commit 52fa3462e73b1a187b0df1413746bf500bf28ba8
parent 1109a88447e1c5cefe6ed93eccc8dcf8cd595d0e
Author: Louis Burda <quent.burda@gmail.com>
Date: Thu, 20 May 2021 18:54:00 +0200
fixed checker havocid so the ids are compatible with where they are used, without triggering exploits
Diffstat:
2 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/checker/src/checker.py b/checker/src/checker.py
@@ -2,11 +2,11 @@
from enochecker import BaseChecker, BrokenServiceException, EnoException, run
from enochecker.utils import SimpleSocket, assert_equals, assert_in
import random, string, struct, logging, selectors, time, socket
-import pwnlib
import numpy as np
logging.getLogger("faker").setLevel(logging.WARNING)
logging.getLogger("pwnlib").setLevel(logging.WARNING)
+
from faker import Faker
def ensure_bytes(v):
@@ -39,14 +39,16 @@ class STLDoctorChecker(BaseChecker):
def fakeid(self):
fake = Faker(["en_US"])
allowed = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmopqrstuvwxyz0123456789-+.!"
- return "".join([c for c in fake.name().lower().replace(" ", "-") if c in allowed][:60]).ljust(10, "!")
+ return "".join([c for c in fake.name().replace(' ','') if c in allowed][:60]).ljust(10, '.')
def havocid(self):
- return "".join([chr(int(random.randint(ord(' '), 255))) for i in range(60)])
+ idlen = random.randint(10, 60)
+ return "".join([chr(random.randint(32, 127)) for i in range(idlen)])
def do_auth(self, conn: SimpleSocket, authstr: str):
self.write(conn, f"auth {authstr}\n")
resp = conn.recvuntil("$")
+ print(resp)
assert_in(b"Success!", resp, f"Login with pass '{authstr}' failed!");
def check_listed(self, conn, modelid):
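Review bot: `chr(random.randint(32, 127))` in the new havocid is inclusive at both ends, so generated ids can contain a space (32) and DEL (127); because authstr is sent as `auth {authstr}\n`, a space inside it will most likely be split off server-side and make do_auth fail intermittently rather than exercise the service. If only visible printable characters are meant, `chr(random.randint(33, 126))` gives exactly that range. The `print(resp)` added to do_auth bypasses the checker's logger and reads like a debugging leftover; `self.debug(resp)` keeps it in the checker log. Separately, the unchanged `allowed` alphabet a few lines above is missing `n` (`...klmopq...`), so fakeid silently drops every `n` from the generated names — pre-existing, but worth fixing while fakeid is being touched.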
@@ -111,7 +113,7 @@ class STLDoctorChecker(BaseChecker):
else:
raise EnoException("Invalid file type supplied");
- def putfile(self, conn, solidname, modelname, filetype):
+ def putfile(self, conn, modelname, solidname, filetype):
solidname = ensure_bytes(solidname)
modelname = ensure_bytes(modelname)
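Review bot: Swapping two same-typed positional parameters in putfile is the kind of change a missed call site does not surface as an error — it only silently sends model and solid names reversed. Every call visible in this diff is updated, but any caller outside it would keep running with the names swapped, so a `grep -n "putfile("` over the checker before merging is cheap insurance. putfile's body continues outside the hunk.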
@@ -189,17 +191,16 @@ class STLDoctorChecker(BaseChecker):
self.chain_db = vdict
def havoc_upload(self, filetype, register):
- solidname = self.havocid()
- # these should not be havoc, since they are hashed
- # and this could trigger the buffer overflow: part of exploit 2
- modelname = self.fakeid()
- authstr = self.fakeid()
+ # cant be havocid with ascii since might mess with stl parsing
+ solidname = self.fakeid() if filetype == 'ascii' else self.havocid()
+ modelname = self.havocid()
+ authstr = self.havocid()
# create new session and user and upload file
conn = self.openconn()
if register:
self.do_auth(conn, authstr)
- contents, modelid = self.putfile(conn, solidname, modelname, filetype)
+ contents, modelid = self.putfile(conn, modelname, solidname, filetype)
self.check_getfile(conn, modelname, solidname, contents)
if register:
self.check_listed(conn, modelid)
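Review bot: The removed comment recorded why modelname and authstr were kept as fakeid (they are hashed by the service, and an unrestricted havocid could trigger the overflow used by exploit 2); the new code relies on havocid's narrower range to make that safe, but nothing in havoc_upload says so any more. Keep that invariant next to the new assignments, e.g. `# modelname/authstr are hashed by the service; havocid is safe here only while it stays in the 32-127 range and at most 60 chars`, so a later widening of havocid's alphabet or length does not silently turn the havoc check into the exploit. havoc_upload continues outside the hunk.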
@@ -215,12 +216,10 @@ class STLDoctorChecker(BaseChecker):
self.closeconn(conn)
def openconn(self):
+ import pwnlib
self.debug("Connecting to service")
- conn = pwnlib.tubes.remote.remote(self.address, self.port)
+ conn = pwnlib.tubes.remote.remote(self.address, self.port, timeout = self.timeout)
conn.recvuntil("$") # ignore welcome
- if self.debuglog:
- self.write(conn, "echo\n")
- conn.recvuntil("$")
return conn
def closeconn(self, conn):
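Review bot: With `timeout=self.timeout` on the tube, `conn.recvuntil("$")` for the welcome banner no longer blocks forever, but if I read pwnlib right it returns an empty buffer on timeout instead of raising, so openconn would hand back a connection whose banner is still unread and the next command's response would be misparsed. Check the result and fail the way the checker expects, `if not conn.recvuntil("$"): raise BrokenServiceException("No prompt after connect")`. The function-scope `import pwnlib` hides a hard dependency; if it was moved to avoid pwnlib's import-time side effects, a one-line comment saying so would stop someone moving it back to the top. Also `timeout = self.timeout` should be `timeout=self.timeout` per PEP 8 keyword-argument spacing.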
@@ -232,7 +231,7 @@ class STLDoctorChecker(BaseChecker):
if self.variant_id == 0:
conn = self.openconn()
modelname = self.fakeid()
- stlfile, modelid = self.putfile(conn, self.flag, modelname, filetype = "ascii")
+ stlfile, modelid = self.putfile(conn, modelname, self.flag, filetype = "ascii")
self.closeconn(conn)
self.postdb({ "modelid": modelid, "modelname": modelname })
elif self.variant_id == 1:
@@ -240,7 +239,7 @@ class STLDoctorChecker(BaseChecker):
modelname = self.fakeid()
authstr = self.fakeid()
self.do_auth(conn, authstr)
- stlfile, modelid = self.putfile(conn, self.flag, modelname, filetype = "bin")
+ stlfile, modelid = self.putfile(conn, modelname, self.flag, filetype = "bin")
self.closeconn(conn)
self.postdb({ "modelid": modelid, "modelname": modelname, "auth": authstr })
else:
@@ -269,7 +268,7 @@ class STLDoctorChecker(BaseChecker):
conn = self.openconn()
modelname = self.fakeid()
solidname = self.fakeid()
- contents, modelid = self.putfile(conn, solidname, modelname, filetype = "bin")
+ contents, modelid = self.putfile(conn, modelname, solidname, "bin")
self.closeconn(conn)
self.postdb({ "modelid": modelid, "modelname": modelname, "solidname": solidname, "contents": contents })
elif self.variant_id == 1:
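Review bot: The putfile calls here and in the next hunk drop the `filetype =` keyword that the calls in the two preceding hunks keep, so the same function is now invoked two different ways in one file. Since the positional order of putfile was just changed, keeping the keyword form, `contents, modelid = self.putfile(conn, modelname, solidname, filetype = "bin")`, makes each call self-documenting and consistent with the putflag variants.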
@@ -278,7 +277,7 @@ class STLDoctorChecker(BaseChecker):
modelname = self.fakeid()
solidname = self.fakeid()
self.do_auth(conn, authstr)
- contents, modelid = self.putfile(conn, solidname, modelname, filetype = "ascii")
+ contents, modelid = self.putfile(conn, modelname, solidname, "ascii")
self.closeconn(conn)
self.postdb({ "modelid": modelid, "modelname": modelname, "solidname": solidname, "contents": contents, "auth": authstr })
else:
diff --git a/service/src/stlfile.c b/service/src/stlfile.c
@@ -361,8 +361,9 @@ print_info(struct parseinfo *info)
printf(" File Size: %u\n", info->filesize);
if (info->type == TYPE_BIN) {
- printf(" Header:\n ");
+ printf(" Header:\n");
for (i = 0; i < 80; i += k) {
+ printf(" ");
for (k = 0; k < MIN(80 - i, 20); k++)
printf(" %02x", (uint8_t) info->header[i+k]);
printf(" | ");