Why can I use get_sp() to get the stack address in my exploit?
When you put a get_sp() call in your exploit code, it returns the stack pointer of the main() function in the exploit code itself. That stack pointer address depends on, among other things, the environment variables in your shell when you executed sploit1, so it can change depending on what you do in the shell beforehand. Basing your exploit code on this address is therefore not a good idea. But once main() calls execve, the sploit process gets forked and the text, data, bss, and stack of the calling process (sploit) are overwritten by those of the program being loaded (the target program). Once we’re in this state, the addresses that we obtain by running gdb at this point will not change as long as you don’t change the size of the input arguments (i.e., your exploit string length) or the contents of the env pointer argument to execve. That’s why you can safely hardcode your address in your exploit code.