From 6a321759f6f75e7e14a29fde7cd0fa359d14215e Mon Sep 17 00:00:00 2001
From: Louis Burda <quent.burda@gmail.com>
Date: Wed, 21 Jul 2021 19:37:15 +0200
Subject: final tweaks to documentations, added intro and final presentation
 slides

---
 documentation/slides-intro/slides.md | 184 +++++++++++++++++++++++++++++++++++
 1 file changed, 184 insertions(+)
 create mode 100644 documentation/slides-intro/slides.md

(limited to 'documentation/slides-intro/slides.md')

diff --git a/documentation/slides-intro/slides.md b/documentation/slides-intro/slides.md
new file mode 100644
index 0000000..48e3447
--- /dev/null
+++ b/documentation/slides-intro/slides.md
@@ -0,0 +1,184 @@
+title: STLDoctor
+output: index.html
+controls: false
+
+--
+
+<style>
+
+.footnote {
+	font-size: 16pt;
+	position: absolute;
+	color: gray;
+	bottom: 0px;
+	right: 0px;
+}
+
+.slide-content {
+	position: relative;
+}
+
+.slide-content > ul >li {
+	padding: 7px 0px;
+}
+
+.slide-content > p > img {
+	width: 100%;
+}
+
+</style>
+
+--
+
+# STLDoctor 💉
+
+--
+
+### The Plan 💡
+
+<!-- Familiar with C and wondered about non-standard
+     buffer-/integer overflow C bugs -->
+<!-- Plaintext file inspection service -->
+<!-- Interesting and realisitic bugs -->
+<!-- Written in C -->
+<!-- Have to combine 'gadgets' for exploit, but
+     as a logic bug, not RCE -->
+- Plaintext service
+- Interesting C bugs
+- Exploit logic bugs, not RCE
+- Learn about the STL format
+
+<img style="width: 240px !important; transform: rotate(90deg); height: 240px; position:absolute; top:150px; right:70px;" src="https://upload.wikimedia.org/wikipedia/commons/9/9b/STL_sample_2.png">
+
+--
+
+### Setup 🔧
+
+- C binary that communicates via `stdin` and `stdout`
+- Networking abstracted through hosting with `socat`
+- File system backend with periodic clean up
+
+![socat](media/socat.gif)
+
+--
+
+### Functionality 🎮
+
+<!-- file system backend separates user accounts and stl files location for non-guests -->
+<!-- guest account files can be downloaded by knowing their modelname,
+     premium account files can only be downloaded by authenticated users -->
+
+- Users can upload and search for files
+- Register to upload private files
+- Uploaded files are analyzed and information is returned to the user
+
+---
+
+<!-- Sample interaction demonstrating how you would retrieve a file you uploaded -->
+
+![FileSearch](media/search.gif)
+
+--
+
+### 1. Vuln 💉
+
+- Flags are stored in the solidname of the STL
+- Bug in upload info file parsing allows attacker to retrieve any public file
+
+--
+
+### 2. Vuln 💉
+
+- Flags are stored in the solidname of a private file
+- Buffer overflow in hash function allows enumeration of private user hashes
+- Generate preimages of weak hash function to login as users
+
+--
+
+### Goals Met 🎉
+
+<!-- dont need to be an expert at fancy exploitation to exploit,
+     just basic knowledge of C and testing code snippets to see
+     if they do what you expect them to in different cases -->
+
+⭐ Plaintext file inspection service <br>
+⭐ Interesting and realisitic bugs <br>
+⭐ Combine different gadgets for exploit <br>
+⭐ Don't need to be an expert at fancy ROP <br>
+⭐ No SLA lost in TestCTF <br>
+⭐ Written in C
+
+--
+
+### Issues 📉
+
+<!-- Currently, the exploits dont require you to understand the
+	STL file format, however, to make sure that the service
+	is working correctly, you need to inspect the code -->
+
+<!-- Still considering encoding of flags as STL, but want to
+	avoid -->
+
+💥 Exploits not directly related to STL format <br>
+💥 (Eno)checker has memory leaks
+
+--
+
+### Lesssons Learned 
+
+<!-- from the feedback I gathered, that not a lot of people write C code
+     often, but this also means it is a great opportunity for learning
+     something new. -->
+
+- Many exploits are not suited for A/D ctfs
+- How to write a FSM format parser
+- Be careful with casts in C
+- People just *love* C services 🤡
+
+--
+
+--
+
+--
+
+# Exploit 1
+
+--
+
+![exploit-1-1](media/exploit-1-1.png)
+
+--
+
+![exploit-1-2](media/exploit-1-2.png)
+
+--
+
+![exploit-1-3](media/exploit-1-3.png)
+
+--
+
+![exploit-1-4](media/exploit-1-4.png)
+
+--
+
+![exploit-1-5](media/exploit-1-5.png)
+
+--
+
+# Exploit 2
+
+--
+
+![exploit-2-1](media/exploit-2-1.png)
+
+
+
+<script>
+	// var slide_headers = document.querySelectorAll(".slide-content > h3");
+	// for (var i = 0; i < slide_headers.length; i++) {
+	// 	var img = document.createElement('img')
+	// 	img.src = "logo.png";
+	// 	img.style = "height: 2.4ex; padding-right: 10px; float:right";
+	// 	slide_headers[i].append(img);
+	// }
+</script>
-- 
cgit v1.2.3-71-gd317