Building yet again on the prior exercise, this time we’re going to use an environmental variable to deliver the payload.
char *variable;
variable = getenv("GREENIE");
if(variable == NULL) {
errx(1, "please set the GREENIE environment variable\n");
}
modified = 0;
strcpy(buffer, variable);
if(modified == 0x0d0a0d0a) {
printf("you have correctly modified the variable\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
The only other difference between this exercise and the last is that we’re setting modified to 0x0d0a0d0a. Doing the conversion to ascii characters, it appears to be “\n\r\n\r”. Slightly modifying our ruby one liner to create the new payload, we set the environment variable and call the next program.
