# Stack 2 ## About ![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-M7wqyRdKbNXS_ptp_pr%2F-M7wr6_-YEUnOVqxBT61%2Fimage.png?alt=media\&token=a38673e3-f75b-47d9-8439-cc23a397217d) ## Source Code ```c #include #include #include #include int main(int argc, char **argv) { volatile int modified; char buffer[64]; char *variable; variable = getenv("GREENIE"); if(variable == NULL) { errx(1, "please set the GREENIE environment variable\n"); } modified = 0; strcpy(buffer, variable); if(modified == 0x0d0a0d0a) { printf("you have correctly modified the variable\n"); } else { printf("Try again, you got 0x%08x\n", modified); } } ``` This program will use the `getenv` function to check if there is an environment variable set to `GREENIE` and then assign it to `variable`. Looking at the `getenv` man page we see that it searches in the environment list to find the environment variable `GREENIE` and returns a pointer to the value string. ![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-M7wqyRdKbNXS_ptp_pr%2F-M7wsmMzkRXf9_jljC79%2Fimage.png?alt=media\&token=2bb8f8b2-975e-44e4-89ec-6b3c8aad5483) So I'm guessing that the environment value must be equal to `0x0d0a0d0a` to change `modified`. We already know how to cause an overflow and set the last 4 bytes as the value we want to set `modified` to, so we just need to do it using environment variables now. Maybe we can solve this challenge with a python script. ![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-M7wqyRdKbNXS_ptp_pr%2F-M7wwX7W1-2jGRlf65x3%2Fimage.png?alt=media\&token=88c7fd56-bbf3-4cf8-964b-673c7ac06df4) We run it... ![](https://3889206050-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6DIEHtstePxj4NCmCC%2F-M7wqyRdKbNXS_ptp_pr%2F-M7wwlXe5yR1-iVEGw7-%2Fimage.png?alt=media\&token=8d6b98e8-37d6-464e-903c-e9a478324d00) And it works! Stack2 solved.