
Tokyohot N0541 [FAST]

```c
struct user {
    char *name; // 8 bytes
    char *pwd;  // 8 bytes
};
```

Stack layout in `login`: `buf[0x40]` at `0x7fffffffe5c0`. The `login` function does not allocate any heap memory; it uses the stack buffer `buf`. However, after the call to `login`, the program returns to `menu`, which later accesses the `users` array in the global BSS. The overflow in `login` does not directly touch the global variable; it only corrupts the stack.

To confirm this, I printed the address of `user->pwd` after registration:

```c
struct user users[10]; // global, zero-initialized
int logged_in = 0;     // global
```

When `register_user` is called:

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

void login(void) {
    char buf[0x40];
    printf("Password: ");
    read(0, buf, 0x100); // <<< oversized read -> heap overflow
    strcpy(users[0].pwd, buf);
    if (strcmp(buf, users[0].pwd) == 0) {
        logged_in = 1;
        puts("Logged in!");
    } else {
        puts("Wrong password.");
    }
}
```

```c
void register_user(void); /* definition not shown */
```

`gcc -no-pie`