Stack layout in login (example address): 0x7fffffffe5c0 buf[0x40]

The login function does not allocate any heap memory; it uses the stack buffer buf. After login returns, the program goes back to menu, which later accesses the users array in the global BSS. The oversized read in login does not touch that global directly: it only corrupts the stack. The global state is reached afterwards, through the strcpy of buf into users[0].pwd.
void show_secret(void)
{
    if (logged_in)
        system("/bin/cat /home/ctf/flag.txt");
    else
        puts("You must be logged in first!");
}
void login(void)
{
    char buf[0x40];
    printf("Password: ");
    read(0, buf, 0x100);           // <<< oversized read: 0x100 bytes into a 0x40-byte stack buffer
    strcpy(users[0].pwd, buf);     // carries the over-long input into the 0x80-byte global pwd
    if (strcmp(buf, users[0].pwd) == 0) {
        logged_in = 1;
        puts("Logged in!");
    } else {
        puts("Wrong password.");
    }
}
strcpy(user->pwd, buf);

Thus an over-long buf overflows the buffer that user->pwd points to. By providing an over-long password we write past the allocated 0x80 bytes of pwd and reach the logged_in variable located at 0x603200 (example address).
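The following is an added example, not the challenge's source: it models the layout the writeup describes (a 0x80-byte pwd buffer immediately followed by logged_in) and shows both the unchecked copy that clobbers the flag and a bounded replacement. The struct wrapping, the function names and the 0x01 payload byte are assumptions made for the demo; in the real binary users[] and logged_in are separate BSS globals that happen to be adjacent.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the challenge binary. Putting users[] and logged_in in
 * one struct is an assumption that makes the adjacency deterministic: pwd's
 * 0x80 bytes are immediately followed by logged_in, as in the writeup. */
#define PWD_SIZE 0x80

struct user {
    char pwd[PWD_SIZE];       /* the 0x80-byte password buffer */
};

struct bss_state {
    struct user users[1];
    int logged_in;            /* sits right after users[0].pwd */
};

/* Byte-for-byte what strcpy does: copy until the NUL, no length check.
 * Written as a loop so a fortified libc does not abort the demo early. */
static void unchecked_copy(char *dst, const char *src) {
    while ((*dst++ = *src++) != '\0') {
    }
}

/* Vulnerable path: returns logged_in after the copy. Any input byte past
 * offset 0x7f of the password lands on logged_in. */
int vuln_store_password(struct bss_state *st, const char *input) {
    st->logged_in = 0;
    unchecked_copy(st->users[0].pwd, input);
    return st->logged_in;
}

/* Hardened path: find the terminator inside the first PWD_SIZE bytes, refuse
 * input that does not fit with its NUL, then copy exactly that many bytes.
 * Returns -1 on rejection, otherwise logged_in (unchanged, i.e. 0). */
int safe_store_password(struct bss_state *st, const char *input) {
    st->logged_in = 0;
    const char *nul = memchr(input, '\0', PWD_SIZE);
    if (nul == NULL) {
        return -1;                       /* needs more than PWD_SIZE bytes */
    }
    size_t n = (size_t)(nul - input);
    memcpy(st->users[0].pwd, input, n + 1);
    return st->logged_in;
}

/* Build the writeup's payload: PWD_SIZE filler bytes, then one nonzero byte
 * that becomes the low byte of logged_in, then the NUL that ends the copy.
 * Returns the payload length (excluding NUL), or 0 if cap is too small. */
size_t build_payload(char *out, size_t cap) {
    if (cap < PWD_SIZE + 2) {
        return 0;
    }
    memset(out, 'A', PWD_SIZE);
    out[PWD_SIZE] = 0x01;                /* assumed overwrite value for the flag */
    out[PWD_SIZE + 1] = '\0';
    return PWD_SIZE + 1;
}

int main(void) {
    static struct bss_state st;
    char payload[0x100];                 /* same size as the writeup's read() */
    build_payload(payload, sizeof payload);
    printf("vulnerable: logged_in = %d after a %zu-byte password\n",
           vuln_store_password(&st, payload), strlen(payload));
    printf("hardened:   rc = %d (rejected), logged_in = %d\n",
           safe_store_password(&st, payload), st.logged_in);
    return 0;
}
```

The point of the hardened variant is that the length is checked before anything is written; truncating silently with strncpy would still leave a password that does not match what the user typed, so refusing the input is the safer behaviour.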