Vortex 1 will soon be mine

I am reading the resources that go along with the vortex 1 wargame from pulltheplug.org.  For fun, I modified one of their simple buffer overflow examples from 32 to 64 bit.  Here’s the code.

#include <stdio.h>

void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    int *ret;

    /* Point 24 bytes past buffer1, where the saved return address sits
     * on the author's 64-bit build, then bump it by 7 to skip the
     * caller's "x = 0;" line. */
    ret = (int *)(buffer1 + 24);
    (*ret) += 7;
}

int main(void) {
    int x;

    x = 1;
    function(1, 2, 3);
    x = 0;                 /* skipped if the return address was moved */
    printf("%d\n", x);
    return 0;
}

The hard part was finding out what to add to the buffer1 address to point to the function’s return address.  Buffer1 takes 8 bytes, which makes sense on a 64-bit system.  What doesn’t make sense is that there are still 16 bytes left over.  I don’t think that it is all occupied by the frame pointer, but that’s all the resources mention.

The number 7 is added because adding 7 bytes moved the instruction pointer to the printf line.  In my testing the x=0 line was at 0x00000000004004f5 and the printf was at 0x00000000004004fc, a difference of 7 bytes.
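The 24 found above is not a property of the function, it is whatever the compiler and its flags happened to produce, which is why it had to be read out of a debugger. The following added example (mine, not from the post or the wargame) declares the same locals and measures its own frame instead of writing through `ret`: the distance from buffer1 to the saved frame pointer, the distance to the return-address slot, and a check that the slot really holds the return address. It assumes the x86-64 (or AArch64) frame record, where the saved frame pointer is at the frame address and the return address is one pointer above it, and gcc/clang builtins.

```c
#include <stddef.h>
#include <stdio.h>

/* Layout report for one call frame, filled in by measure_frame(). */
struct frame_layout {
    ptrdiff_t buffer1_to_saved_fp;    /* bytes from buffer1 to the saved frame pointer */
    ptrdiff_t buffer1_to_return_slot; /* bytes from buffer1 to the return-address slot */
    int       return_slot_verified;   /* 1 if that slot holds our actual return address */
};

/* Same locals as the post's function(); noinline keeps a real frame so the
 * measurement is of this function and not of whoever called it. */
__attribute__((noinline)) struct frame_layout measure_frame(int a, int b, int c) {
    volatile char buffer1[5];   /* volatile: keep the arrays on the stack */
    volatile char buffer2[10];
    int *ret = NULL;
    struct frame_layout l;

    buffer1[0] = (char)a;
    buffer2[0] = (char)b;
    (void)c;
    (void)ret;

    /* Assumed frame record: frame pointer -> saved caller frame pointer,
     * return address stored one pointer above it (x86-64 and AArch64). */
    char *fp          = (char *)__builtin_frame_address(0);
    char *return_slot = fp + sizeof(void *);

    l.buffer1_to_saved_fp    = fp - (char *)buffer1;
    l.buffer1_to_return_slot = return_slot - (char *)buffer1;
    l.return_slot_verified   = (*(void **)return_slot == __builtin_return_address(0));
    return l;
}

/* Convenience wrapper: 1 if the assumed frame record matches this build. */
int frame_record_matches(void) {
    return measure_frame(1, 2, 3).return_slot_verified;
}

int main(void) {
    struct frame_layout l = measure_frame(1, 2, 3);
    printf("buffer1 -> saved fp:      %td bytes\n", l.buffer1_to_saved_fp);
    printf("buffer1 -> return slot:   %td bytes\n", l.buffer1_to_return_slot);
    printf("return slot verified:     %s\n", l.return_slot_verified ? "yes" : "no");
    return l.return_slot_verified ? 0 : 1;
}
```

Rebuild with different optimisation levels or with -fstack-protector and the first two numbers change while the third stays "yes"; the gap between buffer1 and the saved frame pointer is padding plus any canary, which is the unexplained 16 bytes above.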
