```c
void register_user() {
    char *name = malloc(0x80);
    char *pwd = malloc(0x80);
    printf("Name: ");
    gets(name); // <--- vulnerable
    printf("Password: ");
    gets(pwd);
    // store pointers in a global struct (userlist)
}
```
The global logged_in lives at 0x603200. The distance is:
The simpler and more reliable route is , because it only needs to set a single byte/word to 1.
The menu repeats after each operation.
: Organizations should restrict PowerShell execution policies and use tools like AppLocker or Device Guard to prevent unauthorized scripts from running.
The goal is to (a global variable) or overwrite the GOT entry of strcmp / puts to gain code execution.