From a0bd3d833d916cadd23d17d0b3784e28c729967d Mon Sep 17 00:00:00 2001
From: Louis Burda <quent.burda@gmail.com>
Date: Thu, 24 Jun 2021 02:52:21 +0200
Subject: various fixes made while stress-testing exploit

---
 checker/src/checker.py       | 50 ++++++++++++++--------
 checker/src/gunicorn.conf.py |  4 +-
 checker/src/requirements.txt |  6 +--
 checker/test.sh              | 30 +++++++++-----
 do.sh                        |  2 +-
 service/entrypoint.sh        |  2 +-
 service/src/.gitignore       |  2 +
 service/src/main.c           | 98 +++++++++++++++++++++++++-------------------
 src/.gitignore               |  4 +-
 src/main.c                   | 89 +++++++++++++++++++++++-----------------
 10 files changed, 170 insertions(+), 117 deletions(-)
 create mode 100644 service/src/.gitignore

diff --git a/checker/src/checker.py b/checker/src/checker.py
index 8be5213..8f9334d 100644
--- a/checker/src/checker.py
+++ b/checker/src/checker.py
@@ -8,6 +8,8 @@ logging.getLogger("faker").setLevel(logging.WARNING)
 logging.getLogger("pwnlib").setLevel(logging.WARNING)
 logging.getLogger("_curses").setLevel(logging.CRITICAL)
 
+rand = random.SystemRandom()
+
 from faker import Faker
 
 # DEBUGING MEMORY ISSUES#
@@ -63,18 +65,20 @@ class STLDoctorChecker(BaseChecker):
     def closeconn(self, conn):
         self.debug("Sending exit command")
         conn.write("exit\n")
+        # ensure it is a clean exit
+        conn.recvuntil("bye!")
         conn.close()
 
     def fakeid(self):
         fake = Faker(["en_US"])
         allowed = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmopqrstuvwxyz0123456789-+.!"
-        idstr = "".join([c for c in fake.name().replace(' ','') if c in allowed][:60]).ljust(10, '.')
-        idstr += "".join([random.choice(allowed) for i in range(5)])
+        idstr = "".join([c for c in fake.name().replace(' ','') if c in allowed][:12]).ljust(10, '.')
+        idstr += "".join([rand.choice(allowed) for i in range(8)])
         return idstr
 
     def havocid(self):
-        idlen = random.randint(10, 60)
-        return "".join([chr(random.randint(32, 127)) for i in range(idlen)])
+        idlen = rand.randint(10, 40)
+        return "".join([chr(rand.randint(32, 127)) for i in range(idlen)])
 
     def do_auth(self, conn, authstr):
         authstr = ensure_bytes(authstr)
@@ -113,10 +117,10 @@ class STLDoctorChecker(BaseChecker):
             content = b"solid " + solidname + b"\n"
         else:
             content = b"solid\n"
-        facet_count = random.randint(4, 30)
+        facet_count = rand.randint(4, 30)
         for fi in range(facet_count):
             content += b"facet normal "
-            vs = [[random.random() for i in range(3)] for k in range(3)]
+            vs = [[rand.random() for i in range(3)] for k in range(3)]
             norm = np.cross(np.subtract(vs[1], vs[0]), np.subtract(vs[2],vs[0]))
             norm = norm / np.linalg.norm(norm)
             content += " ".join([f"{v:.2f}" for v in norm]).encode() + b"\n"
@@ -141,10 +145,10 @@ class STLDoctorChecker(BaseChecker):
             content = b"#" + solidname.ljust(78, b"\x00") + b"\x00"
         else:
             content = b"#" + b"\x00" * 79
-        facet_count = random.randint(4, 30)
+        facet_count = rand.randint(4, 30)
         content += struct.pack("<I", facet_count)
         for fi in range(facet_count):
-            vs = [[random.random() for i in range(3)] for k in range(3)]
+            vs = [[rand.random() for i in range(3)] for k in range(3)]
             norm = np.cross(np.subtract(vs[1], vs[0]), np.subtract(vs[2],vs[0]))
             for i in range(3):
                 content += struct.pack("<f", norm[i])
@@ -184,7 +188,7 @@ class STLDoctorChecker(BaseChecker):
             modelid = line.rsplit(b"!", 1)[0].split(b"with ID ", 1)[1]
             if modelid == b"": raise Exception
         except:
-            raise BrokenServiceException(f"Invalid response during upload of {modelname}")
+            raise BrokenServiceException(f"Invalid response during upload of {modelname}:\n{line}")
 
