enowars5-service-stldoctor

STL-Analyzing A/D Service for ENOWARS5 in 2021
git clone https://git.sinitax.com/sinitax/enowars5-service-stldoctor
Log | Files | Refs | README | LICENSE | sfeed.txt
commit 068c1b8fac8c0505cf9649ab124a2dff9554cecb
parent 1ea771e1a532e6633e1d9d151bc1e2b69e8203a4
Author: Louis Burda <quent.burda@gmail.com>
Date:   Mon, 26 Apr 2021 20:26:22 +0200

service and vuln concept

Diffstat:

AREADME | 72++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


1 file changed, 72 insertions(+), 0 deletions(-)

diff --git a/README b/README
@@ -0,0 +1,72 @@
+enowars-5 printdoc
+==================
+
+An stl file info service.
+
+
+setup
+-----
+
+The service is hosted with ynetd or similar, one process per client.
+
+You submit an stl file and the service gives you details about the file:
+
+- how many triangles
+- file type (bin/ascii)
+- name
+- attributes (binary header parsing)
+
+The file upload size has to be below a certain limit (4kB?).
+
+The files are simply stored in a directory and cleaned up 
+via a crontab which checks their *last modified* date.
+
+The model name is used to create hash / id which also
+acts as directory name for the actual stl and parsed info.
+
+Error msg if too many verticies for one loop.. see vulnerability.
+
+Error msg if invalid format.
+
+
+countermeasures
+---------------
+
+Countermeasures against malicious players, who via an
+unintended vulnerability gain remote code execution:
+
+
+checker
+-------
+
+The flag is saved as a 3d model of the flag text. One needs
+to orient it, take a screenshot and decode the text from the
+image for automated exploitation.
+
+
+vulnerability
+-------------
+
+If there are > 3 verticies in a `loop` in the stl, a warning
+message is returned by preparing and `printf`ing a buffer,
+however, WITHOUT a terminating null byte. As such, when
+processing the string, we read into the stack-adjacent integer
+that holds the file's attribute byte count. This value
+is zero by default so the buffer overflow will go unnoticed.
+
+We can set this value to 0x6e25 (= 28197), which corresponds
+to the string '%n' on a little endian system.
+
+When the warning prints, it will write the size of the
+format string (which can be controlled via the model name)
+to the address of the next value on the stack: the hash str.
+By varying this value to write 256 aka 0x100 we terminate
+the string with a null byte, making it an empty.
+
+Next, the program will return the info of all scans that match
+the hash prefix (files are saved in a directory <hash>-<timestamp>).
+Since the hash is not empty the information for each scan will be
+returned, including the id, which can be used to request the flag file.
+
+
+