scanf("%d", passcode1), it should be scanf("%d", &passcode1). Because of this error, passcode1 and passcode2 are considered addresses instead of values. In fact, there are three errors in the code:

Because of this misuse of scanf(), we are able to write some data directly to the address of the variables name, passcode1, and passcode2. Let's read through the assembly to figure out the exact location of each variable:

The distance between name and passcode1 is 0x60, which is 96 in decimal. We are able to input at most 100 bytes for name, so it is possible to overwrite passcode1. fflush() is called right after scanf("%d", passcode1):

fflush() is called through fflush@plt, and the first jmp instruction there jumps to the address stored in fflush@got.plt. The idea is:

Overwrite passcode1 with 0x804a004, then the scanf() statement becomes scanf("%d", 0x804a004). This would allow us to input arbitrary data to the memory location 0x804a004, which is fflush@got.plt. When that scanf() function is called, send the integer representation (because of "%d") of the address of system("/bin/cat"). Once fflush@plt is called, the jmp instruction will jump to system("/bin/cat") and execute it.

We still need the address of system("/bin/cat"). Take another look at the disassembly of login():

0x80485d7 is the address of system("/bin/cat"). To get its integer representation, use str(0x80485d7) in Python.
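The root cause above is scanf("%d", passcode1) writing through an uninitialised int instead of into it. The following is an added example (not the challenge's code) of the hardened form: both passcodes are initialised and passed by address, and the input lines are parsed with strtol so malformed input is rejected. The function names login_checked and parse_int_line and the two expected passcode values are constructed placeholders.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed placeholder passcodes; not the challenge's real values. */
#define PASSCODE1_EXPECTED 424242L
#define PASSCODE2_EXPECTED 777777L

/* Parse one decimal integer from a text line into *out.
 * Returns 0 on success, -1 if the line is not a single clean number. */
static int parse_int_line(const char *line, long *out)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE)
        return -1;                      /* no digits, or out of range */
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r')
        end++;                          /* only whitespace may follow */
    if (*end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* Hardened login: compare with the page's scanf("%d", passcode1), which
 * passed the (garbage) value of passcode1 as the destination pointer.
 * Here the locals are initialised and their addresses are passed.
 * Returns 1 on "Login OK", 0 on mismatch, -1 on malformed input. */
int login_checked(const char *line1, const char *line2)
{
    long passcode1 = 0;
    long passcode2 = 0;
    if (parse_int_line(line1, &passcode1) != 0 ||
        parse_int_line(line2, &passcode2) != 0)
        return -1;
    return (passcode1 == PASSCODE1_EXPECTED &&
            passcode2 == PASSCODE2_EXPECTED) ? 1 : 0;
}

int main(void)
{
    char buf1[64], buf2[64];
    printf("enter passcode1 : ");
    if (!fgets(buf1, sizeof buf1, stdin)) return 1;
    printf("enter passcode2 : ");
    if (!fgets(buf2, sizeof buf2, stdin)) return 1;
    printf("checking...\n");
    int r = login_checked(buf1, buf2);
    puts(r == 1 ? "Login OK!" : (r == 0 ? "Login Failed!" : "Malformed input"));
    return r == 1 ? 0 : 1;
}
```

Compiling the original with -Wformat (part of -Wall) reports the missing & at build time, since "%d" expects an int * argument.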