#include <stdio.h>
#include <stdlib.h>

void login(){
    int passcode1;
    int passcode2;

    printf("enter passcode1 : ");
    scanf("%d", passcode1);
    fflush(stdin);

    // ha! mommy told me that 32bit is vulnerable to bruteforcing :)
    printf("enter passcode2 : ");
    scanf("%d", passcode2);

    printf("checking...\n");
    if(passcode1==338150 && passcode2==13371337){
        printf("Login OK!\n");
        system("/bin/cat flag");
    }
    else{
        printf("Login Failed!\n");
        exit(0);
    }
}

void welcome(){
    char name[100];
    printf("enter you name : ");
    scanf("%100s", name);
    printf("Welcome %s!\n", name);
}

int main(){
    printf("Toddler's Secure Login System 1.0 beta.\n");

    welcome();
    login();

    // something after login...
    printf("Now I can safely trust you that you have credential :)\n");
    return 0;
}
Say Cheeeeeeese
At first glance I was scared by the amount of code in this. I mean, compared to the previous challs, this is a 10pts chall, so more lines of code would only make sense. At first I was stuck on the function scanf, as I had no idea how it works besides taking the user's input and storing it in the variable. Well, after playing around with the binary itself, I saw that int passcode1 and int passcode2 are being passed to scanf as arguments. This is a problem, because scanf takes pointers and will write the user's input to that address; in this case, we are writing to the value of passcode1 instead of &passcode1, which is the address of passcode1.
I have compiled another program which has &passcode1 and &passcode2 as arguments to scanf.

As we can see, if scanf receives an int type instead of an int* type on the right, then it will segfault, because the address on the left is not writable.
First, let's see what's in the welcome() function.

So now, when welcome() is called, the stack looks like this:

[Figure: stack layout of welcome() showing the Saved EIP and Saved EBP, with the disassembly fragments "ebp, esp" at 0x8048609 and "esp, 0x88"; lines 2-4 are welcome()'s function prologue.]