Tokyohot N0541
    if __name__ == "__main__":
        main()

Running the script locally prints:
    void menu(void)
    {
        puts("\n--- TokyoHot ---");
        puts("1) Register");
        puts("2) Login");
        puts("3) Show secret");
        puts("4) Exit");
        printf("> ");
    }
    #define _GNU_SOURCE
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
The interesting functions are register_user, login, and show_secret.

    void register_user()
    {
        char *name = malloc(0x80);
        char *pwd = malloc(0x80);

        printf("Name: ");
        gets(name);   // <--- vulnerable: unbounded read into a 0x80-byte heap buffer
        printf("Password: ");
        gets(pwd);
        // store pointers in a global struct (userlist)
    }
To confirm this, I printed the address of user->pwd after registration:
    import socket

    def main():
        # HOST, PORT, register, login_overwrite and get_flag are not shown in this fragment
        s = socket.create_connection((HOST, PORT))
        register(s)
        login_overwrite(s)
        get_flag(s)
        s.close()