STLDoctor 💉

The Plan 💡

  • Plaintext service
  • Interesting C bugs
  • Exploit logic bugs, not RCE
  • Learn about the STL format

Setup 🔧

  • C binary that communicates via stdin and stdout
  • Networking abstracted through hosting with socat
  • File system backend with periodic clean-up

(Slide image: socat)

Functionality 🎮

  • Users can upload and search for files
  • Register to upload private files
  • Uploaded files are analyzed and information is returned to the user

(Slide image: FileSearch)

1. Vuln 💉

  • Flags are stored in the solidname of the STL
  • Bug in upload info file parsing allows attacker to retrieve any public file

2. Vuln 💉

  • Flags are stored in the solidname of a private file
  • Buffer overflow in hash function allows enumeration of private user hashes
  • Generate preimages of weak hash function to login as users

Goals Met 🎉

⭐ Plaintext file inspection service
⭐ Interesting and realistic bugs
⭐ Combine different gadgets for exploit
⭐ Don't need to be an expert at fancy ROP
⭐ No SLA lost in TestCTF
⭐ Written in C

Issues 📉

💥 Exploits not directly related to STL format
💥 (Eno)checker has memory leaks

Lessons Learned

  • Many exploits are not suited for A/D CTFs
  • How to write a FSM format parser
  • Be careful with casts in C
  • People just love C services 🤡
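
The three technical lessons above (learn the STL format, write an FSM format parser, be careful with casts in C) in working code. This is an added example, not the STLDoctor service's own code: a finite-state-machine parser for the standard ASCII STL grammar that pulls out the solid name (where this service keeps its flags) with a bounded copy and counts facets, plus a size check for the binary STL layout (80-byte header, little-endian uint32 triangle count, 50 bytes per triangle) whose arithmetic is done in 64 bits so a large count cannot wrap a 32-bit product. Every identifier (stl_info, stl_parse_ascii, stl_binary_size_ok) and every sample input below is constructed for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not STLDoctor's code: an FSM parser for ASCII STL (solid name and
 * facet count) plus a binary-STL size check free of 32-bit overflow. Every
 * identifier and sample below is this example's own. */
typedef struct {
    char name[64];   /* solid name, truncated to fit, always NUL-terminated */
    unsigned facets; /* complete facet blocks seen */
} stl_info;
/* Grammar: solid NAME (facet normal XYZ outer loop (vertex XYZ){3} endloop endfacet)* endsolid */
enum state { S_SOLID, S_NAME, S_FACET_OR_END, S_NORMAL, S_NCOORD, S_OUTER,
             S_LOOP, S_VERTEX, S_VCOORD, S_ENDLOOP, S_ENDFACET, S_DONE };

/* Next whitespace-delimited token; never reads past buf[len]. Returns 0 at end. */
static int next_token(const char *buf, size_t len, size_t *pos, const char **tok, size_t *tl)
{
    while (*pos < len && isspace((unsigned char)buf[*pos])) (*pos)++;
    if (*pos >= len) return 0;
    *tok = buf + *pos;
    while (*pos < len && !isspace((unsigned char)buf[*pos])) (*pos)++;
    *tl = (size_t)(buf + *pos - *tok);
    return 1;
}
static int is_kw(const char *t, size_t n, const char *kw)
{ return strlen(kw) == n && memcmp(t, kw, n) == 0; }
/* A coordinate may only contain the characters of a decimal or scientific float. */
static int is_number(const char *t, size_t n)
{
    size_t i = 0;
    while (i < n && memchr("0123456789+-.eE", t[i], 15)) i++;
    return n > 0 && i == n;
}
/* Returns 0 on success, -1 on malformed or truncated input. */
int stl_parse_ascii(const char *buf, size_t len, stl_info *out)
{
    size_t pos = 0, tl = 0, start, n;
    const char *t = NULL; enum state st = S_SOLID; int coords = 0, verts = 0;
    memset(out, 0, sizeof *out);
    while (st != S_DONE) {
        if (st == S_NAME) {
            /* Name = rest of the "solid" line; copied with an explicit bound. */
            while (pos < len && buf[pos] == ' ') pos++;
            start = pos;
            while (pos < len && buf[pos] != '\n' && buf[pos] != '\r') pos++;
            n = pos - start;
            if (n >= sizeof out->name) n = sizeof out->name - 1;
            memcpy(out->name, buf + start, n);
            out->name[n] = '\0';
            st = S_FACET_OR_END;
            continue;
        }
        if (!next_token(buf, len, &pos, &t, &tl)) return -1;
        switch (st) {
        case S_SOLID:  if (!is_kw(t, tl, "solid")) return -1; st = S_NAME; break;
        case S_FACET_OR_END:
            if (is_kw(t, tl, "endsolid")) { st = S_DONE; break; }
            if (!is_kw(t, tl, "facet")) return -1; st = S_NORMAL; break;
        case S_NORMAL: if (!is_kw(t, tl, "normal")) return -1; coords = 0; st = S_NCOORD; break;
        case S_NCOORD: if (!is_number(t, tl)) return -1; if (++coords == 3) st = S_OUTER; break;
        case S_OUTER:  if (!is_kw(t, tl, "outer")) return -1; st = S_LOOP; break;
        case S_LOOP:   if (!is_kw(t, tl, "loop")) return -1; verts = 0; st = S_VERTEX; break;
        case S_VERTEX: if (!is_kw(t, tl, "vertex")) return -1; coords = 0; st = S_VCOORD; break;
        case S_VCOORD: if (!is_number(t, tl)) return -1;
                       if (++coords == 3) st = (++verts == 3) ? S_ENDLOOP : S_VERTEX; break;
        case S_ENDLOOP:  if (!is_kw(t, tl, "endloop")) return -1; st = S_ENDFACET; break;
        case S_ENDFACET: if (!is_kw(t, tl, "endfacet")) return -1; out->facets++; st = S_FACET_OR_END; break;
        default: return -1;
        }
    }
    return 0;
}

/* Binary STL: 80-byte header, little-endian uint32 triangle count, 50 bytes per triangle.
 * Expected size computed in 64 bits: "84 + n * 50" in uint32_t wraps for a large n. */
int stl_binary_size_ok(const unsigned char *buf, size_t len)
{
    uint32_t n;
    if (len < 84) return 0;
    n = (uint32_t)buf[80] | ((uint32_t)buf[81] << 8) | ((uint32_t)buf[82] << 16) | ((uint32_t)buf[83] << 24);
    return 84u + (uint64_t)n * 50u == (uint64_t)len;
}

/* Constructed samples: one-facet ASCII STL; 134-byte binary claiming 1 triangle; 84-byte binary claiming 0xFFFFFFFF. */
const char sample_stl[] =
    "solid flag_test\n facet normal 0 0 1\n  outer loop\n   vertex 0 0 0\n"
    "   vertex 1 0 0\n   vertex 0 1 0\n  endloop\n endfacet\nendsolid flag_test\n";
const unsigned char sample_bin[134] = { [80] = 1 };
const unsigned char bogus_bin[84] = { [80] = 0xff, 0xff, 0xff, 0xff };
int main(void)
{
    stl_info info;
    if (stl_parse_ascii(sample_stl, sizeof sample_stl - 1, &info) != 0) return 1;
    printf("solid \"%s\", %u facet(s); binary ok=%d, bogus ok=%d\n", info.name, info.facets,
           stl_binary_size_ok(sample_bin, sizeof sample_bin), stl_binary_size_ok(bogus_bin, sizeof bogus_bin));
    return 0;
}
```

Two design points carry the "careful with casts" lesson: every length is a size_t derived from positions that were already bounds-checked (the tokenizer never reads past buf + len, and the solid name is truncated to the destination rather than trusting the line length), and the binary size check widens the untrusted 32-bit count before multiplying so a huge count is rejected instead of wrapping to a small expected size.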

Exploit 1

(Slide images: exploit-1-1 through exploit-1-5)

Exploit 2

(Slide image: exploit-2-1)