         # Consume rest of data in this call
         conn.recvuntil(self.prompt)
@@ -202,7 +206,7 @@ class STLDoctorChecker(BaseChecker):
         conn.write("y\n" if download else "\n")
 
         # Wait for end of info box
-        resp = conn.recvuntil("==================")
+        resp = conn.recvuntil("================== \n")
 
         # Ask for download if desired
         if download:
@@ -352,22 +356,36 @@ class STLDoctorChecker(BaseChecker):
             filelist = [l.strip().split(b" : ") for l in conn.recvuntil("?").split(b"\n") if b" : " in l]
             if len(filelist) == 0:
                 raise BrokenServiceException("Failed to list files through search")
+            index_dict = {fl[1]: fl[0] for fl in filelist}
+            targets = [fl[1] for fl in filelist]
 
             # Use it to enumerate other files and grab contents
             found = None
-            for i in range(len(filelist)):
-                self.debug(b"Retrieving file " + filelist[i][0] + b": " + filelist[i][1])
-                conn.write(filelist[i][0] + b"\ny\n")
+            self.debug("Targets:\n" + "\n".join([' - ' + l.decode('latin1') for l in targets]))
+            for i,fhash in enumerate(targets):
+                if index_dict[fhash] == None:
+                    self.debug(b"Skipping now missing file " + fhash)
+                    continue
+
+                # Retrieve current file
+                self.debug(b"Retrieving file " + fhash + b" at index " + index_dict[fhash])
+                conn.write(index_dict[fhash] + b"\ny\n")
                 fileinfo = conn.recvuntil(self.prompt)
-                self.debug("File contents:\n" + fileinfo.decode("latin1"))
+                # self.debug("File contents:\n" + fileinfo.decode("latin1"))
                 found = self.search_flag_bytes(fileinfo)
-                if found is not None or i == len(filelist) - 1:
+                if found is not None or i == len(targets) - 1:
                     break
 
                 # Parse evil file again for next iter
                 self.getfile(conn, name, download=False)
                 conn.write("search last\n")
-                conn.recvuntil("?")
+
+                # Update indicies from new search
+                filelist = [l.strip().split(b" : ") for l in conn.recvuntil("?").split(b"\n") if b" : " in l]
+                index_dict = {name : None for name in targets}
+                for fl in filelist:
+                    index_dict[fl[1]] = fl[0]
+
             self.closeconn(conn)
 
             if found is None:
diff --git a/checker/src/gunicorn.conf.py b/checker/src/gunicorn.conf.py
index b049e48..095073e 100644
--- a/checker/src/gunicorn.conf.py
+++ b/checker/src/gunicorn.conf.py
@@ -1,10 +1,8 @@
 import multiprocessing
 
-worker_class = "gevent"
+worker_class = "eventlet"
 workers = multiprocessing.cpu_count() * 2 + 1
 bind = "0.0.0.0:3031"
 timeout = 90
 keepalive = 3600
-max_requests = 100
 preload_app = True
-max_requests_jitter = 30
diff --git a/checker/src/requirements.txt b/checker/src/requirements.txt
index e88eeb1..0668404 100644
--- a/checker/src/requirements.txt
+++ b/checker/src/requirements.txt
@@ -3,14 +3,14 @@ chardet==4.0.0
 click==7.1.2
 dnspython==1.16.0
 # enochecker==0.4.2
-# git+https://github.com/enowars/enochecker@e1ce01b510b0d9e05d292a11a24c809bca1c181b
-git+https://github.com/Sinitax/enochecker@7fbc1b9ad4eee85343dcdce7e575e95b8e3c481e
+# git+https://github.com/enowars/enochecker@37981175f3125bd552c3c351494186fe9ce35e0b
+git+https://github.com/Sinitax/enochecker@3bd2e698e9421f4a67e60a2377ac6f40e65b18a7
 enochecker-cli==0.7.0
 enochecker-core==0.10.0
 eventlet==0.30.2
 Flask==1.1.2
 greenlet==1.0.0
-gunicorn[gevent]
+gunicorn==20.1.0
 idna==2.10
 itsdangerous==1.1.0
 Jinja2==2.11.3
diff --git a/checker/test.sh b/checker/test.sh
index 9b2d08e..c3df08c 100644
--- a/checker/test.sh
+++ b/checker/test.sh
@@ -26,14 +26,15 @@ except:
 
