From a0bd3d833d916cadd23d17d0b3784e28c729967d Mon Sep 17 00:00:00 2001
From: Louis Burda <quent.burda@gmail.com>
Date: Thu, 24 Jun 2021 02:52:21 +0200
Subject: various fixes made while stress-testing exploit

---
 checker/src/checker.py       | 50 ++++++++++++++++++++++++++++++--------------
 checker/src/gunicorn.conf.py |  4 +---
 checker/src/requirements.txt |  6 +++---
 3 files changed, 38 insertions(+), 22 deletions(-)

(limited to 'checker/src')

diff --git a/checker/src/checker.py b/checker/src/checker.py
index 8be5213..8f9334d 100644
--- a/checker/src/checker.py
+++ b/checker/src/checker.py
@@ -8,6 +8,8 @@ logging.getLogger("faker").setLevel(logging.WARNING)
 logging.getLogger("pwnlib").setLevel(logging.WARNING)
 logging.getLogger("_curses").setLevel(logging.CRITICAL)
 
+rand = random.SystemRandom()
+
 from faker import Faker
 
 # DEBUGING MEMORY ISSUES#
@@ -63,18 +65,20 @@ class STLDoctorChecker(BaseChecker):
     def closeconn(self, conn):
         self.debug("Sending exit command")
         conn.write("exit\n")
+        # ensure it is a clean exit
+        conn.recvuntil("bye!")
         conn.close()
 
     def fakeid(self):
         fake = Faker(["en_US"])
         allowed = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmopqrstuvwxyz0123456789-+.!"
-        idstr = "".join([c for c in fake.name().replace(' ','') if c in allowed][:60]).ljust(10, '.')
-        idstr += "".join([random.choice(allowed) for i in range(5)])
+        idstr = "".join([c for c in fake.name().replace(' ','') if c in allowed][:12]).ljust(10, '.')
+        idstr += "".join([rand.choice(allowed) for i in range(8)])
         return idstr
 
     def havocid(self):
-        idlen = random.randint(10, 60)
-        return "".join([chr(random.randint(32, 127)) for i in range(idlen)])
+        idlen = rand.randint(10, 40)
+        return "".join([chr(rand.randint(32, 127)) for i in range(idlen)])
 
     def do_auth(self, conn, authstr):
         authstr = ensure_bytes(authstr)
@@ -113,10 +117,10 @@ class STLDoctorChecker(BaseChecker):
             content = b"solid " + solidname + b"\n"
         else:
             content = b"solid\n"
-        facet_count = random.randint(4, 30)
+        facet_count = rand.randint(4, 30)
         for fi in range(facet_count):
             content += b"facet normal "
-            vs = [[random.random() for i in range(3)] for k in range(3)]
+            vs = [[rand.random() for i in range(3)] for k in range(3)]
             norm = np.cross(np.subtract(vs[1], vs[0]), np.subtract(vs[2],vs[0]))
             norm = norm / np.linalg.norm(norm)
             content += " ".join([f"{v:.2f}" for v in norm]).encode() + b"\n"
@@ -141,10 +145,10 @@ class STLDoctorChecker(BaseChecker):
             content = b"#" + solidname.ljust(78, b"\x00") + b"\x00"
         else:
             content = b"#" + b"\x00" * 79
-        facet_count = random.randint(4, 30)
+        facet_count = rand.randint(4, 30)
         content += struct.pack("<I", facet_count)
         for fi in range(facet_count):
-            vs = [[random.random() for i in range(3)] for k in range(3)]
+            vs = [[rand.random() for i in range(3)] for k in range(3)]
             norm = np.cross(np.subtract(vs[1], vs[0]), np.subtract(vs[2],vs[0]))
             for i in range(3):
                 content += struct.pack("<f", norm[i])
@@ -184,7 +188,7 @@ class STLDoctorChecker(BaseChecker):
             modelid = line.rsplit(b"!", 1)[0].split(b"with ID ", 1)[1]
             if modelid == b"": raise Exception
         except:
-            raise BrokenServiceException(f"Invalid response during upload of {modelname}")
+            raise BrokenServiceException(f"Invalid response during upload of {modelname}:\n{line}")
 
