## https://sploitus.com/exploit?id=F901C6AD-D678-53D7-90E7-3352074E0085
# ATM Challenge - Buffer Overflow Exploit
**Author**: Olalekan Owoloye
**Course**: Software Exploitation
**Date**: November 2025
## Overview
This is a binary exploitation challenge featuring a vulnerable ATM banking application. The challenge demonstrates a classic stack-based buffer overflow vulnerability that can be exploited to gain shell access.
## Files Included
- **atm_challenge.c** - Source code of the vulnerable ATM application
- **atm_challenge.bin** - Compiled binary (ELF 64-bit)
- **build.sh** - Build script to compile the binary
- **exploit.py** - Working exploit script (Python + pwntools)
- **Olalekan Owoloye SW Final Porject** - Full writeup
- **README.md** - This file
## Vulnerability
**Type**: Stack-based buffer overflow
**Location**: `update_account_info()` function, line 102
**Cause**: Use of unsafe `gets()` function without bounds checking
## Quick Start
### Compile the Binary
```bash
bash build.sh
```
### Run the Exploit
```bash
python3 exploit.py
```
Expected: A shell with "ADMIN ACCESS GRANTED" message!
## Exploitation Summary
1. Authenticate with PIN: 1234
2. Select option 4 (Update Account Info)
3. Send 40 bytes + address of admin_panel()
4. Return address overwritten โ jumps to admin_panel()
5. Shell spawned!
**For full details**
## Security Mitigations
All disabled for educational purposes:
- Stack Canaries: DISABLED
- PIE/ASLR: DISABLED
- NX/DEP: DISABLED
## Educational Value
Demonstrates:
- Buffer overflow exploitation
- Stack corruption
- Return address hijacking
- Why gets() is dangerous
**Permission**: May be used in educational settings with attribution