• 33C3 CTF 2016: pdfmaker write-up

    pdfmaker (misc 75)

    Just a tiny application, that lets the user write some files and compile them with pdflatex. What can possibly go wrong?

    nc 78.46.224.91 24242

    If you can’t download the application, please use this link.

    What is the goal?

    There are some interesting parts in pdfmaker_public.py. initConnection copies the flag file into self.directory under the name:

    "33C3" + "%X" % randint(0, 2**31) + "%X" % randint(0, 2**31)
    

    Since the flag is in a file named 33C3XXXXXXXXXXXXXXXX, we need to list the filenames in that directory. Note that the create method can create log, tex, sty, mp, and bib files.

    Behavior of \write18

    @daehee found this helpful link: “Pwning coworkers thanks to LaTeX”. According to the post, \write18 normally only executes programs listed in shell_escape_commands:

    shell_escape_commands = \
    bibtex,bibtex8,\
    extractbb,\
    kpsewhich,\
    makeindex,\
    mpost,\
    repstopdf,\
    

    Note that mpost is in the list, and we can create an mp file! As the linked post notes, mpost takes a -tex option for text labels, so we can execute an arbitrary program.
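From the defender's side, the write-up's observation points at two checks a service like pdfmaker could run before handing user files to pdflatex: scanning the sources for the primitives that reach a shell when shell escape is on (\write18 and the pipe forms of \input and \openin), and auditing the shell_escape_commands list for programs that can themselves launch other programs (mpost, as noted above). The following is an added example written for this page, not code from the write-up or from the challenge; the pattern table and the deny list are its own assumptions, and it is only a triage layer, since catcode tricks can hide a primitive from a regex. The real control is compiling with pdflatex -no-shell-escape (or shell_escape = f in texmf.cnf); this check just rejects the obvious cases early.

```ruby
# Added example (not from the write-up or the pdfmaker challenge):
# a pre-check for files submitted to a pdflatex service.

# TeX primitives that reach a shell once shell escape is enabled.
# Assumed pattern table; extend it for your own installation.
SHELL_ESCAPE_PATTERNS = {
  'write18'     => /\\(?:immediate\s*)?write\s*18\b/,
  'pipe-input'  => /\\input\s*\{?\s*"?\|/,
  'pipe-openin' => /\\openin[^\n|%]{0,40}\|/
}.freeze

# Entries of shell_escape_commands that can run other programs themselves.
# Only mpost comes from the write-up (its -tex option); treat the list as
# an assumption to extend.
SHELL_CAPABLE_COMMANDS = %w[mpost].freeze

# Drop TeX comments (an unescaped % to end of line) so commented-out text
# does not produce a finding.
def strip_tex_comments(src)
  src.gsub(/(?<!\\)%.*$/, '')
end

# Returns [[pattern_name, line_number], ...] for every hit in the source.
def scan_tex_source(src)
  findings = []
  strip_tex_comments(src).each_line.with_index(1) do |line, no|
    SHELL_ESCAPE_PATTERNS.each do |name, re|
      findings << [name, no] if line.match?(re)
    end
  end
  findings
end

# Parse a texmf.cnf-style value in the layout quoted above:
# backslash-newline continues the value, entries are comma separated.
def parse_shell_escape_commands(cnf_text)
  m = cnf_text.match(/shell_escape_commands\s*=\s*((?:\\\n|[^\n])*)/)
  return [] unless m
  m[1].gsub("\\\n", '').split(',').map(&:strip).reject(&:empty?)
end

def risky_shell_escape_commands(cnf_text)
  parse_shell_escape_commands(cnf_text) & SHELL_CAPABLE_COMMANDS
end

# Constructed sample inputs (not taken from the challenge).
SAMPLE_TEX = <<~'TEX'
  \documentclass{article}
  % \write18{echo commented out, so harmless}
  \begin{document}
  \immediate\write18{mpost labels.mp}
  \input{|"date"}
  Hello.
  \end{document}
TEX

SAMPLE_CNF = <<~CNF
  shell_escape = p
  shell_escape_commands = \\
  bibtex,bibtex8,\\
  extractbb,\\
  kpsewhich,\\
  makeindex,\\
  mpost,\\
  repstopdf,\\

CNF

if __FILE__ == $0
  scan_tex_source(SAMPLE_TEX).each { |name, no| puts "line #{no}: #{name}" }
  puts "risky shell_escape_commands: #{risky_shell_escape_commands(SAMPLE_CNF).join(', ')}"
end
```

Running the sample reports the \write18 on line 4 and the piped \input on line 5 (the commented-out \write18 on line 2 is ignored), and flags mpost from the quoted shell_escape_commands value.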

    Read on →

  • HITCON CTF 2016: ROP write-up

    ROP (Reverse 250)

    Description

    Who doesn’t like ROP?
    Let’s try some new features introduced in 2.3.

    rop.iseq

    Hint

    None

    If the above link doesn’t work, please use this link.

    New features?

    Well, see the Ruby 2.3.0 news.

    RubyVM::InstructionSequence#to_binary and .load_from_binary are introduced as experimental features. With these features, we can make an ISeq (bytecode) pre-compilation system.

    Yes, so this is about using RubyVM::InstructionSequence.load_from_binary. Let’s just start with:

    RubyVM::InstructionSequence.load_from_binary(File.read('rop.iseq'))
    

    But you may hit this error:

    RuntimeError: unmatched platform
            from (irb):1:in `load_from_binary'
            from (irb):1
            from /usr/bin/irb:11:in `<main>'
    

    Running strings rop.iseq reveals x86_64-linux, so we need Ruby 2.3 on the x86_64 Linux platform. You can see your platform with ruby --version. This is mine:

    ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-linux]
    

    Read on →

  • How to reset window size of Slack on Windows

    Slack application

    Slack, as you may know, rocks, and I’m involved in several teams. Their site is great, but more teams mean more tabs in my browser. I decided to use their Windows app, which provides handy shortcuts for switching between teams.

    Today I remotely connected to my Windows desktop from my notebook. But then I realized the Slack window had shrunk. Maybe the reason is my notebook’s screen size, but I don’t know. Its content area became too small to read, so I wanted its window size back.

    Actually, the default window size suited me, so I just wanted to reset its customized window size. I found how, so here I am to share it with you.

    Resetting Slack’s window size

    First of all, note that this is not a permanent solution, since it’s not part of the Slack API or anything they guarantee. My Windows machine is 64-bit and the version of Slack is 2.2.1.

    Slack 2.2.1

    So here is a way to reset the window size of Slack.

    1. Quit your Slack application.
    2. Navigate to %APPDATA%\Slack. The value of %APPDATA% is something like C:\Users\{username}\AppData\Roaming.
    3. Open redux-state.json to edit.
    4. Find windowSettings under state’s app. Its value would be like:

      \"windowSettings\":{\"size\":[1152,832],\"position\":[384,104],\"isMaximized\":false}
      
    5. Delete the whole windowSettings entry above. If you delete only part of the windowSettings value, the application may crash.
    6. Open Slack again. It will set the default window size automatically.
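Because a partial edit of the entry can crash the app, it is safer to remove it with a JSON-aware tool than by hand. The following is an added example, not from the post or from Slack: the escaped quotes in the snippet above suggest the app state is stored as a JSON string nested inside the JSON document, so the walker below handles both a nested hash and a nested JSON-encoded string and deletes the whole windowSettings entry wherever it occurs, after backing the file up. The sample document is constructed to that shape; the real path is %APPDATA%\Slack\redux-state.json as the steps describe.

```ruby
require 'json'
require 'fileutils'
require 'tmpdir'

# Added example (not from the post or from Slack): remove the whole
# "windowSettings" entry from redux-state.json without hand-editing it.

# Walk the parsed document. Hashes lose the key directly; strings that
# themselves contain JSON (the nested-string layout suggested by the
# escaped quotes in the post) are parsed, cleaned, and re-serialized.
def strip_window_settings(node)
  case node
  when Hash
    node.delete('windowSettings')
    node.keys.each { |k| node[k] = strip_window_settings(node[k]) }
    node
  when Array
    node.map { |v| strip_window_settings(v) }
  when String
    return node unless node.include?('windowSettings')
    begin
      inner = JSON.parse(node)
    rescue JSON::ParserError
      return node            # ordinary text, leave it alone
    end
    JSON.generate(strip_window_settings(inner))
  else
    node
  end
end

def window_settings_present?(json_text)
  json_text.include?('windowSettings')
end

# Back the file up, then rewrite it with the entry removed.
def reset_window_settings(path)
  doc = JSON.parse(File.read(path))
  FileUtils.cp(path, "#{path}.bak")
  File.write(path, JSON.generate(strip_window_settings(doc)))
end

# Constructed sample in the shape suggested by the post (not a real file).
SAMPLE = JSON.generate(
  'state' => {
    'app' => JSON.generate(
      'windowSettings' => { 'size' => [1152, 832], 'position' => [384, 104], 'isMaximized' => false },
      'theme' => 'dark'
    )
  }
)

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'redux-state.json')
    File.write(path, SAMPLE)
    reset_window_settings(path)
    puts File.read(path)
  end
end
```

The other keys in the same slice (theme in the sample) survive untouched, which is the point: only the complete windowSettings entry goes, so Slack recreates it with its defaults on the next start.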

    Keep calm and use Slack!

  • Unicode Adopt-a-Character

    Now you can adopt a character!

    1. Select your character
    2. Make your donation

    Then you’re done. After the donation, your character along with your name will be listed in Sponsors of Adopted Characters. You support the Unicode Consortium with a donation while expressing your interest in the adopted character, as チルノ adopted ⑨.

    I chose ‘유’ (U+C720, HANGUL SYLLABLE YU), which is my family name written in Korean. This is one of the first adoptions of a hangul character.

  • Installing Ruby 1.8.7 on OS X El Capitan

    A bug in Ruby 1.8.7

    There is a bug in Ruby 1.8.7’s exponentiation. See “Exponentiation in Ruby 1.8.7 Returns Wrong Answers”.

    >> 2 ** 62
    => 4611686018427387904
    >> 2 ** 63
    => -9223372036854775808
    >> 2 ** 64
    => 0
    

    Note that the following gives the correct result:

    >> 2 ** 62 * 2
    => 9223372036854775808
    

    Supporting an ancient Ruby

    Seeing this bug, I wanted to reproduce it myself, so I tried to install Ruby 1.8.7 on OS X 10.11.4. As I’m using chruby, I used ruby-install.

    ruby-install ruby 1.8.7
    

    But it fails with several errors:

    ...
    gcc -I. -I../.. -I../../. -I../.././ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -I/usr/local/opt/openssl/include -I/usr/local/opt/readline/include -I/usr/local/opt/libyaml/include -I/usr/local/opt/gdbm/include  -D_XOPEN_SOURCE -D_DARWIN_C_SOURCE   -fno-common -g -O2 -pipe -fno-common   -c ossl.c
    ossl.c:118:1: error: unknown type name 'STACK'; did you mean '_STACK'?
    OSSL_IMPL_SK2ARY(x509, X509)
    ^
    ossl.c:95:22: note: expanded from macro 'OSSL_IMPL_SK2ARY'
    ossl_##name##_sk2ary(STACK *sk)                 \
                         ^
    /usr/local/opt/openssl/include/openssl/stack.h:72:3: note: '_STACK' declared here
    } _STACK;                       /* Use STACK_OF(...) instead */
      ^
    ...
    4 errors generated.
    make[1]: *** [ossl.o] Error 1
    make: *** [all] Error 1
    !!! Compiling ruby 1.8.7 failed!
    

    This is because the version of OpenSSL used for compilation is too new for Ruby 1.8.7; see rbenv/ruby-build#445. After some searching about OpenSSL and Ruby 1.8.7, I found that RVM uses openssl098 for Ruby 1.8.7 compilation. Unfortunately, it was removed from the homebrew/versions tap because of deprecation and security issues. See Homebrew/homebrew-versions#1150 for the issue and the commit removing openssl098.

    Building Ruby 1.8.7

    As I just wanted to reproduce a bug, I used the openssl098.rb from right before the removal.

    brew install https://github.com/Homebrew/homebrew-versions/raw/586b7e9012a3ed1f9df6c43d0483c65549349289/openssl098.rb
    

    Then we can pass the --with-openssl-dir option through ruby-install to the build:

    ruby-install ruby 1.8.7 -- --with-openssl-dir=/usr/local/opt/openssl098
    

    It’ll succeed, and you can use Ruby 1.8.7 on OS X El Capitan.

    $ ruby --version
    ruby 1.8.7 (2008-05-31 patchlevel 0) [i686-darwin15.4.0]
    

    Finally I was able to reproduce the bug.

    >> 2 ** 62
    => 4611686018427387904
    >> 2 ** 63
    => -9223372036854775808
    >> 2 ** 64
    => 0
    

    Also, for Ruby 1.8.7-p374 you don’t need openssl098, but you may need X11. If you don’t need Tk, try the following instead:

    ruby-install ruby 1.8.7-p374 -- --without-tk
    

    This version of Ruby 1.8.7 still has the same bug.