various fixes made while stress-testing exploit

1 files changed, 34 insertions, 16 deletions

diff --git a/checker/src/checker.py b/checker/src/checker.py
index 8be5213..8f9334d 100644
--- a/checker/src/checker.py
+++ b/checker/src/checker.py
@@ -8,6 +8,8 @@ logging.getLogger("faker").setLevel(logging.WARNING)
 logging.getLogger("pwnlib").setLevel(logging.WARNING)
 logging.getLogger("_curses").setLevel(logging.CRITICAL)
 
+rand = random.SystemRandom()
+
 from faker import Faker
 
 # DEBUGING MEMORY ISSUES#
@@ -63,18 +65,20 @@ class STLDoctorChecker(BaseChecker):
     def closeconn(self, conn):
         self.debug("Sending exit command")
         conn.write("exit\n")
+        # ensure it is a clean exit
+        conn.recvuntil("bye!")
         conn.close()
 
     def fakeid(self):
         fake = Faker(["en_US"])
         allowed = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmopqrstuvwxyz0123456789-+.!"
-        idstr = "".join([c for c in fake.name().replace(' ','') if c in allowed][:60]).ljust(10, '.')
-        idstr += "".join([random.choice(allowed) for i in range(5)])
+        idstr = "".join([c for c in fake.name().replace(' ','') if c in allowed][:12]).ljust(10, '.')
+        idstr += "".join([rand.choice(allowed) for i in range(8)])
         return idstr
 
     def havocid(self):
-        idlen = random.randint(10, 60)
-        return "".join([chr(random.randint(32, 127)) for i in range(idlen)])
+        idlen = rand.randint(10, 40)
+        return "".join([chr(rand.randint(32, 127)) for i in range(idlen)])
 
     def do_auth(self, conn, authstr):
         authstr = ensure_bytes(authstr)
@@ -113,10 +117,10 @@ class STLDoctorChecker(BaseChecker):
             content = b"solid " + solidname + b"\n"
         else:
             content = b"solid\n"
-        facet_count = random.randint(4, 30)
+        facet_count = rand.randint(4, 30)
         for fi in range(facet_count):
             content += b"facet normal "
-            vs = [[random.random() for i in range(3)] for k in range(3)]
+            vs = [[rand.random() for i in range(3)] for k in range(3)]
             norm = np.cross(np.subtract(vs[1], vs[0]), np.subtract(vs[2],vs[0]))
             norm = norm / np.linalg.norm(norm)
             content += " ".join([f"{v:.2f}" for v in norm]).encode() + b"\n"
@@ -141,10 +145,10 @@ class STLDoctorChecker(BaseChecker):
             content = b"#" + solidname.ljust(78, b"\x00") + b"\x00"
         else:
             content = b"#" + b"\x00" * 79
-        facet_count = random.randint(4, 30)
+        facet_count = rand.randint(4, 30)
         content += struct.pack("<I", facet_count)
         for fi in range(facet_count):
-            vs = [[random.random() for i in range(3)] for k in range(3)]
+            vs = [[rand.random() for i in range(3)] for k in range(3)]
             norm = np.cross(np.subtract(vs[1], vs[0]), np.subtract(vs[2],vs[0]))
             for i in range(3):
                 content += struct.pack("<f", norm[i])
@@ -184,7 +188,7 @@ class STLDoctorChecker(BaseChecker):
             modelid = line.rsplit(b"!", 1)[0].split(b"with ID ", 1)[1]
             if modelid == b"": raise Exception
         except:
-            raise BrokenServiceException(f"Invalid response during upload of {modelname}")
+            raise BrokenServiceException(f"Invalid response during upload of {modelname}:\n{line}")
 
         # Consume rest of data in this call
         conn.recvuntil(self.prompt)
@@ -202,7 +206,7 @@ class STLDoctorChecker(BaseChecker):
         conn.write("y\n" if download else "\n")
 
         # Wait for end of info box
-        resp = conn.recvuntil("==================")
+        resp = conn.recvuntil("================== \n")
 
         # Ask for download if desired
         if download:
@@ -352,22 +356,36 @@ class STLDoctorChecker(BaseChecker):
             filelist = [l.strip().split(b" : ") for l in conn.recvuntil("?").split(b"\n") if b" : " in l]
             if len(filelist) == 0:
                 raise BrokenServiceException("Failed to list files through search")
+            index_dict = {fl[1]: fl[0] for fl in filelist}
+            targets = [fl[1] for fl in filelist]
 
             # Use it to enumerate other files and grab contents
             found = None
-            for i in range(len(filelist)):
-                self.debug(b"Retrieving file " + filelist[i][0] + b": " + filelist[i][1])
-                conn.write(filelist[i][0] + b"\ny\n")
+            self.debug("Targets:\n" + "\n".join([' - ' + l.decode('latin1') for l in targets]))
+            for i,fhash in enumerate(targets):
+                if index_dict[fhash] == None:
+                    self.debug(b"Skipping now missing file " + fhash)
+                    continue
+
+                # Retrieve current file
+                self.debug(b"Retrieving file " + fhash + b" at index " + index_dict[fhash])
+                conn.write(index_dict[fhash] + b"\ny\n")
                 fileinfo = conn.recvuntil(self.prompt)
-                self.debug("File contents:\n" + fileinfo.decode("latin1"))
+                # self.debug("File contents:\n" + fileinfo.decode("latin1"))
                 found = self.search_flag_bytes(fileinfo)
-                if found is not None or i == len(filelist) - 1:
+                if found is not None or i == len(targets) - 1:
                     break
 
                 # Parse evil file again for next iter
                 self.getfile(conn, name, download=False)
                 conn.write("search last\n")
-                conn.recvuntil("?")
+
+                # Update indicies from new search
+                filelist = [l.strip().split(b" : ") for l in conn.recvuntil("?").split(b"\n") if b" : " in l]
+                index_dict = {name : None for name in targets}
+                for fl in filelist:
+                    index_dict[fl[1]] = fl[0]
+
             self.closeconn(conn)
 
             if found is None: