# Buffer Overflow with Password

We are given a C program and source code.

The C program has a void function that places a boolean guard on the stack, followed immediately by a `char` buffer of length 256.

Later in the source code, the user prompt reads its input with `scanf("%s", ...)`, which has no length limit and is therefore vulnerable to buffer overflows, so we can push data past the end of the buffer onto the stack by this method.

We want to overwrite the `no` boolean in memory at stack position 257, so we need to enter a string of *at least* this length.
Additionally, the input has to begin with the password "OpenSesame!!!" (13 bytes) in order for the application to read the flag.txt file and print it to the terminal.

PAYLOAD:
`"OpenSesame!!!" + "A"*243`

### open_sesame.c
```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SECRET_PASS "OpenSesame!!!"

typedef enum {no, yes} Bool;

void flushBuffers() {
    fflush(NULL);
}

void flag()
{
    system("/bin/cat flag.txt");
    flushBuffers();
}

/* Compares only the first strlen(SECRET_PASS) bytes, so any input that
 * starts with the password is accepted. */
Bool isPasswordCorrect(char *input)
{
    return (strncmp(input, SECRET_PASS, strlen(SECRET_PASS)) == 0) ? yes : no;
}

void caveOfGold()
{
    Bool caveCanOpen = no;   /* guard: never set to yes anywhere in the program */
    char inputPass[256];

    puts("BEHOLD THE CAVE OF GOLD\n");

    puts("What is the magic enchantment that opens the mouth of the cave?");
    flushBuffers();

    scanf("%s", inputPass);  /* unbounded read: no width limit on %s */

    if (caveCanOpen == no)
    {
        puts("Sorry, the cave will not open right now!");
        flushBuffers();
        return;
    }

    if (isPasswordCorrect(inputPass) == yes)
    {
        puts("YOU HAVE PROVEN YOURSELF WORTHY HERE IS THE GOLD:");
        flag();
    }
    else
    {
        puts("ERROR, INCORRECT PASSWORD!");
        flushBuffers();
    }
}

int main()
{
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);

    caveOfGold();

    return 0;
}
```
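The two defects the writeup exploits are the unbounded `scanf("%s")` and the prefix-only `strncmp` check. Below is an added example (not part of the challenge source) showing the hardened form of the read: `fgets` with the buffer size, the over-long remainder drained so it cannot spill into a later read, and an exact-match password comparison. The `Frame` struct stands in for the `caveOfGold` stack frame with the guard declared after the buffer; `readLineBounded`, `runBoundedRead` and `constructedLongInput` are names chosen here, and the 256-character input is constructed to match the length discussed above.

```c
#include <stdio.h>
#include <string.h>

#define SECRET_PASS "OpenSesame!!!"

typedef enum { no, yes } Bool;

/* Stand-in for caveOfGold's frame (assumption for the demo): as struct members,
 * the guard is guaranteed to sit at a higher address than the buffer. */
typedef struct {
    char inputPass[256];
    Bool guard;
} Frame;

/* Bounded replacement for scanf("%s", inputPass): stores at most size-1 bytes,
 * strips the newline, and discards the rest of an over-long line so the excess
 * can neither overflow the buffer nor leak into the next read.
 * Returns the number of bytes stored, or -1 on EOF/error. */
int readLineBounded(FILE *stream, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, stream) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {
        buf[len] = '\0';
    } else {
        int c;
        while ((c = fgetc(stream)) != EOF && c != '\n')
            ; /* drain the truncated remainder of the line */
    }
    return (int)len;
}

/* Exact comparison: the original strncmp(..., strlen(SECRET_PASS)) checks only
 * the prefix, so "OpenSesame!!!extra" would pass it. */
Bool isPasswordCorrectExact(const char *input)
{
    return strcmp(input, SECRET_PASS) == 0 ? yes : no;
}

typedef struct {
    int stored;       /* bytes stored in inputPass */
    int nextChar;     /* next byte left in the stream after the read, or EOF */
    Bool guardIntact; /* yes if the guard still reads 'no' after the read */
    Bool passwordOk;  /* result of the exact comparison */
} ReadResult;

/* Feed a constructed input line through the bounded reader and report what
 * happened to the buffer, the guard and the stream. */
ReadResult runBoundedRead(const char *constructedInput)
{
    ReadResult r = { -1, EOF, no, no };
    Frame frame;
    memset(&frame, 0, sizeof frame);
    frame.guard = no;

    FILE *in = tmpfile();           /* standard C; simulates stdin offline */
    if (in == NULL)
        return r;
    fputs(constructedInput, in);
    rewind(in);

    r.stored = readLineBounded(in, frame.inputPass, sizeof frame.inputPass);
    r.nextChar = fgetc(in);
    fclose(in);

    r.guardIntact = (frame.guard == no) ? yes : no;
    r.passwordOk = isPasswordCorrectExact(frame.inputPass);
    return r;
}

/* Constructed input of the length discussed in the writeup: the 13-byte
 * password followed by 243 filler bytes (256 characters), then a newline. */
const char *constructedLongInput(void)
{
    static char line[256 + 2];
    memcpy(line, SECRET_PASS, 13);
    memset(line + 13, 'A', 243);
    line[256] = '\n';
    line[257] = '\0';
    return line;
}

int main(void)
{
    const char *inputs[] = { "OpenSesame!!!\n", "OpenSesame!!!extra\n",
                             constructedLongInput() };
    for (size_t i = 0; i < 3; i++) {
        ReadResult r = runBoundedRead(inputs[i]);
        printf("stored=%d guardIntact=%d passwordOk=%d drained=%d\n",
               r.stored, r.guardIntact == yes, r.passwordOk == yes,
               r.nextChar == EOF);
    }
    return 0;
}
```

With the bounded reader the 256-character input is cut at 255 bytes, the guard after the buffer is untouched, and the leftover bytes are consumed rather than left for the next `fgets`; the exact comparison also rejects inputs that merely start with the password. The same effect for `scanf` alone is a width specifier (`"%255s"`), but that still leaves the unread tail in the stream.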