 try() {
 	cmd="$1"
-	tmpfile="/tmp/checker-log-$BASHPID"
+	pid=$BASHPID
+	tmpfile="/tmp/checker-log-$pid"
 	[ -e "$tmpfile" ] && rm "$tmpfile"
 	if [ $# -lt 2 ]; then
 		variant=0
 	else
 		variant=$2
 	fi
-	taskid=$$
+	taskid=$pid
 	if [ ! -z "$REMOTE" ]; then
 		python3 enoreq.py -j True -A http://localhost:9091 -a $REMOTE \
 			--flag ENOTESTFLAG123= --flag_regex 'ENO.*=' -i $taskid \
@@ -46,18 +47,18 @@ try() {
 		res="$(cat $tmpfile | grep -a Result: | tail -n1 | grep -a -o OK)"
 	fi
 	if [ "$res" != "OK" ]; then
-		newfile="fails/err-$(ls fails | wc -l)"
+		newfile="fails/err-$pid"
 		(
 			echo "METHOD $@"
+			echo "RESULT $res"
+			echo "TASK $taskid"
 			cat "$tmpfile"
 			if [ ! -z "$REMOTE" -a -e "$ENOLOGMESSAGE_PARSER" ]; then
-				docker-compose logs --tail=400 | grep '"taskId": '$taskid | $ENOLOGMESSAGE_PARSER
+				docker-compose logs --tail=2000 | grep '"taskId": '$taskid | $ENOLOGMESSAGE_PARSER
 			fi
 		) > "$newfile"
-		echo -ne "Executing $cmd with variant $variant.. $res ($newfile)\n"
-	else
-		echo -ne "Executing $cmd with variant $variant.. $res\n"
 	fi
+	echo -ne "Executing $cmd with variant $variant.. $res (TASK: $taskid)\n"
 }
 
 try-all() {
@@ -82,16 +83,23 @@ try-all() {
 	try exploit 1
 }
 
-if [ $# -ge 2 ]; then
+one-of() {
+	for arg in ${@:2}; do
+		[ "$1" == "$arg" ] && return 0
+	done
+	return 1
+}
+
+if one-of "$1" putflag getflag putnoise getnoise havoc exploit; then
 	try $@
 elif [ "$1" == "test-exploits" ]; then
 	try exploit 0
 	try exploit 1
 elif [ "$1" == "stress-test" ]; then
 	mkdir -p fails
-	while [ 1 ]; do
-		try-all &
-		sleep 2
+	count=${2:-100}
+	for i in $(seq $count); do
+		try ${3:-exploit} ${4:-0} &
 	done
 else
 	try-all
diff --git a/do.sh b/do.sh
index db78a4b..0faf177 100644
--- a/do.sh
+++ b/do.sh
@@ -35,7 +35,7 @@ elif [ "$1" == "cleansrc" ]; then
 	dst="$3"
 	[ -e "$dst" ] && rm -rf "$dst"
 	mkdir -p "$dst"
-	cp -r "$src"/{*.c,*.h,Makefile,msgs} "$dst"
+	cp -r "$src"/{*.c,*.h,Makefile,msgs,.gitignore} "$dst"
 
