Writeup1.EasyOverrideVariable1

Author: C0ss4ck | Published 2018-01-18 18:15

    Question1:

    NJUPT-CGCTF-Whendidyouborn?


    Analysis1.0:

    Glancing over the given source code, we find that the logic of this program seems wrong.

    But how can we get the flag when the logic is wrong?

    The key is not the logic but the function 'gets'.

    As many of us know, 'gets' can lead to a buffer overflow, because it does not check the length of its input against the size of the destination buffer.

    Hidden danger from 'gets'

    What is Buffer Overflow?

    So what we should do is exploit the vulnerability of 'gets' to tamper with the value of student.birth.


    Analysis1.1:

    With the help of a decompiler, the layout of the variables in memory can be determined.

    As we can see, on the stack the offset of 'year' is -0x18 while that of 'name' is -0x20, so 'name' starts 8 bytes below 'year'. Consequently, input written to 'name' can fill the bytes between 'name' and 'year' and finally overwrite the value of 'year'.

    //p32 or p64 can pack the integer.
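
The overwrite described in Analysis1.1, as an added C example that is not the challenge's source or the author's exploit. The struct layout (an 8-byte name directly followed by year) is an assumption modelled on the -0x20/-0x18 offsets, and the input bytes are constructed; it puts a gets-style unbounded copy beside a bounded read of the same input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, modelled on the write-up's offsets:
   name at -0x20, year at -0x18, so year starts 8 bytes after name. */
struct student { char name[8]; int year; };

/* Models gets(): copies every input byte starting at name, ignoring the
   field size. Clamped to the struct so the demo itself stays well-defined. */
static void read_name_unbounded(struct student *s, const unsigned char *in, size_t len)
{
    if (len > sizeof *s)
        len = sizeof *s;
    memcpy((unsigned char *)s, in, len);
}

/* Hardened form: never writes past name, always NUL-terminates. Returns 1 if truncated. */
static int read_name_bounded(struct student *s, const unsigned char *in, size_t len)
{
    size_t max = sizeof s->name - 1;
    int truncated = len > max;
    if (truncated)
        len = max;
    memcpy(s->name, in, len);
    s->name[len] = '\0';
    return truncated;
}

/* Feeds the same constructed 12-byte input to either reader and returns year. */
static int year_after_input(int bounded)
{
    /* Constructed sample: 8 filler bytes, then 4 bytes that land on year. */
    static const unsigned char input[12] = {'A','A','A','A','A','A','A','A',0x42,0x42,0x42,0x42};
    struct student s;
    memset(&s, 0, sizeof s);
    s.year = 2000; /* constructed initial value */
    if (bounded)
        read_name_bounded(&s, input, sizeof input);
    else
        read_name_unbounded(&s, input, sizeof input);
    return s.year;
}

int main(void)
{
    printf("unbounded: year = %#x\n", (unsigned)year_after_input(0));
    printf("bounded:   year = %d\n", year_after_input(1));
    return 0;
}
```

In real code the bounded form corresponds to replacing gets with fgets(name, sizeof name, stdin), which is the fix for this class of bug.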


    Exploit1:


    Thanks

    C0ss4ck

    2018/1/19/22:39
