Tokyohot: N0541
The interesting functions are register_user , login , and show_secret . void register_user() char *name = malloc(0x80); char *pwd = malloc(0x80); printf("Name: "); gets(name); // <--- vulnerable printf("Password: "); gets(pwd); // store pointers in a global struct (userlist)
struct user users[10]; // global, zero‑initialized int logged_in = 0; // global When register_user is called: tokyohot n0541
$ ./n0541 1) Register > 1 Name: AAAAA... Password: BBBBB... [debug] pwd ptr = 0x603090 The global logged_in lives at 0x603200. The distance is 0x603200 − 0x603090 = 0x170 (368) bytes — i.e. gets() must write 368 bytes of padding past the start of the pwd buffer before the byte that lands on logged_in (assuming the debug pointer is the start of that buffer). Note that the same write clobbers everything in between, so any allocator metadata in that range is corrupted and later malloc calls may abort. The interesting functions are register_user , login ,
user_t users[10]; int logged_in = 0;
def recvuntil(s, delim=b'\n'): data = b'' while not data.endswith(delim): chunk = s.recv(1) if not chunk: break data += chunk return data
gcc -no-pie — the binary is linked without PIE, so its globals (including logged_in at 0x603200) sit at the same absolute address on every run and no leak is needed for the overflow target. The heap is still subject to ASLR on a non-PIE binary, so the pwd pointer printed by the [debug] line can vary between runs — presumably the reason the challenge prints it.
/*
 * Program entry point: the challenge's menu loop.
 *
 * stdout is made unbuffered so prompts reach the client immediately when
 * the binary is served over a socket. Each iteration prints the menu,
 * reads one integer choice plus the single character that follows it
 * (the newline on well-formed input) and dispatches on it. Any scanf
 * failure -- EOF or non-numeric input -- ends the loop and main returns 0.
 */
int main(void)
{
    setbuf(stdout, NULL);
    for (;;) {
        int selection;
        menu();
        /* "%d%*c": read the number, discard the one character after it. */
        if (scanf("%d%*c", &selection) != 1) {
            break;
        }
        if (selection == 1) {
            register_user();
        } else if (selection == 2) {
            login();
        } else if (selection == 3) {
            show_secret();
        } else if (selection == 4) {
            exit(0);
        } else {
            puts("Invalid");
        }
    }
    return 0;
}