You can find Protostar here: Protostar
We have the source code of the binary:
We have a 64-byte buffer variable, then the getenv function.
getenv
-> gets an environment variable
environment variable
-> used to pass information into processes
The if statement says that if the environment variable == NULL,
the error message is printed.
Then we have the modified
variable set to 0.
Again the vulnerable strcpy
function.
strcpy
-> doesn't do any length checking.
Then an if statement: if modified == 0x0d0a0d0a
we get the flag.
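The reason strcpy is the bug here is that it copies until the NUL byte, so anything past 64 bytes spills over `buffer` into the neighbouring `modified` variable. The added example below is not Protostar's code; it mirrors the same flow (64-byte buffer, `modified` next to it) with strcpy replaced by a bounded copy, so an oversized input is rejected instead of overwriting the variable. The function names and the 'A'-filled inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64  /* same size as stack2's buffer */

/* Bounded replacement for strcpy: copies src (with its NUL) only if it fits.
 * Returns 0 on success, -1 when src is too long; dst is untouched on failure. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* stack2's flow with strcpy swapped for copy_bounded. Returns -1 when the
 * input is rejected, otherwise the value of `modified`, which is now always 0
 * whatever the input length, because nothing can write past `buffer`. */
int check_input(const char *input)
{
    volatile unsigned int modified = 0;
    char buffer[BUF_LEN];
    size_t n = strlen(input);

    if (copy_bounded(buffer, sizeof buffer, input) != 0) {
        /* n + 1 - sizeof buffer is how far an unbounded strcpy would spill. */
        fprintf(stderr, "rejected %zu-byte input: %zu byte(s) past buffer\n",
                n, n + 1 - sizeof buffer);
        return -1;
    }
    return (int)modified;
}

/* Constructed input of `len` 'A' bytes (len < 256), run through the check. */
int run_with_len(size_t len)
{
    char input[256];
    memset(input, 'A', len);
    input[len] = '\0';
    return check_input(input);
}

int main(void)
{
    printf("63 bytes -> %d\n", run_with_len(63));  /* fits: 0 */
    printf("68 bytes -> %d\n", run_with_len(68));  /* 64 + 4: rejected, -1 */
    return 0;
}
```

A 68-byte input (64 bytes plus a 4-byte value) is exactly the length that overwrites `modified` under strcpy; with the bounded copy it is refused and `modified` stays 0.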
Let’s execute the binary.
We have to set the environment variable.
Perfect, now let's simply put our payload in the environment variable:
"A" * 64 + 0x0d0a0d0a in little endian
We can remove the variable now if we want.