 	# strip comments
 	find "$dst" | while read path; do
diff --git a/service/entrypoint.sh b/service/entrypoint.sh
index 4e6a8c4..94dbea1 100755
--- a/service/entrypoint.sh
+++ b/service/entrypoint.sh
@@ -5,7 +5,7 @@ chown -R service:service "$RESULTDIR"
 
 while [ 1 ]; do
 	/cleaner.sh
-	sleep 200
+	sleep 400
 done &
 
 CMD="socat -T180 -s TCP-LISTEN:9000,nodelay,reuseaddr,fork EXEC:/service/build/stldoctor,raw,pty,echo=0,stderr"
diff --git a/service/src/.gitignore b/service/src/.gitignore
new file mode 100644
index 0000000..140742a
--- /dev/null
+++ b/service/src/.gitignore
@@ -0,0 +1,2 @@
+build
+vgcore.*
diff --git a/service/src/main.c b/service/src/main.c
index d76ceb8..24279c5 100644
--- a/service/src/main.c
+++ b/service/src/main.c
@@ -92,6 +92,13 @@ fail:
 	return FAIL;
 }
 
+int
+access_authorized(const char *file)
+{
+	return (loggedin && file[0] == '.' && file[1] != '.')
+		|| (!loggedin && file[0] != '.');
+}
+
 void
 cat_cmd(const char *arg)
 {
@@ -106,12 +113,10 @@ help_cmd(const char *arg)
 {
 	int i;
 
-	if (arg) {
-		for (i = 0; i < ARRSIZE(commands); i++) {
-			if (!strcmp(commands[i].name, arg)) {
-				printf("%s\n", commands[i].desc);
-				return;
-			}
+	for (i = 0; arg && i < ARRSIZE(commands); i++) {
+		if (!strcmp(commands[i].name, arg)) {
+			printf("%s\n", commands[i].desc);
+			return;
 		}
 	}
 
@@ -124,6 +129,7 @@ help_cmd(const char *arg)
 void
 exit_cmd(const char *arg)
 {
+	printf("bye!\n");
 	exit(0);
 }
 
@@ -170,8 +176,9 @@ cleanup:
 void
 search_cmd(const char *arg)
 {
-	char *end, *scandir = NULL, *infopath = NULL, *modelpath = NULL;
-	int i, which, dirstart, ishidden;
+	char *end, *scandir = NULL, *infopath = NULL,
+	     *modelpath = NULL, **paths = NULL;
+	int i, which, dirstart, ishidden, pathc, pathcap = 100;
 	const char *hash, *name;
 	struct dirent *de;
 	DIR *d = NULL;
@@ -188,51 +195,49 @@ search_cmd(const char *arg)
 		hash = mhash(arg ? arg : ask("Model name: "), -1);
 	}
 
-	if (!(d = opendir(resultdir))) return;
+	if (!(d = opendir(resultdir))) {
+		printf("Unable to access upload directory!\n");
+		return;
+	}
 
+	paths = checkp(malloc(pathcap * sizeof(char*)));
 	dirstart = telldir(d);
-	for (i = 0; (de = readdir(d));) {
-		name = de->d_name;
-		if (loggedin && *name == '.' && !strpfcmp(hash, name + 1)
-				|| !loggedin && *name != '.' && !strpfcmp(hash, name)) {
-			printf("%i : %s\n", i, de->d_name);
-			i++;
+	for (pathc = 0; (de = readdir(d));) {
+		if (access_authorized(de->d_name)
+		    && !strpfcmp(hash, de->d_name + loggedin)) {
+			printf("%i : %s\n", pathc, de->d_name);
+			paths[pathc++] = checkp(strdup(de->d_name));
+			if (pathc == pathcap) {
+				pathcap *= 2;
+				paths = checkp(realloc(paths, pathcap * sizeof(char*)));
+			}
 		}
 	}
+	closedir(d);
 
-	if (i == 0) {
+	if (pathc == 0) {
 		printf("Sorry, couldnt find a matching scan result!\n");
 		goto cleanup;
-	} else {
-		which = strtoul(ask("Which of these results? "), &end, 10);
-		if (which >= i || which < 0 || *end) {
-			printf("Invalid index!\n");
-			goto cleanup;
-		}
-	}
-
-	seekdir(d, dirstart);
-	for (i = 0; (de = readdir(d));) {
-		name = de->d_name;
-		if (loggedin && *name == '.' && !strpfcmp(hash, name + 1)
-				|| !loggedin && *name != '.' && !strpfcmp(hash, name)) {
-			if (i == which) {
-				scandir = aprintf("%s/%s", resultdir, de->d_name);
-				break;
-			}
-			i++;
-		}
 	}
 
