authorLouis Burda <quent.burda@gmail.com>2021-05-20 18:54:00 +0200
committerLouis Burda <quent.burda@gmail.com>2021-05-20 18:54:00 +0200
commit52fa3462e73b1a187b0df1413746bf500bf28ba8 (patch)
treeee10fd689789ef8f2031f2115b62317380cc5278 /checker/src/checker.py
parent1109a88447e1c5cefe6ed93eccc8dcf8cd595d0e (diff)
downloadenowars5-service-stldoctor-52fa3462e73b1a187b0df1413746bf500bf28ba8.tar.gz
enowars5-service-stldoctor-52fa3462e73b1a187b0df1413746bf500bf28ba8.zip
fixed checker havocid to be compatible with the places where it is used, without triggering exploits
Diffstat (limited to 'checker/src/checker.py')
-rw-r--r--checker/src/checker.py35
1 files changed, 17 insertions, 18 deletions
diff --git a/checker/src/checker.py b/checker/src/checker.py
index 85c3a91..9774ecc 100644
--- a/checker/src/checker.py
+++ b/checker/src/checker.py
@@ -2,11 +2,11 @@
from enochecker import BaseChecker, BrokenServiceException, EnoException, run
from enochecker.utils import SimpleSocket, assert_equals, assert_in
import random, string, struct, logging, selectors, time, socket
-import pwnlib
import numpy as np
logging.getLogger("faker").setLevel(logging.WARNING)
logging.getLogger("pwnlib").setLevel(logging.WARNING)
+
from faker import Faker
def ensure_bytes(v):
@@ -39,14 +39,16 @@ class STLDoctorChecker(BaseChecker):
def fakeid(self):
fake = Faker(["en_US"])
allowed = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmopqrstuvwxyz0123456789-+.!"
- return "".join([c for c in fake.name().lower().replace(" ", "-") if c in allowed][:60]).ljust(10, "!")
+ return "".join([c for c in fake.name().replace(' ','') if c in allowed][:60]).ljust(10, '.')
def havocid(self):
- return "".join([chr(int(random.randint(ord(' '), 255))) for i in range(60)])
+ idlen = random.randint(10, 60)
+ return "".join([chr(random.randint(32, 127)) for i in range(idlen)])
def do_auth(self, conn: SimpleSocket, authstr: str):
self.write(conn, f"auth {authstr}\n")
resp = conn.recvuntil("$")
+ print(resp)
assert_in(b"Success!", resp, f"Login with pass '{authstr}' failed!");
def check_listed(self, conn, modelid):
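Review bot: `chr(random.randint(32, 127))` on the new havocid line can emit 127 (DEL, a non-printable control character) because randint is inclusive at both ends; if the intent is printable ASCII the upper bound should be 126, `return "".join(chr(random.randint(32, 126)) for _ in range(idlen))`. The range also starts at space, so an id may contain or begin with spaces, which may matter once it is interpolated into a line-oriented command such as the `auth {authstr}` sent by do_auth — either exclude 32 or record that callers must tolerate it. The `print(resp)` added to do_auth reads as a leftover debug statement; the class already uses `self.debug`, so `self.debug(resp)` or removing it keeps checker output clean. The `allowed` alphabet on the unchanged context line omits `n` (`...klmopq...`), a pre-existing slip worth fixing while fakeid is being touched.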
@@ -111,7 +113,7 @@ class STLDoctorChecker(BaseChecker):
else:
raise EnoException("Invalid file type supplied");
- def putfile(self, conn, solidname, modelname, filetype):
+ def putfile(self, conn, modelname, solidname, filetype):
solidname = ensure_bytes(solidname)
modelname = ensure_bytes(modelname)
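Review bot: Swapping the positional order of `modelname` and `solidname` in `putfile` fails silently for any caller that was not updated, since both are str/bytes and `ensure_bytes` accepts either without complaint. A short docstring under the new signature, `"""Upload a model; args are (conn, modelname, solidname, filetype) in that order."""`, makes the contract visible at the definition, and passing `filetype` by keyword at every call site would make a future mix-up easier to spot. The body of putfile continues beyond this hunk.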
@@ -189,17 +191,16 @@ class STLDoctorChecker(BaseChecker):
self.chain_db = vdict
def havoc_upload(self, filetype, register):
- solidname = self.havocid()
- # these should not be havoc, since they are hashed
- # and this could trigger the buffer overflow: part of exploit 2
- modelname = self.fakeid()
- authstr = self.fakeid()
+ # cant be havocid with ascii since might mess with stl parsing
+ solidname = self.fakeid() if filetype == 'ascii' else self.havocid()
+ modelname = self.havocid()
+ authstr = self.havocid()
# create new session and user and upload file
conn = self.openconn()
if register:
self.do_auth(conn, authstr)
- contents, modelid = self.putfile(conn, solidname, modelname, filetype)
+ contents, modelid = self.putfile(conn, modelname, solidname, filetype)
self.check_getfile(conn, modelname, solidname, contents)
if register:
self.check_listed(conn, modelid)
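Review bot: The removed comment recorded why `modelname` and `authstr` used `fakeid` (they are hashed by the service, and the old unbounded havoc id could reach the overflow path), but the replacement comment only covers the ASCII-solidname case; the reason the bounded 10–60 printable-character `havocid` is now considered safe for the hashed fields should be written down next to the assignments, e.g. `# modelname/authstr are hashed server-side; havocid is now bounded (10-60 chars, 32..127) so it stays within the lengths those paths accept`. Also, `authstr = self.havocid()` can contain spaces (havocid draws from code point 32 upward) and do_auth sends it as `auth {authstr}\n`; if the service tokenises commands on whitespace this check will fail intermittently, so either strip spaces from havocid output or confirm the service accepts them.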
@@ -215,12 +216,10 @@ class STLDoctorChecker(BaseChecker):
self.closeconn(conn)
def openconn(self):
+ import pwnlib
self.debug("Connecting to service")
- conn = pwnlib.tubes.remote.remote(self.address, self.port)
+ conn = pwnlib.tubes.remote.remote(self.address, self.port, timeout = self.timeout)
conn.recvuntil("$") # ignore welcome
- if self.debuglog:
- self.write(conn, "echo\n")
- conn.recvuntil("$")
return conn
def closeconn(self, conn):
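Review bot: `conn.recvuntil("$")` after the connect now runs under `timeout=self.timeout`, and pwntools' recvuntil returns an empty buffer on timeout rather than raising, so a service that accepts the TCP connection but never prints the prompt will make openconn hand back a tube on which every later recvuntil also times out; `if not conn.recvuntil("$"): raise BrokenServiceException("No prompt after connect")` (BrokenServiceException is already imported) turns that into a clear verdict. The function-scope `import pwnlib` deserves a one-line comment explaining why it was moved out of the module header, especially since the module-level `logging.getLogger("pwnlib")` setup still assumes the library is in use. PEP 8 spells the keyword argument `timeout=self.timeout`.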
@@ -232,7 +231,7 @@ class STLDoctorChecker(BaseChecker):
if self.variant_id == 0:
conn = self.openconn()
modelname = self.fakeid()
- stlfile, modelid = self.putfile(conn, self.flag, modelname, filetype = "ascii")
+ stlfile, modelid = self.putfile(conn, modelname, self.flag, filetype = "ascii")
self.closeconn(conn)
self.postdb({ "modelid": modelid, "modelname": modelname })
elif self.variant_id == 1:
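Review bot: The updated call keeps `filetype = "ascii"` as a keyword argument here and in the sibling call in the next hunk, while the later calls `putfile(conn, modelname, solidname, "bin")` and `putfile(conn, modelname, solidname, "ascii")` pass it positionally. After an argument-order change it is safer to pass `filetype` by keyword everywhere, and PEP 8 spells it `filetype="ascii"`.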
@@ -240,7 +239,7 @@ class STLDoctorChecker(BaseChecker):
modelname = self.fakeid()
authstr = self.fakeid()
self.do_auth(conn, authstr)
- stlfile, modelid = self.putfile(conn, self.flag, modelname, filetype = "bin")
+ stlfile, modelid = self.putfile(conn, modelname, self.flag, filetype = "bin")
self.closeconn(conn)
self.postdb({ "modelid": modelid, "modelname": modelname, "auth": authstr })
else:
@@ -269,7 +268,7 @@ class STLDoctorChecker(BaseChecker):
conn = self.openconn()
modelname = self.fakeid()
solidname = self.fakeid()
- contents, modelid = self.putfile(conn, solidname, modelname, filetype = "bin")
+ contents, modelid = self.putfile(conn, modelname, solidname, "bin")
self.closeconn(conn)
self.postdb({ "modelid": modelid, "modelname": modelname, "solidname": solidname, "contents": contents })
elif self.variant_id == 1:
@@ -278,7 +277,7 @@ class STLDoctorChecker(BaseChecker):
modelname = self.fakeid()
solidname = self.fakeid()
self.do_auth(conn, authstr)
- contents, modelid = self.putfile(conn, solidname, modelname, filetype = "ascii")
+ contents, modelid = self.putfile(conn, modelname, solidname, "ascii")
self.closeconn(conn)
self.postdb({ "modelid": modelid, "modelname": modelname, "solidname": solidname, "contents": contents, "auth": authstr })
else: