slides.md (3810B)
title: STLDoctor
output: index.html
controls: false

--

<style>

.footnote {
  font-size: 16pt;
  position: absolute;
  color: gray;
  bottom: 0px;
  right: 0px;
}

.slide-content {
  position: relative;
}

.slide-content > ul > li {
  padding: 7px 0px;
}

.slide-content > p > img {
  width: 100%;
}

</style>

--

# STLDoctor 💉

--

### The Plan 💡

<!-- Familiar with C and wondered about non-standard
     buffer-/integer overflow C bugs -->
<!-- Plaintext file inspection service -->
<!-- Interesting and realistic bugs -->
<!-- Written in C -->
<!-- Have to combine 'gadgets' for exploit, but
     as a logic bug, not RCE -->
- Plaintext service
- Interesting C bugs
- Exploit logic bugs, not RCE
- Learn about the STL format

<img style="width: 240px !important; transform: rotate(90deg); height: 240px; position:absolute; top:150px; right:70px;" src="https://upload.wikimedia.org/wikipedia/commons/9/9b/STL_sample_2.png">

--

### Setup 🔧

- C binary that communicates via `stdin` and `stdout`
- Networking abstracted through hosting with `socat`
- File system backend with periodic clean up

--

### Functionality 🎮

<!-- file system backend separates user accounts and stl files location for non-guests -->
<!-- guest account files can be downloaded by knowing their modelname,
     premium account files can only be downloaded by authenticated users -->

- Users can upload and search for files
- Register to upload private files
- Uploaded files are analyzed and information is returned to the user

---

<!-- Sample interaction demonstrating how you would retrieve a file you uploaded -->

--

### 1. Vuln 💉

- Flags are stored in the solidname of the STL
- Bug in upload info file parsing allows attacker to retrieve any public file

--

### 2. Vuln 💉

- Flags are stored in the solidname of a private file
- Buffer overflow in hash function allows enumeration of private user hashes
- Generate preimages of weak hash function to login as users

--

### Goals Met 🎉

<!-- don't need to be an expert at fancy exploitation to exploit,
     just basic knowledge of C and testing code snippets to see
     if they do what you expect them to in different cases -->

⭐ Plaintext file inspection service <br>
⭐ Interesting and realistic bugs <br>
⭐ Combine different gadgets for exploit <br>
⭐ Don't need to be an expert at fancy ROP <br>
⭐ No SLA lost in TestCTF <br>
⭐ Written in C

--

### Issues 📉

<!-- Currently, the exploits don't require you to understand the
     STL file format, however, to make sure that the service
     is working correctly, you need to inspect the code -->

<!-- Still considering encoding of flags as STL, but want to
     avoid -->

💥 Exploits not directly related to STL format <br>
💥 (Eno)checker has memory leaks

--

### Lessons Learned

<!-- From the feedback I gathered, not a lot of people write C code
     often, but this also means it is a great opportunity for learning
     something new. -->

- Many exploits are not suited for A/D CTFs
- How to write a FSM format parser
- Be careful with casts in C
- People just *love* C services 🤡

--

--

--

# Exploit 1

--

--

--

--

--

# Exploit 2

--

<script>
  // var slide_headers = document.querySelectorAll(".slide-content > h3");
  // for (var i = 0; i < slide_headers.length; i++) {
  //   var img = document.createElement('img')
  //   img.src = "logo.png";
  //   img.style = "height: 2.4ex; padding-right: 10px; float:right";
  //   slide_headers[i].append(img);
  // }
</script>
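An FSM-style parser for the ASCII STL format, added here as an example to go with the "How to write a FSM format parser" and "Learn about the STL format" points; it is not the STLDoctor service's own code. It assumes the standard ASCII STL keywords (solid, facet normal, outer loop, vertex, endloop, endfacet, endsolid) and a constructed sample file; the solidname is copied with a bounded scanf width so an oversized name cannot overflow its buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the STLDoctor service's code: state-machine parser for
 * ASCII STL. Every copy is bounded, so an oversized name or line is rejected. */
enum state { S_START, S_BODY, S_FACET, S_LOOP, S_ENDLOOP, S_DONE, S_ERR };
struct stl_info { char name[32]; int facets; };

/* Copy one line (without newline) into buf; NULL if it does not fit. */
static const char *next_line(const char *p, char *buf, size_t cap) {
    size_t n = 0;
    while (p[n] && p[n] != '\n') n++;
    if (n >= cap) return NULL;
    memcpy(buf, p, n); buf[n] = '\0';
    return p[n] ? p + n + 1 : p + n;
}

/* Returns the facet count, or -1 if the file is malformed or truncated. */
int parse_ascii_stl(const char *text, struct stl_info *out) {
    enum state st = S_START;
    char line[128], w[16]; float v[3]; int verts = 0;
    out->name[0] = '\0'; out->facets = 0;
    while (st != S_DONE && st != S_ERR) {
        if (!*text || !(text = next_line(text, line, sizeof line))) return -1;
        if (sscanf(line, "%15s", w) != 1) continue;            /* blank line */
        switch (st) {
        case S_START:  /* %31s keeps the solidname inside the 32-byte buffer */
            if (strcmp(w, "solid")) { st = S_ERR; break; }
            sscanf(line, " solid %31s", out->name); st = S_BODY; break;
        case S_BODY:   /* either another facet or the end of the solid */
            if (!strcmp(w, "endsolid")) st = S_DONE;
            else st = sscanf(line, " facet normal %f %f %f", v, v + 1, v + 2) == 3 ? S_FACET : S_ERR;
            break;
        case S_FACET:  /* expect "outer loop", then exactly three vertices */
            st = strcmp(w, "outer") ? S_ERR : S_LOOP; verts = 0; break;
        case S_LOOP:
            if (sscanf(line, " vertex %f %f %f", v, v + 1, v + 2) == 3) { if (++verts > 3) st = S_ERR; }
            else st = (!strcmp(w, "endloop") && verts == 3) ? S_ENDLOOP : S_ERR;
            break;
        case S_ENDLOOP:
            if (!strcmp(w, "endfacet")) { out->facets++; st = S_BODY; } else st = S_ERR;
            break;
        default: st = S_ERR;
        }
    }
    return st == S_DONE ? out->facets : -1;
}

/* Constructed sample input: one triangle in a solid named "flagholder". */
const char *SAMPLE_STL = "solid flagholder\n facet normal 0 0 1\n  outer loop\n   vertex 0 0 0\n"
    "   vertex 1 0 0\n   vertex 0 1 0\n  endloop\n endfacet\nendsolid flagholder\n";
```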