From 53156862fa68b130c9a57f2824275f99017929ac Mon Sep 17 00:00:00 2001 From: Louis Burda Date: Tue, 27 Apr 2021 14:35:38 +0200 Subject: updated LICENSE and moved README for displaying by github --- LICENSE | 2 +- README | 72 --------------------------------------------------------------- README.md | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 73 insertions(+), 73 deletions(-) delete mode 100644 README create mode 100644 README.md diff --git a/LICENSE b/LICENSE index 4a4a2ac..93f0ca7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2021 enowars +Copyright (c) 2021 ENOWARS, Louis Burda Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README b/README deleted file mode 100644 index 109dd64..0000000 --- a/README +++ /dev/null 
@@ -1,72 +0,0 @@ -enowars-5 printdoc -================== - -An stl file info service. - - -setup ------ - -The service is hosted with ynetd or similar, one process per client. - -You submit an stl file and the service gives you details about the file: - -- how many triangles -- file type (bin/ascii) -- name -- attributes (binary header parsing) - -The file upload size has to be below a certain limit (4kB?). - -The files are simply stored in a directory and cleaned up -via a crontab which checks their *last modified* date. - -The model name is used to create hash / id which also -acts as directory name for the actual stl and parsed info. - -Error msg if too many verticies for one loop.. see vulnerability. - -Error msg if invalid format. - - -countermeasures ---------------- - -Countermeasures against malicious players, who via an -unintended vulnerability gain remote code execution: - - -checker -------- - -The flag is saved as a 3d model of the flag text. One needs -to orient it, take a screenshot and decode the text from the -image for automated exploitation. - - -vulnerability -------------- - -If there are > 3 verticies in a `loop` in the stl, a warning -message is returned by preparing and `printf`ing a buffer, -however, WITHOUT a terminating null byte. As such, when -processing the string, we read into the stack-adjacent integer -that holds the file's attribute byte count. This value -is zero by default so the buffer overflow will go unnoticed. - -We can set this value to 0x6e25 (= 28197), which corresponds -to the string '%n' on a little endian system. - -When the warning prints, it will write the size of the -format string (which can be controlled via the model name) -to the address of the next value on the stack: the hash str. -By varying this value to write 256 aka 0x100 we terminate -the string with a null byte, making it an empty. - -Next, the program will return the info of all scans that match -the hash prefix (files are saved in a directory -). 
-Since the hash is not empty the information for each scan will be -returned, including the id, which can be used to request the flag file. - - - diff --git a/README.md b/README.md new file mode 100644 index 0000000..109dd64 --- /dev/null +++ b/README.md 
@@ -0,0 +1,72 @@ +enowars-5 printdoc +================== + +An stl file info service. + + +setup +----- + +The service is hosted with ynetd or similar, one process per client. + +You submit an stl file and the service gives you details about the file: + +- how many triangles +- file type (bin/ascii) +- name +- attributes (binary header parsing) + +The file upload size has to be below a certain limit (4kB?). + +The files are simply stored in a directory and cleaned up +via a crontab which checks their *last modified* date. + +The model name is used to create hash / id which also +acts as directory name for the actual stl and parsed info. + +Error msg if too many verticies for one loop.. see vulnerability. + +Error msg if invalid format. + + +countermeasures +--------------- + +Countermeasures against malicious players, who via an +unintended vulnerability gain remote code execution: + + +checker +------- + +The flag is saved as a 3d model of the flag text. One needs +to orient it, take a screenshot and decode the text from the +image for automated exploitation. + + +vulnerability +------------- + +If there are > 3 verticies in a `loop` in the stl, a warning +message is returned by preparing and `printf`ing a buffer, +however, WITHOUT a terminating null byte. As such, when +processing the string, we read into the stack-adjacent integer +that holds the file's attribute byte count. This value +is zero by default so the buffer overflow will go unnoticed. + +We can set this value to 0x6e25 (= 28197), which corresponds +to the string '%n' on a little endian system. + +When the warning prints, it will write the size of the +format string (which can be controlled via the model name) +to the address of the next value on the stack: the hash str. +By varying this value to write 256 aka 0x100 we terminate +the string with a null byte, making it an empty. + +Next, the program will return the info of all scans that match +the hash prefix (files are saved in a directory -). 
+Since the hash is not empty the information for each scan will be +returned, including the id, which can be used to request the flag file. + + + -- cgit v1.2.3-71-gd317
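Review bot: the LICENSE hunk changes the copyright holder from `enowars` to `ENOWARS, Louis Burda`, which adds a second rights holder rather than merely correcting capitalisation, but the commit message only says "updated LICENSE"; please state in the message why the holder is extended and confirm the organisation name matches its spelling elsewhere in the repository, since the old line used lowercase `enowars`.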
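Review bot: the README deletion and README.md creation are recorded as 72 deletions plus 72 insertions even though both blobs carry the same index `109dd64`, so this is a pure rename; regenerating the patch with rename detection (`git format-patch -M`) would show a one-line `rename from README` / `rename to README.md` hunk instead of duplicating the whole file, which makes the LICENSE change the only content reviewers have to read.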
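Review bot: the new README.md carries over several documentation defects that this move is a good moment to fix. The "countermeasures" section ends at "gain remote code execution:" with no content, so the only containment mentioned anywhere is "one process per client" under setup; the upload limit reads "(4kB?)" and should be stated as an actual value; the sentence "(files are saved in a directory -)" is cut off; and the exploit description says the hash is turned into "an empty" string and then "Since the hash is not empty the information for each scan will be returned", which contradicts itself and presumably means "now empty", since an empty prefix is what matches every scan. Spelling: "verticies" appears three times and should be "vertices", and "An stl file info service" should read "An STL file info service".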