Posted on by and filed under TUM CTF 2016.

We were given the source code for this challenge.

There are two main bugs in this program. First, we have the strip_newline and fgets functions. From the fgets man page:

So, if we add a NULL byte at the end of the password, strcpy will see the end of the string but fgets will not. Thus we will be able to pass the check and keep writing. The second vulnerability comes from the fact that the User object is declared without any arguments passed to its constructor. In the User::read_password function, when

is executed, we can overflow User::password and overwrite the User::accepted function. Here is my exploit.py

View the original post here.