From 9c24455a07b6c743239f3301475ad656b702a627 Mon Sep 17 00:00:00 2001
From: Louis Burda
Date: Wed, 30 Jun 2021 11:00:21 +0200
Subject: add new havoc which uploads stl models with real objects in them for fluff

---
 checker/src/checker.py | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)

(limited to 'checker/src/checker.py')

diff --git a/checker/src/checker.py b/checker/src/checker.py
index 633a0f1..fe2b8d5 100644
--- a/checker/src/checker.py
+++ b/checker/src/checker.py
@@ -28,6 +28,11 @@ endsolid test\xff
 generic_alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmopqrstuvwxyz0123456789-+.!"
+script_path = os.path.dirname(os.path.realpath(__file__))
+models_path = f"{script_path}/models"
+extra_models = [f"{models_path}/{path}" for path in \
+    os.listdir(models_path) if path.endswith(".stl")]
+
 def ensure_bytes(v):
     if type(v) == bytes:
         return v
@@ -64,7 +69,7 @@ def approx_equal(f1, f2, precision = 2):
 def reverse_hash(hashstr):
     if type(hashstr) is bytes:
         hashstr = hashstr.decode()
-    data = subprocess.check_output([os.getenv("REVHASH_PATH"), hashstr])[:-1]
+    data = subprocess.check_output([f"{script_path}/revhash/revhash", hashstr])[:-1]
     if data == b"":
         raise BrokenServiceException(f"Failed to find hash preimage of {hashstr}")
     return data
@@ -104,7 +109,7 @@ class STLDoctorChecker(BaseChecker):
     flag_variants = 2
     noise_variants = 2
-    havoc_variants = 16
+    havoc_variants = 17
     exploit_variants = 2
     prompt = b"\r$ "
@@ -298,9 +303,8 @@ class STLDoctorChecker(BaseChecker):
         conn.write(stlfile)
 
         # Check for errors
-        _ = conn.recvline() # Modelname:
-        line = conn.recvline()
-        if b"ERR:" in line:
+        resp = conn.recvline() + conn.recvline()
+        if b"ERR:" in resp:
             if check:
                 raise BrokenServiceException(f"Failed to upload model {modelname}:\n{line}")
             conn.recvuntil(self.prompt)
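Review bot: `extra_models` is computed at import time with `os.listdir(models_path)`, so a missing `models` directory next to the checker raises FileNotFoundError while the module loads and takes down every variant, even though the new variant-16 branch already tolerates an empty list; guard the listing, e.g. `extra_models = [f"{models_path}/{p}" for p in os.listdir(models_path) if p.endswith(".stl")] if os.path.isdir(models_path) else []`. The backslash continuation in the list comprehension is unnecessary because the expression is already inside brackets. `os` is presumably imported above this hunk.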
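Review bot: The error path still formats `{line}` in `raise BrokenServiceException(f"Failed to upload model {modelname}:\n{line}")`, but the hunk renames the variable to `resp`, so the first genuine upload error now dies with a NameError instead of the intended BrokenServiceException (unless `line` is still bound earlier in do_upload, whose body starts and ends outside the hunk); change it to `raise BrokenServiceException(f"Failed to upload model {modelname}:\n{resp}")`. The same stale `{line}` is in the `except:` handler of the next hunk (-308,7), `Invalid response during upload of {modelname}:\n{line}`, and should become `{resp}` there too. Since `resp` now also holds the reply line that precedes the status, the `b"ERR:" in resp` test matches across both lines, which is fine only if the first line can never contain `ERR:` — worth confirming against the service.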
@@ -308,7 +312,7 @@ class STLDoctorChecker(BaseChecker):
         # Parse ID
         try:
-            modelid = line.rsplit(b"!", 1)[0].split(b"with ID ", 1)[1]
+            modelid = resp.rsplit(b"!", 1)[0].split(b"with ID ", 1)[1]
             if modelid == b"":
                 raise Exception
         except:
             raise BrokenServiceException(f"Invalid response during upload of {modelname}:\n{line}")
@@ -633,6 +637,19 @@ class STLDoctorChecker(BaseChecker):
             self.test_list(False)
         elif self.variant_id == 15:
             self.test_list(True)
+        elif self.variant_id == 16:
+            if len(extra_models) == 0:
+                return
+            # upload spicy models
+            conn = self.openconn()
+            model = rand.choice(extra_models)
+            modelname = os.path.basename(model).split("-")[0]
+            modelname += "".join([rand.choice("0123456789") for i in range(5)])
+            stlfile = open(model, "rb").read()
+            self.debug(stlfile)
+            modelid = self.do_upload(conn, modelname, stlfile)
+            self.check_in_search(conn, modelname, [modelname, modelid, stlfile], download = True)
+            self.closeconn(conn)
         else:
             raise EnoException(f"Invalid havoc variant ({self.variant_id}) provided")
@@ -680,11 +697,11 @@ class STLDoctorChecker(BaseChecker):
             raise BrokenServiceException("Exploit did not set 'loggedin' variable via overflow")
 
         # Get private user hashes via 'list'
-        resp = self.do_list(conn)
+        resp = self.do_list(conn, check=False)
+        if not resp:
+            raise BrokenServiceException("")
         self.debug("List response: " + str(resp))
         users = [l.split(b" .")[1] for l in resp.split(b"\n") if b">> ." in l]
-        if len(users) == 0:
-            raise BrokenServiceException("Unable to list private user hashes")
         self.closeconn(conn)
 
         # Login as each private user
@@ -706,7 +723,6 @@ class STLDoctorChecker(BaseChecker):
         # List all private files of user
         resp = self.do_list(conn)
-        self.closeconn(conn)
         # Search for flag in solid names
         names = b"\n".join([l.split(b": ", 1)[1] for l in resp.split(b"\n") if b"Solid Name: " in l])
-- 
cgit v1.2.3-71-gd317
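Review bot: `stlfile = open(model, "rb").read()` in the variant-16 branch never closes the file object and leaves it to the garbage collector; use `with open(model, "rb") as f: stlfile = f.read()`. `self.debug(stlfile)` on the next line logs the entire binary STL model, which floods the checker log and buries the surrounding output — logging `model` and `len(stlfile)` would carry the same information. The loop variable in `[rand.choice("0123456789") for i in range(5)]` is unused and conventionally `_`; `rand` is not defined in this hunk, presumably a module-level random source defined above.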
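Review bot: `raise BrokenServiceException("")` loses the diagnostic that the removed `raise BrokenServiceException("Unable to list private user hashes")` carried, and dropping the `len(users) == 0` check means a list reply with no `>> .` entries now falls through silently instead of failing the exploit; give the empty-response raise a message and restore `if not users: raise BrokenServiceException("Unable to list private user hashes")` after `users` is built. In the same function, the hunk at -706,7 removes `self.closeconn(conn)` after the per-user `do_list`; unless that connection is closed later outside the diff, each per-user login now leaves its connection open. The exploit body starts and ends outside these hunks.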