The problem is that I have to jump to the administrative function using buffer overflow but it is disabled in the code. I have to figure out how to bypass #undef ADMINISTRATIVE and get inside the function somehow.

// NOTE(review): the listing below is kept exactly as it was captured: the
// header names after #include are missing, quotes are backslash-escaped, and
// the newline escapes inside string literals are damaged. Only line breaks
// and comments have been added.
//
// Purpose: a menu-driven record program. main() reads an authorization code
// and a user name, compares the code with the output of rot13(user, ...), and
// then dispatches to a debug, administrative or normal menu through a table
// of function pointers.
#include
#include
#include

// define to allow administrative access, undef to restrict
// As written, this symbol only removes the call through menufunc[1] in main().
// administrative() is still declared and defined below and its address is
// still stored in menufunc[1], so the switch is not a boundary by itself.
// To harden, place the definition and the table entry under the same #if.
#undef ADMINISTRATIVE
//#define ADMINISTRATIVE

// function prototypes for "main.c" functions
// list, add, quit, delete, deleteall, debug and rot13 are only declared in
// this view; their definitions are not visible here.
int main (int argc, char *argv[]);
void list(void);
void add(void);
void quit(void);
void delete(void);
void deleteall(void);
void normal(char *user);
void administrative(char *nothing);
void debug(char *nothing);
// rot13() receives no length for rot13pwd, so the callee cannot bound its
// writes to the caller's 20-byte array.
void rot13(char *user, char *rot13pwd);

typedef void (*menufunctype)(char *);
typedef void (*userfunctype)(void);
typedef void (*adminfunctype)(void);

// jump table for non-administrative functions
userfunctype userfunc[3] = {add, list, quit};

// jump table for administrative functions
adminfunctype adminfunc[5] = {delete, deleteall, add, list, quit};

// Entry point: prompts for a code and a user name, authenticates, then calls
// one of the three menu functions. argc and argv are not used.
int main (int argc, char *argv[]) {
    // The dispatch table is a writable local array that shares the stack
    // frame with the input buffers below, so memory corruption in this frame
    // can change which function is called. A static const table outside the
    // frame would remove that coupling.
    menufunctype menufunc[3]={debug, administrative, normal};
    char rot13pwd[20];
    char user[20];
    char pwd[20];

    printf(\"Enter authorization code: \");
    fflush(stdout);
    // gets() has no length limit: any line longer than 19 characters writes
    // past the end of pwd. It was removed from the language in C11.
    // The bounded form is fgets(pwd, sizeof pwd, stdin) plus newline stripping.
    gets(pwd);
    printf(\"Enter username or \\\"admin\\\" for admin functions: \");
    fflush(stdout);
    // Same unbounded read into a 20-byte array as above.
    gets(user);

    // authenticate user
    // NOTE(review): rot13() is defined outside this view; presumably it writes
    // a ROT13 transform of user into rot13pwd -- confirm. As far as this view
    // shows, the expected code depends only on the user name and no secret is
    // involved.
    rot13(user, rot13pwd);
    if (strcmp(pwd, rot13pwd)) {
        puts(\"Authentication FAILED. Access denied.\ \");
        exit(1);
    }

    // passed authentication, now display debug, normal or
    // administrative menu. If administrative access is prohibited by
    // compile-time "ADMINISTRATIVE" symbol, then don't allow admin
    // under any circumstances.
    // Only the first five characters are compared, so any user name that
    // starts with "debug" or "admin" takes the corresponding branch.
    if (! strncmp(\"debug\", user, 5)) {
        (*menufunc[0])(user);
    } else if (! strncmp(\"admin\", user, 5)) {
#if defined(ADMINISTRATIVE)
        (*menufunc[1])(0);
#else
        puts(\"NO ADMINSTRATIVE ACCESS AVAILABLE--SEE YOUR SYSTEMS ADMINISTRATOR.\");
#endif
    } else {
        (*menufunc[2])(user);
    }
}

// menu for users with non-administrative access
// Appends the user name and each menu choice to the file named in
// normalaccessfile, then loops forever dispatching choices 0..2 through
// userfunc. The loop has no exit of its own.
void normal(char *user) {
    char buf[40];
    char normalaccessfile[20]=\".normal_access\";
    char choice[2];
    int ch;

    // audit trail
    // sprintf() does not limit its output to sizeof buf. The fixed text and
    // the file name take 23 of the 40 bytes before the terminator, so a user
    // name longer than 16 characters does not fit. The bounded form is
    // snprintf(buf, sizeof buf, ...) with a truncation check.
    sprintf(buf, \"echo %s >> %s\", user, normalaccessfile);
    // The user-supplied name is passed to a shell unquoted, so shell
    // metacharacters in it are interpreted. Writing the record with
    // fopen()/fprintf() in append mode avoids the shell entirely.
    system(buf);

    while (1) {
        puts(\"\ ##### MENU ######\ \");
        puts(\"[0] Add a record\");
        puts(\"[1] List all records\");
        puts(\"[2] Exit\ \");
        printf(\"Choice: \");
        fflush(stdout);
        // choice holds one character plus the terminator; gets() will write
        // past it for any longer line.
        gets(choice);

        // audit trail
        // The typed character also reaches the shell here; see the note on
        // the first system() call.
        sprintf(buf, \"echo %c >> %s\", choice[0], normalaccessfile);
        system(buf);

        // atoi() reports no conversion errors: non-numeric input yields 0,
        // which passes the range check below and selects entry 0. strtol()
        // with an end-pointer check distinguishes the two cases.
        ch = atoi(choice);
        if (ch < 0 || ch > 2) {
            puts(\"Invalid choice.\ \");
        } else {
            (*userfunc[ch])();
        }
    }
}

// menu for administrators
// NOTE(review): the captured listing is cut off inside this function. The
// visible part is kept as is and the rest is not reconstructed.
void administrative(char *nothing) {
    char buf[80];
    char administrativeaccessfile[80]=\".admin_access\";
    char choice[2];
    int ch;

    while (1) {
        puts(\"\ ----- RESTRICTED ADMIN MENU -----\ \");
        puts(\"[0] Delete a record\");
        puts(\"[1] Delete all records\");
        puts(\"[2] Add a record\");
        puts(\"[3] List all records\");
        puts(\"[4] Exit\ \");
        printf(\"Choice: \");
        fflush(stdout);
        // Same unbounded gets() into a 2-byte array as in normal().
        gets(choice);

        // audit trail
        sprintf(buf, \"echo %c >> %s\", choice[0], administr.