Vortex 1 will soon be mine

I am reading the resources that go along with the vortex 1 wargame from pulltheplug.org.  For fun, I modified one of their simple buffer overflow examples from 32 to 64 bit.  Here’s the code.

void function(int a, int b, int c) {
char buffer1[5];
char buffer2[10];
int *ret;

ret = buffer1 + 24;
(*ret) += 7;
}

void main() {
int x;

x = 1;
function(1,2,3);
x = 0;
printf(“%d\n”,x);
}

The hard part was finding out what to add to the buffer1 address to point to the function’s return address.  Buffer1 takes 8 bytes wich makes sence on a 64 bit system.  What doesn’t make sense is that there is still 16bytes.  I don’t think that it is all occupied by the frame pointer, but that’s all the resources mention.

The number 7 is added because adding 7 bytes moved the IP to the printf line.  In my testing the x=0 line was at 0x00000000004004f5 and the printf was at 0x00000000004004fc.  A difference of 7 bytes.

Related posts:

Tags: