I am trying simple buffer overflow attacks in Linux. I have a vulnerable program which accepts a command line argument. I have another program that sets an environment variable that has some code I want to execute (typically shellcode). Now I am trying to overflow the buffer of my vulnerable program with the address of this environment variable. I have the following questions:

  1. When I pass an environment variable as a command line argument, is the content of the variable copied into argv of my vulnerable program?

  2. Where in the process' address space will the environment variables (command line args) be stored? Will it be on the process stack or somewhere else?


Solution

  1. Yes.
  2. It's up to the implementation.

You're presumably doing something like:

victim "$SHELLCODE"

If $SHELLCODE is also an environment variable, the program will get one copy in the environment, preceded by SHELLCODE= so it could be retrieved via getenv(), and one copy in the argv argument list.
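An added example, not part of the original answer: a small C program that checks both points on a Linux host by comparing the argv copy with the getenv() copy and looking each address up in /proc/self/maps. The variable name DEMO_VAR and the helper names separate_copies and in_stack_mapping are made up for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if `arg` and `env` hold the same bytes at different addresses (two
 * separate copies), 0 otherwise, -1 if the variable was not set. */
int separate_copies(const char *arg, const char *env)
{
    if (env == NULL)
        return -1;
    return strcmp(arg, env) == 0 && arg != env;
}

/* 1 if `p` lies in the mapping Linux labels [stack], 0 if it lies elsewhere,
 * -1 if /proc/self/maps cannot be read (non-Linux host, restricted sandbox). */
int in_stack_mapping(const void *p)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    unsigned long lo, hi, addr = (unsigned long)p;
    int found = 0;

    if (f == NULL)
        return -1;
    while (!found && fgets(line, sizeof line, f) != NULL)
        found = strstr(line, "[stack]") != NULL &&
                sscanf(line, "%lx-%lx", &lo, &hi) == 2 &&
                addr >= lo && addr < hi;
    fclose(f);
    return found;
}

int main(int argc, char **argv)
{
    /* DEMO_VAR is a constructed name: export it, then run ./a.out "$DEMO_VAR" */
    const char *env = getenv("DEMO_VAR");

    if (argc < 2 || env == NULL) {
        fprintf(stderr, "usage: export DEMO_VAR=value; %s \"$DEMO_VAR\"\n", argv[0]);
        return 1;
    }
    printf("argv[1] at %p, in [stack]: %d\n", (void *)argv[1], in_stack_mapping(argv[1]));
    printf("getenv  at %p, in [stack]: %d\n", (void *)env, in_stack_mapping(env));
    printf("separate copies: %d\n", separate_copies(argv[1], env));
    return 0;
}
```

On Linux the kernel copies the argument and environment strings to the top of the new process's initial stack at execve(), so both lookups normally report the [stack] mapping; other systems may place them differently, as the answer says.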

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow