Diffstat (limited to 'documentation/slides/slides.md')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | documentation/slides/slides.md | 184 |

1 file changed, 0 insertions, 184 deletions
diff --git a/documentation/slides/slides.md b/documentation/slides/slides.md deleted file mode 100644 index 48e3447..0000000 --- a/documentation/slides/slides.md +++ /dev/null 
@@ -1,184 +0,0 @@ -title: STLDoctor -output: index.html -controls: false - --- - -<style> - -.footnote { - font-size: 16pt; - position: absolute; - color: gray; - bottom: 0px; - right: 0px; -} - -.slide-content { - position: relative; -} - -.slide-content > ul >li { - padding: 7px 0px; -} - -.slide-content > p > img { - width: 100%; -} - -</style> - --- - -# STLDoctor 💉 - --- - -### The Plan 💡 - -<!-- Familiar with C and wondered about non-standard - buffer-/integer overflow C bugs --> -<!-- Plaintext file inspection service --> -<!-- Interesting and realisitic bugs --> -<!-- Written in C --> -<!-- Have to combine 'gadgets' for exploit, but - as a logic bug, not RCE --> -- Plaintext service -- Interesting C bugs -- Exploit logic bugs, not RCE -- Learn about the STL format - -<img style="width: 240px !important; transform: rotate(90deg); height: 240px; position:absolute; top:150px; right:70px;" src="https://upload.wikimedia.org/wikipedia/commons/9/9b/STL_sample_2.png"> - --- - -### Setup 🔧 - -- C binary that communicates via `stdin` and `stdout` -- Networking abstracted through hosting with `socat` -- File system backend with periodic clean up - - - --- - -### Functionality 🎮 - -<!-- file system backend separates user accounts and stl files location for non-guests --> -<!-- guest account files can be downloaded by knowing their modelname, - premium account files can only be downloaded by authenticated users --> - -- Users can upload and search for files -- Register to upload private files -- Uploaded files are analyzed and information is returned to the user - ---- - -<!-- Sample interaction demonstrating how you would retrieve a file you uploaded --> - - - --- - -### 1. Vuln 💉 - -- Flags are stored in the solidname of the STL -- Bug in upload info file parsing allows attacker to retrieve any public file - --- - -### 2. 
Vuln 💉 - -- Flags are stored in the solidname of a private file -- Buffer overflow in hash function allows enumeration of private user hashes -- Generate preimages of weak hash function to login as users - --- - -### Goals Met 🎉 - -<!-- dont need to be an expert at fancy exploitation to exploit, - just basic knowledge of C and testing code snippets to see - if they do what you expect them to in different cases --> - -⭐ Plaintext file inspection service <br> -⭐ Interesting and realisitic bugs <br> -⭐ Combine different gadgets for exploit <br> -⭐ Don't need to be an expert at fancy ROP <br> -⭐ No SLA lost in TestCTF <br> -⭐ Written in C - --- - -### Issues 📉 - -<!-- Currently, the exploits dont require you to understand the - STL file format, however, to make sure that the service - is working correctly, you need to inspect the code --> - -<!-- Still considering encoding of flags as STL, but want to - avoid --> - -💥 Exploits not directly related to STL format <br> -💥 (Eno)checker has memory leaks - --- - -### Lesssons Learned - -<!-- from the feedback I gathered, that not a lot of people write C code - often, but this also means it is a great opportunity for learning - something new. --> - -- Many exploits are not suited for A/D ctfs -- How to write a FSM format parser -- Be careful with casts in C -- People just *love* C services 🤡 - --- - --- - --- - -# Exploit 1 - --- - - - --- - - - --- - - - --- - - - --- - - - --- - -# Exploit 2 - --- - - - - - -<script> - // var slide_headers = document.querySelectorAll(".slide-content > h3"); - // for (var i = 0; i < slide_headers.length; i++) { - // var img = document.createElement('img') - // img.src = "logo.png"; - // img.style = "height: 2.4ex; padding-right: 10px; float:right"; - // slide_headers[i].append(img); - // } -</script> |
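Review bot: the hunk deletes the whole of documentation/slides/slides.md, and with it the only written description of the two intended vulnerabilities ("1. Vuln": the bug in upload info file parsing that lets an attacker retrieve any public file; "2. Vuln": the buffer overflow in the hash function that allows enumeration of private user hashes, followed by generating preimages of the weak hash to log in as those users). Nothing in the diff or the commit page says where that content went. Before removing the deck, either move those two slides plus the "Issues" slide ("Exploits not directly related to STL format", "(Eno)checker has memory leaks") and the "Lessons Learned" list into a plain-text document under documentation/, or state in the commit message that the information is recorded elsewhere. The speaker-note HTML comments also hold design facts not stated anywhere else in the repository as far as this diff shows (guest files are downloadable by anyone who knows the model name, premium files only by authenticated users; the file system backend separates user accounts and STL file locations for non-guests), and losing them makes the service harder to audit. Dropping the commented-out `<script>` block and the inline CSS is fine; the prose is what needs a home.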
