path: root/README
blob: 109dd641b165fcc0fb1341bb0cd02bcd64ee062e
enowars-5 printdoc
==================

An STL file info service.


setup
-----

The service is hosted with ynetd or similar, one process per client.

You submit an STL file and the service gives you details about it:

- how many triangles
- file type (bin/ascii)
- name
- attributes (binary header parsing)

The file upload size has to be below a certain limit (4 kB?).

The files are simply stored in a directory and cleaned up
via a crontab which checks their *last modified* date.

The model name is used to create a hash / id, which also
acts as the directory name for the actual STL file and the parsed info.

Error message if there are too many vertices in one loop (see vulnerability).

Error message if the format is invalid.


countermeasures
---------------

Countermeasures against malicious players who gain remote
code execution via an unintended vulnerability:


checker
-------

The flag is saved as a 3D model of the flag text. For automated
exploitation one needs to orient it, take a screenshot and decode
the text from the image.


vulnerability
-------------

If there are > 3 vertices in a `loop` in the STL, a warning
message is returned by preparing and `printf`ing a buffer,
however WITHOUT a terminating null byte. As such, when
processing the string, we read into the stack-adjacent integer
that holds the file's attribute byte count. This value
is zero by default, so the buffer overflow goes unnoticed.

We can set this value to 0x6e25 (= 28197), which corresponds
to the string '%n' on a little endian system.

When the warning prints, it writes the size of the
format string (which can be controlled via the model name)
to the address of the next value on the stack: the hash string.
By varying this value to write 256 (0x100) we terminate
the string with a null byte, making it empty.

Next, the program returns the info of all scans that match
the hash prefix (files are saved in a directory `<hash>-<timestamp>`).
Since the hash is now empty, the information for each scan is
returned, including the id, which can be used to request the flag file.
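Added example, not the service's own code: a constructed C stand-in for the warning path that shows the unterminated-buffer shape beside a bounded, fixed-format version, plus a byte-level check of how far a string read would spill into the adjacent attribute byte count. The frame layout, buffer size, function names and sample model names are assumptions; the 0x6e25 case assumes a little-endian host as the text does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame layout (constructed): the warning buffer sits directly below
 * the 32-bit attribute byte count parsed from the binary STL header. */
#define WARN_LEN 16
struct frame { char warn[WARN_LEN]; uint32_t attr_bytes; };

/* Vulnerable shape: a terminator is present only by luck (name shorter than
 * WARN_LEN); a name that fills the buffer leaves none. */
void prepare_warning_unterminated(struct frame *f, const char *name, uint32_t attr)
{
    size_t len = strlen(name);
    if (len > WARN_LEN) len = WARN_LEN;
    memset(f->warn, 0, WARN_LEN);
    memcpy(f->warn, name, len);
    f->attr_bytes = attr;      /* 0 by default, so the missing NUL stays silent */
}

/* Counts the bytes a string reader such as printf(f->warn) would consume past
 * the buffer before the first zero byte inside attr_bytes, copying them to
 * 'spill'. The frame is inspected via a byte copy so the check is well-defined. */
size_t overread(const struct frame *f, char *spill, size_t cap)
{
    unsigned char raw[sizeof *f];
    size_t i = WARN_LEN, n = 0;
    memcpy(raw, f, sizeof raw);
    while (i < sizeof raw && raw[i] != 0 && n + 1 < cap)
        spill[n++] = (char)raw[i++];
    spill[n] = '\0';
    return n;
}

/* Hardened shape: bounded formatting always writes a terminator, and the caller
 * prints with a fixed format so the bytes are data, never directives. */
int prepare_warning_safe(char *dst, size_t dstsz, const char *name)
{
    return snprintf(dst, dstsz, "warning: loop has more than 3 vertices (model %s)", name);
}

int main(void)
{
    struct frame f; char spill[8], msg[64];
    prepare_warning_unterminated(&f, "LONGMODELNAME0123", 0);
    printf("attr_bytes=0: %zu byte(s) spill\n", overread(&f, spill, sizeof spill));
    prepare_warning_safe(msg, sizeof msg, "%n%n");
    fputs(msg, stdout); fputc('\n', stdout);   /* never printf(msg) */
    return 0;
}
```

With the attribute count left at zero the spill is empty, which is why the missing terminator is invisible in normal use; the hardened builder keeps any directive-looking bytes of the model name as plain text.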