| author | Louis Burda <quent.burda@gmail.com> | 2021-04-28 10:51:50 +0200 |
|---|---|---|
| committer | Louis Burda <quent.burda@gmail.com> | 2021-04-28 10:51:50 +0200 |
| commit | 8aac44bb98af5442e29c8cb9a5a4acbe40d96bb2 (patch) | |
| tree | b5cea78af979ad734edf5835f1917b172e09cfd7 /README.md | |
| parent | 53156862fa68b130c9a57f2824275f99017929ac (diff) | |
| download | enowars5-service-stldoctor-8aac44bb98af5442e29c8cb9a5a4acbe40d96bb2.tar.gz enowars5-service-stldoctor-8aac44bb98af5442e29c8cb9a5a4acbe40d96bb2.zip | |
added sample service templates, basic service outline and moved service info to documentation dir
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 71 |
1 files changed, 2 insertions, 69 deletions
@@ -1,72 +1,5 @@ -enowars-5 printdoc -================== +Enowars5 PrintDoc +================= An stl file info service. - -setup ------ - -The service is hosted with ynetd or similar, one process per client. - -You submit an stl file and the service gives you details about the file: - -- how many triangles -- file type (bin/ascii) -- name -- attributes (binary header parsing) - -The file upload size has to be below a certain limit (4kB?). - -The files are simply stored in a directory and cleaned up -via a crontab which checks their *last modified* date. - -The model name is used to create hash / id which also -acts as directory name for the actual stl and parsed info. - -Error msg if too many verticies for one loop.. see vulnerability. - -Error msg if invalid format. - - -countermeasures ---------------- - -Countermeasures against malicious players, who via an -unintended vulnerability gain remote code execution: - - -checker -------- - -The flag is saved as a 3d model of the flag text. One needs -to orient it, take a screenshot and decode the text from the -image for automated exploitation. - - -vulnerability -------------- - -If there are > 3 verticies in a `loop` in the stl, a warning -message is returned by preparing and `printf`ing a buffer, -however, WITHOUT a terminating null byte. As such, when -processing the string, we read into the stack-adjacent integer -that holds the file's attribute byte count. This value -is zero by default so the buffer overflow will go unnoticed. - -We can set this value to 0x6e25 (= 28197), which corresponds -to the string '%n' on a little endian system. - -When the warning prints, it will write the size of the -format string (which can be controlled via the model name) -to the address of the next value on the stack: the hash str. -By varying this value to write 256 aka 0x100 we terminate -the string with a null byte, making it an empty. 
- -Next, the program will return the info of all scans that match -the hash prefix (files are saved in a directory <hash>-<timestamp>). -Since the hash is not empty the information for each scan will be -returned, including the id, which can be used to request the flag file. - - - |
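Review bot: the new README keeps only the title and "An stl file info service." and gives no pointer to where the removed material went, so a reader of the repository cannot find the setup notes, the checker description or the vulnerability write-up that this hunk deletes; since the commit message says the service info was moved to the documentation dir, add one line after the description such as `See the documentation directory for setup, checker and vulnerability notes.` (with the real path). Two things in the removed text are worth carrying over deliberately rather than losing: the `countermeasures` section consisted of its heading and the lead sentence "Countermeasures against malicious players, who via an unintended vulnerability gain remote code execution:" with nothing after it, so the moved copy should actually list them; and the `vulnerability` section is the full intended exploit path (the unterminated warning buffer reading into the attribute byte count, the 0x6e25 `%n` value, the write that empties the hash string so every scan is listed), which must stay out of any player-facing bundle that ships the README, so the split into a separate documentation dir is the right direction as long as that directory is excluded from what players receive. The heading change from `enowars-5 printdoc` to `Enowars5 PrintDoc` is fine and the `=` underline matches the new title length.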
