title: STLDoctor
output: index.html
controls: false

--

<style>

.footnote {
	font-size: 16pt;
	position: absolute;
	color: gray;
	bottom: 0px;
	right: 0px;
}

.slide-content {
	position: relative;
}

.slide-content > ul >li {
	padding: 7px 0px;
}

.slide-content > p > img {
	width: 100%;
}

</style>

--

# STLDoctor 💉

--

### The Plan 💡

<!-- Familiar with C and wondered about non-standard
     buffer-/integer overflow C bugs -->
<!-- Plaintext file inspection service -->
<!-- Interesting and realisitic bugs -->
<!-- Written in C -->
<!-- Have to combine 'gadgets' for exploit, but
     as a logic bug, not RCE -->
- Plaintext service
- Interesting C bugs
- Exploit logic bugs, not RCE
- Learn about the STL format

<img style="width: 240px !important; transform: rotate(90deg); height: 240px; position:absolute; top:150px; right:70px;" src="https://upload.wikimedia.org/wikipedia/commons/9/9b/STL_sample_2.png">

--

### Setup 🔧

- C binary that communicates via `stdin` and `stdout`
- Networking abstracted through hosting with `socat`
- File system backend with periodic clean up

![socat](media/socat.gif)

--

### Functionality 🎮

<!-- file system backend separates user accounts and stl files location for non-guests -->
<!-- guest account files can be downloaded by knowing their modelname,
     premium account files can only be downloaded by authenticated users -->

- Users can upload and search for files
- Register to upload private files
- Uploaded files are analyzed and information is returned to the user

---

<!-- Sample interaction demonstrating how you would retrieve a file you uploaded -->

![FileSearch](media/search.gif)

--

### 1. Vuln 💉

- Flags are stored in the solidname of the STL
- Bug in upload info file parsing allows attacker to retrieve any public file

--

### 2. Vuln 💉

- Flags are stored in the solidname of a private file
- Buffer overflow in hash function allows enumeration of private user hashes
- Generate preimages of weak hash function to login as users

--

### Goals Met 🎉

<!-- dont need to be an expert at fancy exploitation to exploit,
     just basic knowledge of C and testing code snippets to see
     if they do what you expect them to in different cases -->

⭐ Plaintext file inspection service <br>
⭐ Interesting and realisitic bugs <br>
⭐ Combine different gadgets for exploit <br>
⭐ Don't need to be an expert at fancy ROP <br>
⭐ No SLA lost in TestCTF <br>
⭐ Written in C

--

### Issues 📉

<!-- Currently, the exploits dont require you to understand the
	STL file format, however, to make sure that the service
	is working correctly, you need to inspect the code -->

<!-- Still considering encoding of flags as STL, but want to
	avoid -->

💥 Exploits not directly related to STL format <br>
💥 (Eno)checker has memory leaks

--

### Lesssons Learned 

<!-- from the feedback I gathered, that not a lot of people write C code
     often, but this also means it is a great opportunity for learning
     something new. -->

- Many exploits are not suited for A/D ctfs
- How to write a FSM format parser
- Be careful with casts in C
- People just *love* C services 🤡

--

--

--

# Exploit 1

--

![exploit-1-1](media/exploit-1-1.png)

--

![exploit-1-2](media/exploit-1-2.png)

--

![exploit-1-3](media/exploit-1-3.png)

--

![exploit-1-4](media/exploit-1-4.png)

--

![exploit-1-5](media/exploit-1-5.png)

--

# Exploit 2

--

![exploit-2-1](media/exploit-2-1.png)



<script>
	// var slide_headers = document.querySelectorAll(".slide-content > h3");
	// for (var i = 0; i < slide_headers.length; i++) {
	// 	var img = document.createElement('img')
	// 	img.src = "logo.png";
	// 	img.style = "height: 2.4ex; padding-right: 10px; float:right";
	// 	slide_headers[i].append(img);
	// }
</script>