First I started gdb and checked the heap memory after I sent several input. I sent “auth AAAA” and the “serviceBBBB” (without space after service!).

screen-shot-2016-12-04-at-19-49-53

The output was a little help ([ auth = 0x804c008, service = 0x804c018 ]). The first eight bytes were the header of the allocated space of auth. The interesting thing here is that the allocated space is only 8 bytes (the next 8 bytes). The sizeof(auth) refers to the size of the pointer of the auth, not the size of the struct auth. The problem here is that the name of the struct is the same as the name of the pointer.

The 8 bytes from 0x0804c010 is the header of the allocated space by strdup, which uses malloc internally.

The auth structure has 32 characters/bytes and int auth, which is 4 bytes, starts after these 32 bytes. In other words:

0x0804c008 – 0x0804c027 = auth->name (32 bytes)
0x0804c028 – 0x0804c02b = auth->auth (4 bytes)

The login method checks auth->auth. We can overwrite it with service. We only need 16 bytes and the next 4 bytes will be auth->auth. I tested it with the following: “auth AAAA”, “serviceBBBBBBBBBBBBBBBBCCCC”

screen-shot-2016-12-04-at-19-49-23

screen-shot-2016-12-04-at-20-06-44