33C3 CTF 2016: pdfmaker write-up
pdfmaker (misc 75)
Just a tiny application, that lets the user write some files and compile them with pdflatex. What can possibly go wrong?
nc 78.46.224.91 24242
If you can’t download the application, please use this link.
What is the goal?
There are some interesting parts in `pdfmaker_public.py`. `initConnection` copies the `flag` file into `self.directory` under the name

`"33C3" + "%X" % randint(0, 2**31) + "%X" % randint(0, 2**31)`

Since the flag would be in the `33C3XXXXXXXXXXXXXXXX` file, we need a way to list the filenames in that directory. Note that the `create` method can create log, tex, sty, mp and bib files.

Behavior of `\write18`

@daehee found this helpful link: “Pwning coworkers thanks to LaTeX”. According to the post, `\write18` normally (restricted shell escape) executes only the programs listed in `shell_escape_commands`:

```
shell_escape_commands = \
bibtex,bibtex8,\
extractbb,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf,\
```
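To see what that list permits in practice, here is an added example (not code from the write-up or from the pdfmaker challenge): a Ruby parser for the texmf.cnf syntax above and an audit that flags allow-listed programs which can be told to run another program, which is how `mpost` gets abused below. The configuration text is a constructed sample built from the quoted list, and the set of flagged programs is this example's own, not TeX Live's.

```ruby
# Added example (not code from the write-up or the pdfmaker challenge):
# parse the texmf.cnf syntax shown above and flag allow-listed programs
# that can be made to launch a program of the document's choosing.

# Constructed sample in texmf.cnf syntax; the allow list is the one quoted
# above. '%' begins a comment and a trailing backslash continues the line.
TEXMF_CNF_SAMPLE = <<~'CNF'
  % p = restricted shell escape: only shell_escape_commands may run
  shell_escape = p
  shell_escape_commands = \
  bibtex,bibtex8,\
  extractbb,\
  kpsewhich,\
  makeindex,\
  mpost,\
  repstopdf,\

CNF

# Parse assignments into a Hash; continued lines are joined before the
# split on '=', so a multi-line list becomes one value.
def parse_texmf_cnf(text)
  vars = {}
  pending = +""
  commit = lambda do |logical|
    name, value = logical.split("=", 2)
    vars[name.strip] = value.strip if value
  end
  text.each_line do |raw|
    line = raw.sub(/%.*/, "").rstrip
    if line.end_with?("\\")
      pending << line.chomp("\\")
      next
    end
    commit.call(pending + line)
    pending = +""
  end
  commit.call(pending) unless pending.empty?
  vars
end

# The allow list as an Array, minus the empty entry the trailing comma leaves.
def shell_escape_commands(cfg)
  cfg.fetch("shell_escape_commands", "").split(",").map(&:strip).reject(&:empty?)
end

# Allow-listed programs that accept another program to run on their command
# line. This is the example's own list, not TeX Live's; mpost's -tex option
# is the case the write-up uses.
PASSTHROUGH = {
  "mpost" => "-tex=CMD runs CMD as the TeX program for btex...etex labels"
}.freeze

# [command, reason] for each risky setting: unrestricted shell escape, or
# an allow-listed command that launches something else.
def audit_shell_escape(cfg)
  findings = []
  findings << ["*", "shell_escape = t: \\write18 may run anything"] if cfg["shell_escape"] == "t"
  shell_escape_commands(cfg).each do |cmd|
    findings << [cmd, PASSTHROUGH[cmd]] if PASSTHROUGH.key?(cmd)
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  audit_shell_escape(parse_texmf_cnf(TEXMF_CNF_SAMPLE)).each { |cmd, why| puts "#{cmd}: #{why}" }
end
```

For a real installation, feed it the files that `kpsewhich -all texmf.cnf` lists; the effective value after all overrides is what `kpsewhich -var-value=shell_escape_commands` prints.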
Note that `mpost` is in there, and we can create an mp file! As the post describes, `mpost` takes a `-tex` option that names the program used to typeset text labels, so we can execute an arbitrary program.

HITCON CTF 2016: ROP write-up
ROP (Reverse 250)
Description
Who doesn’t like ROP?
Let’s try some new features introduced in 2.3.

Hint
None
If the above link doesn’t work, please use this link.
New features?
Well, see the Ruby 2.3.0 news.
RubyVM::InstructionSequence#to_binary and .load_from_binary are introduced as experimental features. With these features, we can make an ISeq (bytecode) pre-compilation system.

Yes, so this is about using `RubyVM::InstructionSequence.load_from_binary`. Let’s just start with:

```ruby
RubyVM::InstructionSequence.load_from_binary(File.read('rop.iseq'))
```

But you can face this kind of error:

```
RuntimeError: unmatched platform
	from (irb):1:in `load_from_binary'
	from (irb):1
	from /usr/bin/irb:11:in `<main>'
```

By checking `strings rop.iseq`, we can find `x86_64-linux`. So we need Ruby 2.3 on the Linux x86_64 platform. You can see the platform with `ruby --version`. This is the version of mine:

```
ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-linux]
```
How to reset window size of Slack on Windows
Slack application
Slack, you may know. It rocks, and I’m also involved in several teams. Their site is great, but more teams, more tabs in my browser. I decided to use their Windows app which provides handy shortcuts for switching between teams.
Today I just remotely connected to my Windows desktop from my notebook. But then I realized the Slack window had shrunk. Maybe the reason is my notebook’s screen size, but I don’t know. Its content area became too small to read, so I wanted its window size back.
Actually the default window size was to my taste, so I wanted to just reset its customized window size. I found a way, so here I am to share it with you.
Resetting Slack’s window size
Slack 2.2.1
First of all, note that this is not a permanent solution, since it is not part of the Slack API or anything guaranteed by them. My Windows machine is 64-bit and the version of Slack is 2.2.1.
So here is a way to reset the window size of Slack.
- Quit your Slack application.
- Navigate to `%APPDATA%\Slack`. The value of `%APPDATA%` is something like `C:\Users\{username}\AppData\Roaming`.
- Open `redux-state.json` to edit. Find `windowSettings` under `state`’s `app`. Its value would be like:

  `\"windowSettings\":{\"size\":[1152,832],\"position\":[384,104],\"isMaximized\":false}`

- Delete the whole `windowSettings` entry above. If you delete only a part of the value of `windowSettings`, the application may crash.
- Open Slack again. It will set the default window size automatically.
Slack 2.4.1, 3.3.3
With updates of Slack, settings related to the window were separated and moved to another location. Here is a way to reset the window size:
- Quit your Slack application.
- Navigate to `%APPDATA%\Slack\storage`. The value of `%APPDATA%` is something like `C:\Users\{username}\AppData\Roaming`.
- Open `slack-windowFrame` to edit.
- Delete the whole content, but do not delete the file itself.
- Open Slack again. It will set the default window size automatically.
Slack 4.13.0
With updates of Slack, settings including the window-related ones were merged and moved to another location. Here is a way to reset the window size:
- Quit your Slack application.
- Navigate to `%APPDATA%\Slack\storage`. The value of `%APPDATA%` is something like `C:\Users\{username}\AppData\Roaming`.
- Open `root-state.json` to edit. Find `mainWindowSettings` under `settings`. Its value would be like:

  `"mainWindowSettings":{"fullScreen":false,"maximized":false,"bounds":{"x":172,"y":52,"width":1024,"height":768}}`

- Delete the whole `mainWindowSettings` entry above.
- Open Slack again. It will set the default window size automatically.
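The three procedures above as one script, added here as an example and not something from the post or from Slack: it parses the state file with Ruby's JSON library and removes the whole entry, so the rest of the settings survive and nothing half-deleted can be left behind. The file names, paths and keys are those given above; that the 2.2.1 `app` node is itself a JSON document stored as a string is an assumption drawn from the escaped quotes the post shows, and the sample state is constructed.

```ruby
# Added example (not from the post or from Slack): do the post's edits with a
# JSON parser so that only the named entry is removed and everything else in
# the state file survives. Paths and keys are the ones the post gives.
require "json"
require "fileutils"

# Constructed sample of the 4.13.0 root-state.json layout, built from the
# value quoted in the post; "otherSetting" stands in for the rest of the file.
SAMPLE_ROOT_STATE = JSON.generate(
  "settings" => {
    "mainWindowSettings" => {
      "fullScreen" => false, "maximized" => false,
      "bounds" => { "x" => 172, "y" => 52, "width" => 1024, "height" => 768 }
    },
    "otherSetting" => true
  }
)

# Remove `key` from the object reached by following `path` from the root.
# The whole entry goes, never part of its value: a half-deleted value is
# invalid JSON, which is the crash the post warns about. Assumption taken
# from the escaped quotes shown for 2.2.1: a node on the path may itself be
# a JSON document stored as a string, so such nodes are decoded on the way
# down and re-encoded on the way back up.
def delete_setting(json_text, path, key)
  root = JSON.parse(json_text)
  node = root
  trail = [] # [container, step, was_string]
  path.each do |step|
    child = node[step]
    raise KeyError, "no #{step.inspect} on path #{path.inspect}" if child.nil?
    nested = child.is_a?(String)
    child = JSON.parse(child) if nested
    trail << [node, step, nested]
    node = child
  end
  node.delete(key)
  trail.reverse_each do |container, step, nested|
    container[step] = nested ? JSON.generate(node) : node
    node = container
  end
  JSON.generate(node)
end

# Where each Slack version keeps the geometry, relative to %APPDATA%\Slack.
RESETS = {
  "2.2.1"  => { file: "redux-state.json",        path: %w[state app], key: "windowSettings" },
  "4.13.0" => { file: "storage/root-state.json", path: %w[settings],  key: "mainWindowSettings" }
}.freeze

# Back the file up, then rewrite it without the window entry. Quit Slack first.
def reset_window_settings(appdata, version)
  spec = RESETS.fetch(version)
  file = File.join(appdata, "Slack", spec[:file])
  FileUtils.cp(file, "#{file}.bak")
  File.write(file, delete_setting(File.read(file), spec[:path], spec[:key]))
end

# 2.4.1 and 3.3.3 keep the geometry in storage/slack-windowFrame: empty the
# file but keep it in place, as the post says.
def reset_window_frame(appdata)
  file = File.join(appdata, "Slack", "storage", "slack-windowFrame")
  FileUtils.cp(file, "#{file}.bak")
  File.write(file, "")
end

if $PROGRAM_NAME == __FILE__
  puts delete_setting(SAMPLE_ROOT_STATE, %w[settings], "mainWindowSettings")
  # On Windows: reset_window_settings(ENV.fetch("APPDATA"), "4.13.0")
end
```

Quit Slack before running it; it writes a `.bak` copy of each file it touches, which is the undo if a newer Slack has moved things again.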
Keep calm and use Slack!
Unicode Adopt-a-Character
Now you can adopt a character!
- Select your character
- Make your donation
Then you’re done. After the donation, your character along with your name will be listed in Sponsors of Adopted Characters. You support the Unicode Consortium by donation while expressing your interest in the adopted character, as チルノ adopted ⑨.
I chose ‘유’ (U+C720, HANGUL SYLLABLE YU), which is my family name written in Korean. This is one of the first adoptions of a hangul character.
Chayoung You (유차영) is now a Bronze sponsor of HANGUL SYLLABLE YU! #UnicodeSponsor https://t.co/puZ4jUucBk pic.twitter.com/10gKB3lRwH
— Unicode Consortium (@unicode) April 25, 2016

Installing Ruby 1.8.7 on OS X El Capitan
A bug in Ruby 1.8.7
There is a bug in Ruby 1.8.7’s exponentiation. See “Exponentiation in Ruby 1.8.7 Returns Wrong Answers”.
```
>> 2 ** 62
=> 4611686018427387904
>> 2 ** 63
=> -9223372036854775808
>> 2 ** 64
=> 0
```

Note that the following gives the correct result:

```
>> 2 ** 62 * 2
=> 9223372036854775808
```
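As an added example, not the interpreter's source or its fix, the Ruby below models the failure: `wrapping_pow` reproduces the three outputs above by truncating every intermediate product to a signed 64-bit C long, while Ruby's own `**` promotes to Bignum. That the intermediate is truncated this way is an assumption about the mechanism that fits the quoted results, not a reading of numeric.c.

```ruby
# Added example: a model of the 1.8.7 exponentiation bug, not the
# interpreter's own code. The quoted outputs are what you get when every
# intermediate product is truncated to a signed 64-bit C long (assumption
# about the mechanism; it is consistent with 2**63 -> -2**63 and 2**64 -> 0).

INT64_MIN = -(2**63)
INT64_MAX = 2**63 - 1

# Reduce n into two's-complement signed 64-bit range, as storing into a
# C long on x86_64 would.
def wrap_int64(n)
  ((n + 2**63) % 2**64) - 2**63
end

# Exponentiation with the intermediate wrapped after every multiplication.
# Wrapping at each step is the same as computing modulo 2**64, so the
# algorithm (square-and-multiply here) does not change the result.
def wrapping_pow(base, exp)
  raise ArgumentError, "exponent must be non-negative" if exp < 0
  result = 1
  while exp > 0
    result = wrap_int64(result * base) if exp.odd?
    base = wrap_int64(base * base)
    exp >>= 1
  end
  result
end

# The exact value, which Ruby gives by promoting to Bignum.
def exact_pow(base, exp)
  base**exp
end

# Whether a fixed-width implementation must promote to be correct here.
def overflows_int64?(base, exp)
  !(INT64_MIN..INT64_MAX).cover?(exact_pow(base, exp))
end

# Compare the two for the cases in the post; a mismatch is exactly the bug.
def pow_report(base, exp)
  exact = exact_pow(base, exp)
  wrapped = wrapping_pow(base, exp)
  { exact: exact, wrapped: wrapped, buggy: exact != wrapped }
end

if $PROGRAM_NAME == __FILE__
  [62, 63, 64].each { |e| puts "2 ** #{e}: #{pow_report(2, e)}" }
end
```

The mismatch `pow_report` flags is the same class of bug as any unchecked fixed-width arithmetic: the result is only correct if the check `overflows_int64?` performs happens before the value is stored in a machine word.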
Supporting an ancient Ruby
Seeing this bug, I wanted to reproduce this by myself, so I just tried to install Ruby 1.8.7 on OS X 10.11.4. As I’m using chruby, I used ruby-install.
```
ruby-install ruby 1.8.7
```

But there are several errors:

```
...
gcc -I. -I../.. -I../../. -I../.././ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -I/usr/local/opt/openssl/include -I/usr/local/opt/readline/include -I/usr/local/opt/libyaml/include -I/usr/local/opt/gdbm/include -D_XOPEN_SOURCE -D_DARWIN_C_SOURCE -fno-common -g -O2 -pipe -fno-common -c ossl.c
ossl.c:118:1: error: unknown type name 'STACK'; did you mean '_STACK'?
OSSL_IMPL_SK2ARY(x509, X509)
^
ossl.c:95:22: note: expanded from macro 'OSSL_IMPL_SK2ARY'
ossl_##name##_sk2ary(STACK *sk) \
                     ^
/usr/local/opt/openssl/include/openssl/stack.h:72:3: note: '_STACK' declared here
} _STACK; /* Use STACK_OF(...) instead */
  ^
...
4 errors generated.
make[1]: *** [ossl.o] Error 1
make: *** [all] Error 1
!!! Compiling ruby 1.8.7 failed!
```

This is because the version of OpenSSL used for compilation is too new for Ruby 1.8.7; see rbenv/ruby-build#445. After some searching about OpenSSL and Ruby 1.8.7, I found that RVM uses openssl098 for Ruby 1.8.7 compilation. But, unfortunately, it was removed from the homebrew/versions tap because of deprecation and security issues. See Homebrew/homebrew-versions#1150 for the issue and the commit removing openssl098.
Building Ruby 1.8.7
As I just wanted to reproduce a bug, I used the `openssl098.rb` from right before the removal:

```
brew install https://github.com/Homebrew/homebrew-versions/raw/586b7e9012a3ed1f9df6c43d0483c65549349289/openssl098.rb
```

Then we can pass the `--with-openssl-dir` option to ruby-install:

```
ruby-install ruby 1.8.7 -- --with-openssl-dir=/usr/local/opt/openssl098
```

It’ll be successful! You can use Ruby 1.8.7 on OS X El Capitan.

```
$ ruby --version
ruby 1.8.7 (2008-05-31 patchlevel 0) [i686-darwin15.4.0]
```
Finally I was able to reproduce the bug.
```
>> 2 ** 62
=> 4611686018427387904
>> 2 ** 63
=> -9223372036854775808
>> 2 ** 64
=> 0
```
Also, for Ruby 1.8.7-p374 you don’t need openssl098, but you may need X11. If you don’t need tk, try the following command:

```
ruby-install ruby 1.8.7-p374 -- --without-tk
```
This version of Ruby 1.8.7 still has the same bug.