ret2csu

Same same, but different

This challenge is very similar to "callme", with the exception of the useful gadgets. Simply call the ret2win() function in the accompanying library with the same arguments you used to beat the "callme" challenge (ret2win(0xdeadbeef, 0xcafebabe, 0xd00df00d) for the ARM & MIPS binaries, ret2win(0xdeadbeefdeadbeef, 0xcafebabecafebabe, 0xd00df00dd00df00d) for the x86_64 binary).

Populating the elusive 3rd register using ROP can prove more difficult than you might expect, especially in smaller binaries with fewer gadgets. This can become particularly irksome since many useful GLIBC functions require three arguments.

So little room for activities

Start by using ropper to search for sensible gadgets, if there's no pop rdx for example, perhaps there's a mov rdx, rbp that you could chain with a pop rbp. If you're all out of ideas go ahead and read the last paragraph.

Universal

Fortunately some very smart people have come up with a solution to your problem and as is customary in infosec given it a collection of pretentious names, including "Universal ROP", "μROP", "return-to-csu" or just "ret2csu". You can learn all you need to on the subject from this BlackHat Asia paper. Note that more recent versions of gcc may use different registers from the example in __libc_csu_init(), including the version that compiled this challenge.

Before you go

Most folks start by completing the x86 & x86_64 challenges, if you’ve beaten these then congratulations! But why stop there? The ARMv5 & MIPS challenges may seem intimidating if you’re unfamiliar with those architectures, but if you can handle the Intel challenges then you can handle these. Getting started with these architectures takes only a few commands, which are documented in the Beginners’ Guide. I think MIPS ROP is particularly good fun, and once you’ve beaten the challenges you can count yourself amongst the few exploit developers who can write return-oriented programming exploits for MIPS hardware!