-	if (!scandir) {
-		printf("Selected result spontaneously combusted!\n");
+	which = strtoul(ask("Which of these results? "), &end, 10);
+	if (which >= pathc || which < 0 || *end) {
+		printf("Invalid index!\n");
 		goto cleanup;
 	}
 
+	scandir = aprintf("%s/%s", resultdir, paths[which]);
+
 	infopath = aprintf("%s/%s", scandir, "info");
-	if (!(f = fopen(infopath, "r"))) goto cleanup;
+	if (!(f = fopen(infopath, "r"))) {
+		printf("Selected result is missing!\n");
+		goto cleanup;
+	}
 	free_info(&cached);
-	if (load_info(&cached, f) != OK) goto cleanup;
+	if (load_info(&cached, f) != OK) {
+		printf("Failed to parse info file!\n");
+		goto cleanup;
+	}
 	fclose(f);
 	f = NULL;
 
@@ -240,11 +245,17 @@ search_cmd(const char *arg)
 
 	if (strchr(ask("Download the model? "), 'y')) {
 		modelpath = aprintf("%s/%s", scandir, "model");
-		if (!(f = fopen(modelpath, "r"))) goto cleanup;
+		if (!(f = fopen(modelpath, "r"))) {
+			printf("Failed to access file!\n");
+			goto cleanup;
+		}
 		fseek(f, 0, SEEK_END);
 		size = ftell(f);
 		fseek(f, 0, SEEK_SET);
-		if (size > MAXFILESIZE) goto cleanup;
+		if (size > MAXFILESIZE) {
+			printf("File is too large to send!\n");
+			goto cleanup;
+		}
 		printf("Here you go.. (%liB)\n", size);
 		while ((i = getc(f)) != EOF)
 			putc(i, stdout);
@@ -254,10 +265,13 @@ search_cmd(const char *arg)
 
 cleanup:
 	if (f) fclose(f);
-	closedir(d);
+
 	free(scandir);
 	free(infopath);
 	free(modelpath);
+
+	for (i = 0; i < pathc; i++) free(paths[i]);
+	free(paths);
 }
 
 void
diff --git a/src/.gitignore b/src/.gitignore
index 5f14e4d..140742a 100644
--- a/src/.gitignore
+++ b/src/.gitignore
@@ -1,4 +1,2 @@
-stldoctor
-*.o
+build
 vgcore.*
-safe_*
diff --git a/src/main.c b/src/main.c
index 43dce40..ff30df3 100644
--- a/src/main.c
+++ b/src/main.c
@@ -92,6 +92,13 @@ fail:
 	return FAIL;
 }
 
+int
+access_authorized(const char *file)
+{
+	return (loggedin && file[0] == '.' && file[1] != '.')
+		|| (!loggedin && file[0] != '.');
+}
+
 void
 cat_cmd(const char *arg)
 {
@@ -122,6 +129,7 @@ help_cmd(const char *arg)
 void
 exit_cmd(const char *arg)
 {
+	printf("bye!\n");
 	exit(0);
 }
 
@@ -168,8 +176,9 @@ cleanup:
 void
 search_cmd(const char *arg)
 {
-	char *end, *scandir = NULL, *infopath = NULL, *modelpath = NULL;
-	int i, which, dirstart, ishidden;
+	char *end, *scandir = NULL, *infopath = NULL,
+	     *modelpath = NULL, **paths = NULL;
+	int i, which, dirstart, ishidden, pathc, pathcap = 100;
 	const char *hash, *name;
 	struct dirent *de;
 	DIR *d = NULL;
@@ -186,52 +195,49 @@ search_cmd(const char *arg)
 		hash = mhash(arg ? arg : ask("Model name: "), -1);
 	}
 
-	if (!(d = opendir(resultdir))) return;
+	if (!(d = opendir(resultdir))) {
+		fprintf(stderr, "Unable to access upload directory!\n");
+		return;
+	}
 
