#include <stdio.h>
#include <string.h>

void hacked() {
    printf("System Compromised!\n");
}

void login() {
    char buffer[8];
    int authenticated = 0;
    printf("Enter payload: ");
    // VULNERABILITY: gets() does not check bounds!
    gets(buffer);
    if (authenticated) {
        printf("Access Granted.\n");
    }
}

int main() {
    login();
    return 0;
}

#include <stdio.h>
#include <string.h>

void hacked() {
    printf("System Compromised!\n");
}

void login() {
    char buffer[8];
    int authenticated = 0;
    printf("Enter payload: ");
    // SECURE: fgets() strictly limits input to buffer size.
    fgets(buffer, sizeof(buffer), stdin);
    if (authenticated) {
        printf("Access Granted.\n");
    }
}

int main() {
    login();
    return 0;
}
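
The fgets() version stops the overflow, but a bare fgets() call silently truncates over-long input and leaves the rest of the line in stdin for the next read. The following is an added example, not code from the original page: a bounded reader that rejects over-long lines and discards the remainder. The names read_line_bounded, demo_two_reads and BUF_SIZE are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8  /* same size as the page's buffer */
enum read_status { READ_OK, READ_TOO_LONG, READ_EOF };

/* Read one line into buf (size bytes, NUL included). Unlike a bare fgets(),
 * over-long input is reported and the rest of the line is discarded, so
 * leftover bytes cannot be consumed by a later read. (Hypothetical helper.) */
enum read_status read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0) return READ_EOF;
    if (fgets(buf, (int)size, in) == NULL) { buf[0] = '\0'; return READ_EOF; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {   /* whole line fit */
        buf[len - 1] = '\0';
        return READ_OK;
    }
    int c = fgetc(in);                       /* no newline stored: peek ahead */
    if (c == EOF || c == '\n') return READ_OK;  /* line was exactly size-1 long */
    while (c != '\n' && c != EOF)            /* truncated: drain the remainder */
        c = fgetc(in);
    buf[0] = '\0';                           /* reject, keep no partial value */
    return READ_TOO_LONG;
}

/* Demo helper: feeds constructed input through a temp file, reads two lines.
 * Returns the first line's status; 'second' receives the following line. */
enum read_status demo_two_reads(const char *input, char *first, char *second)
{
    first[0] = second[0] = '\0';
    FILE *f = tmpfile();
    if (!f) return READ_EOF;
    fputs(input, f);
    rewind(f);
    enum read_status st = read_line_bounded(f, first, BUF_SIZE);
    read_line_bounded(f, second, BUF_SIZE);
    fclose(f);
    return st;
}

int main(void)
{
    char a[BUF_SIZE], b[BUF_SIZE];
    /* Constructed sample: a 24-byte line followed by a short one. */
    enum read_status st = demo_two_reads("AAAAAAAAAAAAAAAAAAAAAAAA\nguest\n", a, b);
    printf("first: status=%d \"%s\"  second: \"%s\"\n", st, a, b);
    return 0;
}
```
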
Terminal Output
$ ./vulnerable_program
Enter payload:
Memory Stack Diagram (lower memory to higher memory; stack grows down ↓): Buffer, EBP, EIP
Control Panel
Inject data into the program's memory.
Watch how standard functions like gets() blindly write beyond their allocated space.
Target
The vulnerable buffer is only 8 bytes. The next byte is EBP, and the following is the Return Address (EIP). Can you overwrite EIP with 0xEF or HACK?