title: STLDoctor
output: index.html
controls: false

--

<style>

.footnote {
	font-size: 16pt;
	position: absolute;
	color: gray;
	bottom: 0px;
	right: 0px;
}

.slide-content {
	position: relative;
}

.slide-content > ul >li {
	padding: 7px 0px;
}

.slide-content > p > img {
	width: 100%;
}

</style>

--

# STLDoctor 💉

--

### The Plan 💡

<!-- Familiar with C and wondered about non-standard
     buffer-/integer overflow C bugs -->
<!-- Plaintext file inspection service -->
<!-- Interesting and realistic bugs -->
<!-- Written in C -->
<!-- Have to combine 'gadgets' for exploit, but
     as a logic bug, not RCE -->
- Plaintext service
- Interesting C bugs
- Exploit logic bugs, not RCE
- Learn about the STL format

<img style="width: 240px !important; transform: rotate(90deg); height: 240px; position:absolute; top:150px; right:70px;" src="https://upload.wikimedia.org/wikipedia/commons/9/9b/STL_sample_2.png">

--

### Setup 🔧

- C binary that communicates via `stdin` and `stdout`
- Networking abstracted through hosting with `socat`
- File system backend with periodic clean up

![socat](media/socat.gif)

--

### Functionality 🎮

<!-- file system backend separates user accounts and stl files location for non-guests -->
<!-- guest account files can be downloaded by knowing their modelname,
     premium account files can only be downloaded by authenticated users -->

- Users can upload and search for files
- Register to upload private files
- Uploaded files are analyzed and information is returned to the user

---

<!-- Sample interaction demonstrating how you would retrieve a file you uploaded -->

![FileSearch](media/search.gif)

--

### 1. Vuln 💉

- Flags are stored in the solidname of the STL
- Bug in upload info file parsing allows attacker to retrieve any public file

--

### 2. Vuln 💉

- Flags are stored in the solidname of a private file
- Buffer overflow in hash function allows enumeration of private user hashes
- Generate preimages of weak hash function to login as users

--

### Goals Met 🎉

<!-- don't need to be an expert at fancy exploitation to exploit,
     just basic knowledge of C and testing code snippets to see
     if they do what you expect them to in different cases -->

⭐ Plaintext file inspection service <br>
⭐ Interesting and realistic bugs <br>
⭐ Combine different gadgets for exploit <br>
⭐ Don't need to be an expert at fancy ROP <br>
⭐ No SLA lost in TestCTF <br>
⭐ Written in C

--

### Issues 📉

<!-- Currently, the exploits dont require you to understand the
	STL file format, however, to make sure that the service
	is working correctly, you need to inspect the code -->

<!-- Still considering encoding of flags as STL, but want to
	avoid -->

💥 Exploits not directly related to STL format <br>
💥 (Eno)checker has memory leaks

--

### Lessons Learned

<!-- From the feedback I gathered, not a lot of people write C code
     often, but this also means it is a great opportunity for learning
     something new. -->

- Many exploits are not suited for A/D CTFs
- How to write a FSM format parser
- Be careful with casts in C
- People just *love* C services 🤡
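Not part of the original slides: an added example of the kind of bounded FSM parser the last two lessons point at, written for the first line of an ASCII STL file (`solid <name>`), the field the slides say carries the flag. It is an independent illustration, not STLDoctor's own parser; `parse_solid_name` and the state names are invented.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* States of a small FSM over the ASCII STL header line "solid <name>\n".
 * Only the header is handled here; facet lines are out of scope. */
enum state { S_KEYWORD, S_GAP, S_NAME, S_DONE };

/* Copy the solid name from buf into out (NUL-terminated, trailing blanks
 * trimmed). Returns the name length, or -1 if the header is malformed or
 * the name does not fit. Lengths are size_t throughout: mixing a signed
 * length with an unsigned index is exactly the cast that goes wrong. */
int parse_solid_name(const char *buf, size_t len, char *out, size_t outlen)
{
    static const char kw[] = "solid";
    size_t i = 0, n = 0;
    enum state st = S_KEYWORD;

    if (outlen == 0 || outlen > (size_t)INT_MAX) /* keep the int return honest */
        return -1;

    while (i < len && st != S_DONE) {
        unsigned char c = (unsigned char)buf[i]; /* ctype needs unsigned char */
        switch (st) {
        case S_KEYWORD:                           /* match "solid" byte by byte */
            if (c != (unsigned char)kw[i]) return -1;
            if (++i == sizeof kw - 1) st = S_GAP;
            break;
        case S_GAP:                               /* whitespace before the name */
            if (c == '\n') { st = S_DONE; break; }  /* empty name is allowed */
            if (!isspace(c)) {
                if (i == sizeof kw - 1) return -1;  /* "solidfoo": no separator */
                st = S_NAME;                        /* do not consume */
                break;
            }
            i++;
            break;
        case S_NAME:                              /* bounded copy, no overflow */
            if (c == '\n' || c == '\r') { st = S_DONE; break; }
            if (n + 1 >= outlen || !isprint(c)) return -1;
            out[n++] = (char)c;
            i++;
            break;
        case S_DONE:
            break;
        }
    }
    if (st != S_DONE) return -1;                  /* header never terminated */
    while (n > 0 && isspace((unsigned char)out[n - 1])) n--;
    out[n] = '\0';
    return (int)n;
}
```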

--

--

--

# Exploit 1

--

![exploit-1-1](media/exploit-1-1.png)

--

![exploit-1-2](media/exploit-1-2.png)

--

![exploit-1-3](media/exploit-1-3.png)

--

![exploit-1-4](media/exploit-1-4.png)

--

![exploit-1-5](media/exploit-1-5.png)

--

# Exploit 2

--

![exploit-2-1](media/exploit-2-1.png)



<script>
	// var slide_headers = document.querySelectorAll(".slide-content > h3");
	// for (var i = 0; i < slide_headers.length; i++) {
	// 	var img = document.createElement('img')
	// 	img.src = "logo.png";
	// 	img.style = "height: 2.4ex; padding-right: 10px; float:right";
	// 	slide_headers[i].append(img);
	// }
</script>