+	paths = checkp(malloc(pathcap * sizeof(char*)));
 	dirstart = telldir(d);
-	for (i = 0; (de = readdir(d));) {
-		name = de->d_name;
-		if (loggedin && *name == '.' && !strpfcmp(hash, name + 1)
-				|| !loggedin && *name != '.' && !strpfcmp(hash, name)) {
-			printf("%i : %s\n", i, de->d_name);
-			i++;
+	for (pathc = 0; (de = readdir(d));) {
+		if (access_authorized(de->d_name)
+		    && !strpfcmp(hash, de->d_name + loggedin)) {
+			printf("%i : %s\n", pathc, de->d_name);
+			paths[pathc++] = checkp(strdup(de->d_name));
+			if (pathc == pathcap) {
+				pathcap *= 2;
+				paths = checkp(realloc(paths, pathcap * sizeof(char*)));
+			}
 		}
 	}
+	closedir(d);
 
-	if (i == 0) {
+	if (pathc == 0) {
 		fprintf(stderr, "Sorry, couldnt find a matching scan result!\n");
 		goto cleanup;
-	} else {
-		which = strtoul(ask("Which of these results? "), &end, 10);
-		if (which >= i || which < 0 || *end) {
-			fprintf(stderr, "Invalid index!\n");
-			goto cleanup;
-		}
 	}
 
-	seekdir(d, dirstart);
-	for (i = 0; (de = readdir(d));) {
-		name = de->d_name;
-		if (loggedin && *name == '.' && !strpfcmp(hash, name + 1)
-				|| !loggedin && *name != '.' && !strpfcmp(hash, name)) {
-			if (i == which) {
-				scandir = aprintf("%s/%s", resultdir, de->d_name);
-				break;
-			}
-			i++;
-		}
-	}
-
-	/* file got cleaned up during race condition by background task */
-	if (!scandir) {
-		fprintf(stderr, "Selected result spontaneously combusted!\n");
+	which = strtoul(ask("Which of these results? "), &end, 10);
+	if (which >= pathc || which < 0 || *end) {
+		fprintf(stderr, "Invalid index!\n");
 		goto cleanup;
 	}
 
+	scandir = aprintf("%s/%s", resultdir, paths[which]);
+
 	infopath = aprintf("%s/%s", scandir, "info");
-	if (!(f = fopen(infopath, "r"))) goto cleanup;
+	if (!(f = fopen(infopath, "r"))) {
+		fprintf(stderr, "Selected result is missing!\n");
+		goto cleanup;
+	}
 	free_info(&cached);
-	if (load_info(&cached, f) != OK) goto cleanup;
+	if (load_info(&cached, f) != OK) {
+		fprintf(stderr, "Failed to parse info file!\n");
+		goto cleanup;
+	}
 	fclose(f);
 	f = NULL;
 
@@ -239,11 +245,17 @@ search_cmd(const char *arg)
 
 	if (strchr(ask("Download the model? "), 'y')) {
 		modelpath = aprintf("%s/%s", scandir, "model");
-		if (!(f = fopen(modelpath, "r"))) goto cleanup;
+		if (!(f = fopen(modelpath, "r"))) {
+			fprintf(stderr, "Failed to access file!\n");
+			goto cleanup;
+		}
 		fseek(f, 0, SEEK_END);
 		size = ftell(f);
 		fseek(f, 0, SEEK_SET);
-		if (size > MAXFILESIZE) goto cleanup;
+		if (size > MAXFILESIZE) {
+			fprintf(stderr, "File is too large to send!\n");
+			goto cleanup;
+		}
 		printf("Here you go.. (%liB)\n", size);
 		while ((i = getc(f)) != EOF)
 			putc(i, stdout);
@@ -253,10 +265,13 @@ search_cmd(const char *arg)
 
 cleanup:
 	if (f) fclose(f);
-	closedir(d);
+
 	free(scandir);
 	free(infopath);
 	free(modelpath);
+
+	for (i = 0; i < pathc; i++) free(paths[i]);
+	free(paths);
 }
 
 void
-- 
cgit v1.2.3-71-gd317