         # Consume rest of data in this call
         conn.recvuntil(self.prompt)
@@ -202,7 +206,7 @@ class STLDoctorChecker(BaseChecker):
         conn.write("y\n" if download else "\n")
 
         # Wait for end of info box
-        resp = conn.recvuntil("==================")
+        resp = conn.recvuntil("================== \n")
 
         # Ask for download if desired
         if download:
@@ -352,22 +356,36 @@ class STLDoctorChecker(BaseChecker):
             filelist = [l.strip().split(b" : ") for l in conn.recvuntil("?").split(b"\n") if b" : " in l]
             if len(filelist) == 0:
                 raise BrokenServiceException("Failed to list files through search")
+            index_dict = {fl[1]: fl[0] for fl in filelist}
+            targets = [fl[1] for fl in filelist]
 
             # Use it to enumerate other files and grab contents
             found = None
-            for i in range(len(filelist)):
-                self.debug(b"Retrieving file " + filelist[i][0] + b": " + filelist[i][1])
-                conn.write(filelist[i][0] + b"\ny\n")
+            self.debug("Targets:\n" + "\n".join([' - ' + l.decode('latin1') for l in targets]))
+            for i,fhash in enumerate(targets):
+                if index_dict[fhash] == None:
+                    self.debug(b"Skipping now missing file " + fhash)
+                    continue
+
+                # Retrieve current file
+                self.debug(b"Retrieving file " + fhash + b" at index " + index_dict[fhash])
+                conn.write(index_dict[fhash] + b"\ny\n")
                 fileinfo = conn.recvuntil(self.prompt)
-                self.debug("File contents:\n" + fileinfo.decode("latin1"))
+                # self.debug("File contents:\n" + fileinfo.decode("latin1"))
                 found = self.search_flag_bytes(fileinfo)
-                if found is not None or i == len(filelist) - 1:
+                if found is not None or i == len(targets) - 1:
                     break
 
                 # Parse evil file again for next iter
                 self.getfile(conn, name, download=False)
                 conn.write("search last\n")
-                conn.recvuntil("?")
+
+                # Update indicies from new search
+                filelist = [l.strip().split(b" : ") for l in conn.recvuntil("?").split(b"\n") if b" : " in l]
+                index_dict = {name : None for name in targets}
+                for fl in filelist:
+                    index_dict[fl[1]] = fl[0]
+
             self.closeconn(conn)
 
             if found is None:
diff --git a/checker/src/gunicorn.conf.py b/checker/src/gunicorn.conf.py
index b049e48..095073e 100644
--- a/checker/src/gunicorn.conf.py
+++ b/checker/src/gunicorn.conf.py
@@ -1,10 +1,8 @@
 import multiprocessing
 
-worker_class = "gevent"
+worker_class = "eventlet"
 workers = multiprocessing.cpu_count() * 2 + 1
 bind = "0.0.0.0:3031"
 timeout = 90
 keepalive = 3600
-max_requests = 100
 preload_app = True
-max_requests_jitter = 30
diff --git a/checker/src/requirements.txt b/checker/src/requirements.txt
index e88eeb1..0668404 100644
--- a/checker/src/requirements.txt
+++ b/checker/src/requirements.txt
@@ -3,14 +3,14 @@ chardet==4.0.0
 click==7.1.2
 dnspython==1.16.0
 # enochecker==0.4.2
-# git+https://github.com/enowars/enochecker@e1ce01b510b0d9e05d292a11a24c809bca1c181b
-git+https://github.com/Sinitax/enochecker@7fbc1b9ad4eee85343dcdce7e575e95b8e3c481e
+# git+https://github.com/enowars/enochecker@37981175f3125bd552c3c351494186fe9ce35e0b
+git+https://github.com/Sinitax/enochecker@3bd2e698e9421f4a67e60a2377ac6f40e65b18a7
 enochecker-cli==0.7.0
 enochecker-core==0.10.0
 eventlet==0.30.2
 Flask==1.1.2
 greenlet==1.0.0
-gunicorn[gevent]
+gunicorn==20.1.0
 idna==2.10
 itsdangerous==1.1.0
 Jinja2==2.11.3
-- 
cgit v1.2.3-71-gd317