Tokyohot N0541 Now

```c
#include <stdio.h>
#include <stdlib.h>

/* defined elsewhere in the binary */
void menu(void);
void register_user(void);
void login(void);
void show_secret(void);

int main(void)
{
    setbuf(stdout, NULL);          /* unbuffered stdout, as usual for a CTF service */
    while (1) {
        menu();
        int choice;
        if (scanf("%d%*c", &choice) != 1)
            break;
        switch (choice) {
        case 1: register_user(); break;
        case 2: login(); break;
        case 3: show_secret(); break;
        case 4: exit(0);
        default: puts("Invalid"); break;
        }
    }
    return 0;
}
```

```c
struct user {
    char *name;   /* 8 bytes */
    char *pwd;    /* 8 bytes */
};
```

```c
strcpy(user->pwd, buf);
```

strcpy copies buf into the allocation that user->pwd points to with no length check, so an over-long password writes past the end of the 0x80 bytes reserved for pwd. The write-up's claim is that the bytes beyond 0x80 reach the logged_in variable at 0x603200 (an example address; since the binary is built with -no-pie, the real address is fixed and can be read from the symbol table). One caveat a practitioner should check before relying on this: the overflow only lands on logged_in if the pwd storage sits directly below it in memory. A brk heap is mapped above .bss, so a forward overflow out of a malloc'd chunk grows away from a global; confirm the actual layout of the pwd storage relative to logged_in (for example with the debugger's memory map) rather than assuming it.
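The adjacency the write-up relies on, as an added example that is not the challenge binary's code: a constructed C model of a 0x80-byte pwd buffer followed immediately by logged_in, with the strcpy-style copy beside a bounded replacement. The names (user_region, set_pwd_vulnerable, set_pwd_safe, make_login_payload, run_vulnerable, run_hardened) and the single-array layout are assumptions made for this demo; the copy is done with memcpy kept inside that array so the overwrite is deterministic instead of a real out-of-bounds write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not the challenge binary): the 0x80-byte password
 * storage followed immediately by the int logged_in, exactly the adjacency
 * the write-up relies on. Everything lives in one array so the over-long
 * copy is still an in-bounds write here and the demo is deterministic. */
#define PWD_SIZE 0x80u
#define REGION_SIZE (PWD_SIZE + sizeof(int))

struct user_region {
    unsigned char bytes[REGION_SIZE];   /* [0,0x80) = pwd, [0x80,0x84) = logged_in */
};

static int read_logged_in(const struct user_region *r)
{
    int v;
    memcpy(&v, r->bytes + PWD_SIZE, sizeof v);
    return v;
}

/* Mirrors strcpy(user->pwd, buf): copies through the terminating NUL with no
 * regard for the 0x80-byte size of pwd. The single bound check only keeps the
 * model inside its own array; a real strcpy has no such check at all. */
static int set_pwd_vulnerable(struct user_region *r, const char *buf)
{
    size_t n = strlen(buf) + 1;
    if (n > REGION_SIZE)
        return -1;
    memcpy(r->bytes, buf, n);
    return 0;
}

/* Hardened replacement: reject anything that does not fit in pwd, keep the
 * terminator inside the buffer, never touch the byte after it. */
static int set_pwd_safe(struct user_region *r, const char *buf)
{
    size_t n = strlen(buf);
    if (n >= PWD_SIZE)
        return -1;
    memcpy(r->bytes, buf, n + 1);
    return 0;
}

/* Attacker input: 0x80 filler bytes, then one 0x01 byte that lands on the
 * first byte of logged_in. strcpy stops at NUL, so the payload must not
 * contain one before the end; a single non-zero byte is enough because the
 * gate is "if (logged_in)". Returns the payload length without terminator. */
static size_t make_login_payload(char *out, size_t cap)
{
    size_t len = PWD_SIZE + 1;
    if (cap < len + 1)
        return 0;
    memset(out, 'A', PWD_SIZE);
    out[PWD_SIZE] = '\x01';
    out[len] = '\0';
    return len;
}

/* logged_in after the over-long password goes through the strcpy-style copy:
 * non-zero means the login check is bypassed. */
int run_vulnerable(void)
{
    struct user_region r;
    char payload[REGION_SIZE + 1];
    memset(&r, 0, sizeof r);
    if (make_login_payload(payload, sizeof payload) == 0)
        return -1;
    if (set_pwd_vulnerable(&r, payload) != 0)
        return -1;
    return read_logged_in(&r);
}

/* Same payload through the bounded copy: the copy is refused and logged_in
 * keeps its value. Returns logged_in (expected 0). */
int run_hardened(void)
{
    struct user_region r;
    char payload[REGION_SIZE + 1];
    memset(&r, 0, sizeof r);
    if (make_login_payload(payload, sizeof payload) == 0)
        return -1;
    if (set_pwd_safe(&r, payload) == 0)
        return -2;              /* must not succeed */
    return read_logged_in(&r);
}

int main(void)
{
    printf("strcpy-style copy: logged_in = %d\n", run_vulnerable());
    printf("bounded copy:      logged_in = %d\n", run_hardened());
    return 0;
}
```

The bounded version rejects the input instead of silently truncating it; truncation with strncpy would keep the program safe but can also leave pwd without a terminator, which is the next bug a reviewer would flag.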

stack (login): 0x7fffffffe5c0 buf[0x40]

The login function does not allocate any heap memory; it uses the 0x40-byte stack buffer buf. After login returns, the program goes back to menu, which later accesses the users array in the global BSS. The overflow in login therefore does not touch the global variable directly; it only corrupts the stack.

```c
void show_secret(void)
{
    if (logged_in)
        system("/bin/cat /home/ctf/flag.txt");
    else
        puts("You must be logged in first!");
}
```

gcc -no-pie

The binary is compiled without PIE, so the addresses of globals such as logged_in are the same on every run.