From 6a321759f6f75e7e14a29fde7cd0fa359d14215e Mon Sep 17 00:00:00 2001
From: Louis Burda
Date: Wed, 21 Jul 2021 19:37:15 +0200
Subject: final tweaks to documentations, added intro and final presentation slides
---
 documentation/slides/.gitignore | 1 -
 documentation/slides/index.html | 699 ----------------------------
 documentation/slides/media/exploit-1-1.png | Bin 16715 -> 0 bytes
 documentation/slides/media/exploit-1-2.png | Bin 26940 -> 0 bytes
 documentation/slides/media/exploit-1-3.png | Bin 52090 -> 0 bytes
 documentation/slides/media/exploit-1-4.png | Bin 70074 -> 0 bytes
 documentation/slides/media/exploit-1-5.png | Bin 71647 -> 0 bytes
 documentation/slides/media/exploit-2-1.png | Bin 46589 -> 0 bytes
 documentation/slides/media/search.gif | Bin 60562 -> 0 bytes
 documentation/slides/media/socat.gif | Bin 19413 -> 0 bytes
 documentation/slides/slides.md | 184 --------
 documentation/slides/stldoctor.pdf | Bin 579874 -> 0 bytes
 12 files changed, 884 deletions(-)
 delete mode 100644 documentation/slides/.gitignore
 delete mode 100644 documentation/slides/index.html
 delete mode 100644 documentation/slides/media/exploit-1-1.png
 delete mode 100644 documentation/slides/media/exploit-1-2.png
 delete mode 100644 documentation/slides/media/exploit-1-3.png
 delete mode 100644 documentation/slides/media/exploit-1-4.png
 delete mode 100644 documentation/slides/media/exploit-1-5.png
 delete mode 100644 documentation/slides/media/exploit-2-1.png
 delete mode 100644 documentation/slides/media/search.gif
 delete mode 100644 documentation/slides/media/socat.gif
 delete mode 100644 documentation/slides/slides.md
 delete mode 100644 documentation/slides/stldoctor.pdf
(limited to 'documentation/slides')
diff --git a/documentation/slides/.gitignore b/documentation/slides/.gitignore
deleted file mode 100644
index e4e7469..0000000
--- a/documentation/slides/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-slides
diff --git a/documentation/slides/index.html b/documentation/slides/index.html
deleted file mode 100644
index cc0aa6a..0000000
--- a/documentation/slides/index.html
+++ /dev/null
@@ -1,699 +0,0 @@
- - - - - - STLDoctor - - - - -
-
-
- -
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/documentation/slides/media/exploit-1-1.png b/documentation/slides/media/exploit-1-1.png
deleted file mode 100644
index b251075..0000000
Binary files a/documentation/slides/media/exploit-1-1.png and /dev/null differ
diff --git a/documentation/slides/media/exploit-1-2.png b/documentation/slides/media/exploit-1-2.png
deleted file mode 100644
index e63f7d0..0000000
Binary files a/documentation/slides/media/exploit-1-2.png and /dev/null differ
diff --git a/documentation/slides/media/exploit-1-3.png b/documentation/slides/media/exploit-1-3.png
deleted file mode 100644
index 4dc961d..0000000
Binary files a/documentation/slides/media/exploit-1-3.png and /dev/null differ
diff --git a/documentation/slides/media/exploit-1-4.png b/documentation/slides/media/exploit-1-4.png
deleted file mode 100644
index 2d75f2f..0000000
Binary files a/documentation/slides/media/exploit-1-4.png and /dev/null differ
diff --git a/documentation/slides/media/exploit-1-5.png b/documentation/slides/media/exploit-1-5.png
deleted file mode 100644
index 874529b..0000000
Binary files a/documentation/slides/media/exploit-1-5.png and /dev/null differ
diff --git a/documentation/slides/media/exploit-2-1.png b/documentation/slides/media/exploit-2-1.png
deleted file mode 100644
index 91b0df7..0000000
Binary files a/documentation/slides/media/exploit-2-1.png and /dev/null differ
diff --git a/documentation/slides/media/search.gif b/documentation/slides/media/search.gif
deleted file mode 100644
index de4ed18..0000000
Binary files a/documentation/slides/media/search.gif and /dev/null differ
diff --git a/documentation/slides/media/socat.gif b/documentation/slides/media/socat.gif
deleted file mode 100644
index 38f1e93..0000000
Binary files a/documentation/slides/media/socat.gif and /dev/null differ
diff --git a/documentation/slides/slides.md b/documentation/slides/slides.md
deleted file mode 100644
index 48e3447..0000000
--- a/documentation/slides/slides.md
+++ /dev/null
@@ -1,184 +0,0 @@
-title: STLDoctor
-output: index.html
-controls: false
-
---
-
-
-
---
-
-# STLDoctor 💉
-
---
-
-### The Plan 💡
-
-
-
-
-
-
-- Plaintext service
-- Interesting C bugs
-- Exploit logic bugs, not RCE
-- Learn about the STL format
-
-
-
---
-
-### Setup 🔧
-
-- C binary that communicates via `stdin` and `stdout`
-- Networking abstracted through hosting with `socat`
-- File system backend with periodic clean up
-
-![socat](media/socat.gif)
-
---
-
-### Functionality 🎮
-
-
-
-
-- Users can upload and search for files
-- Register to upload private files
-- Uploaded files are analyzed and information is returned to the user
-
----
-
-
-
-![FileSearch](media/search.gif)
-
---
-
-### 1. Vuln 💉
-
-- Flags are stored in the solidname of the STL
-- Bug in upload info file parsing allows attacker to retrieve any public file
-
---
-
-### 2. Vuln 💉
-
-- Flags are stored in the solidname of a private file
-- Buffer overflow in hash function allows enumeration of private user hashes
-- Generate preimages of weak hash function to login as users
-
---
-
-### Goals Met 🎉
-
-
-
-⭐ Plaintext file inspection service
-⭐ Interesting and realisitic bugs
-⭐ Combine different gadgets for exploit
-⭐ Don't need to be an expert at fancy ROP
-⭐ No SLA lost in TestCTF
-⭐ Written in C - --- - -### Issues 📉 - - - - - -💥 Exploits not directly related to STL format
-💥 (Eno)checker has memory leaks
-
---
-
-### Lesssons Learned
-
-
-
-- Many exploits are not suited for A/D ctfs
-- How to write a FSM format parser
-- Be careful with casts in C
-- People just *love* C services 🤡
-
---
-
---
-
---
-
-# Exploit 1
-
---
-
-![exploit-1-1](media/exploit-1-1.png)
-
---
-
-![exploit-1-2](media/exploit-1-2.png)
-
---
-
-![exploit-1-3](media/exploit-1-3.png)
-
---
-
-![exploit-1-4](media/exploit-1-4.png)
-
---
-
-![exploit-1-5](media/exploit-1-5.png)
-
---
-
-# Exploit 2
-
---
-
-![exploit-2-1](media/exploit-2-1.png)
-
-
-
-
diff --git a/documentation/slides/stldoctor.pdf b/documentation/slides/stldoctor.pdf
deleted file mode 100644
index ddfe89b..0000000
Binary files a/documentation/slides/stldoctor.pdf and /dev/null differ
-- 
cgit v1.2.3-71-gd317