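def verify_injection(team, config_file):
    """Clone a team's repository and verify every injected bug branch.

    For each bug branch, the exploit shipped for that branch must succeed
    against the branch and fail against ``master``; an exploit that also
    works on ``master`` (or does not work at all) is reported and the
    process terminates via ``sys.exit()``.

    Args:
        team: Team key under ``config['teams']``.
        config_file: Path handed to ``load_config``.
    """
    config = load_config(config_file)
    timeout = config["exploit_timeout"]["injection_phase"]
    repo_owner = config['repo_owner']
    repo_name = config['teams'][team]['repo_name']
    bug_branches = config['teams'][team]['bug_branches']
    clone(repo_owner, repo_name)
    # Copy the configured list: removing "master" below must not mutate the
    # list that lives inside the loaded config (the original aliased it).
    branches = list(bug_branches) if bug_branches else list_branches(repo_name)
    if "master" in branches:
        branches.remove("master")  # master branch is not a verification target
    for branch in branches:
        checkout(repo_name, branch)
        exploit_dir = get_exploit_dir(repo_name, branch, config, team)
        bug_branch_result, _ = verify_exploit(exploit_dir, repo_name, branch,
                                              timeout, config)
        # The exploit must be specific to the injected bug, so it also has to
        # FAIL against master.
        checkout(repo_name, "master")
        master_result, _ = verify_exploit(exploit_dir, repo_name, "master",
                                          timeout, config)
        rmdir(exploit_dir)
        # Truthiness (not "== True") matches how the rest of the file treats
        # the first element of verify_exploit's result.
        if bug_branch_result and not master_result:
            print('[*] Successfully verified branch "%s".' % branch)
        elif bug_branch_result:
            print('[*] Exploit for branch "%s" works, but it also works on '
                  'master branch, which indicates some error.' % branch)
            sys.exit()
        else:
            print('[*] Failed to verify exploit in branch "%s".' % branch)
            sys.exit()
    rmdir(repo_name)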
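def submit(exploit_dir, service_dir, branch, target, config_file, token=None):
    """Verify an exploit locally, encrypt it and file it as a GitHub issue.

    The exploit in ``exploit_dir`` is first run against ``branch`` of the
    service checked out in ``service_dir``. If it works it is encrypted
    with ``encrypt_exploit`` (signer taken from ``config["player"]``) and
    submitted as an issue titled ``exploit-<branch>`` on ``target``'s
    repository; the encrypted artifact is removed afterwards.

    Args:
        exploit_dir: Directory holding the exploit to submit.
        service_dir: Local checkout of the service under attack.
        branch: Branch the exploit is claimed to work against.
        target: Team key of the defending team.
        config_file: Path handed to ``load_config``.
        token: Optional GitHub token passed to ``Github``.

    Exits via ``sys.exit()`` when verification or encryption fails.
    """
    config = load_config(config_file)
    timeout = config["exploit_timeout"]["exercise_phase"]
    prompt_checkout_warning(service_dir)
    result, _ = verify_exploit(exploit_dir, service_dir, branch, timeout, config)
    if not result:
        print("[*] Your exploit did not work against any of the branch")
        sys.exit()
    verified_branch = branch
    print("[*] Your exploit has been verified against branch '%s'" % verified_branch)
    # Encrypt the exploit for the target before it leaves the machine.
    signer = config["player"]
    encrypted_exploit = encrypt_exploit(exploit_dir, target, config, signer)
    if encrypted_exploit is None:
        # Was a Python 2 print statement, a SyntaxError on Python 3 and
        # inconsistent with the print() calls used everywhere else.
        print("[*] Failed to encrypt exploit")
        sys.exit(0)
    # Submit an issue with the encrypted exploit.
    issue_title = "exploit-%s" % verified_branch
    github = Github(config["player"], token)
    submit_issue(issue_title, encrypted_exploit, target, config, github)
    # Clean up the encrypted artifact.
    rmfile(encrypted_exploit)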
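def verify_exploit_main(prog, options):
    """Entry point of the ``verify-exploit`` sub-command.

    Parses ``options`` (exploit dir, service dir, branch, config file,
    ``--encrypt`` and ``--timeout``) and runs ``verify_exploit`` on the
    service checkout.

    Args:
        prog: Program name shown in argparse usage.
        options: Argument list to parse (without the program name).
    """
    desc = 'verify written exploit'
    parser = argparse.ArgumentParser(description=desc, prog=prog)
    add_exploit(parser)
    add_service_dir(parser)
    add_branch(parser)
    add_conf(parser)
    parser.add_argument("--encrypt", dest="encrypt", action="store_true",
                        default=False,
                        help="specify whether to encrypt the verified exploit")
    # type=int turns a non-numeric value into an argparse usage error instead
    # of an uncaught ValueError traceback from a later int() conversion.
    parser.add_argument("--timeout", metavar="SEC", required=True, type=int,
                        help="specify timeout for exploit")
    args = parser.parse_args(options)
    prompt_checkout_warning(args.service_dir)
    config = load_config(args.conf)
    verify_exploit(args.exploit, args.service_dir, args.branch, args.timeout,
                   config, args.encrypt)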
def submit(exploit_dir, service_dir, branch, target, config_file, token=None,
           confirm=True):
    """Verify, encrypt and submit an exploit as a GitHub issue.

    The exploit in ``exploit_dir`` is run against ``branch`` of the service
    in ``service_dir``; on success it is encrypted for ``target`` (signer
    ``config["player"]``), filed as an issue titled ``exploit-<branch>`` on
    the target team's repository, and two comments are added to the issue:
    the player's NetID / public key id and the exported public key.

    Args:
        exploit_dir: Directory holding the exploit.
        service_dir: Local checkout of the attacked service.
        branch: Branch the exploit is claimed to work against.
        target: Team key of the defending team.
        config_file: Path handed to ``load_config``.
        token: Optional GitHub token passed to ``Github``.
        confirm: When true, show the checkout warning prompt first.

    Exits via ``sys.exit()`` when verification or encryption fails.
    """
    config = load_config(config_file)
    timeout = config["exploit_timeout"]["exercise_phase"]
    if confirm:
        prompt_checkout_warning(service_dir)

    worked, _ = verify_exploit(exploit_dir, service_dir, branch, timeout, config)
    if not worked:
        print("[*] Your exploit did not work against any of the branch")
        sys.exit()
    verified_branch = branch
    print("[*] Your exploit has been verified against branch '%s'" % verified_branch)

    # Encrypt the exploit for the target team.
    signer = config["player"]
    encrypted_exploit = encrypt_exploit(exploit_dir, target, config, signer)
    if encrypted_exploit is None:
        print("[*] Failed to encrypt exploit")
        sys.exit(0)

    # File the issue carrying the encrypted exploit, then drop the artifact.
    github = Github(config["player"], token)
    issue_title = "exploit-%s" % verified_branch
    issue_number, issue_url = submit_issue(issue_title, encrypted_exploit,
                                           target, config, github)
    rmfile(encrypted_exploit)

    # Identify the submitter on the issue: NetID + key id, then the key itself.
    repo_owner = config['repo_owner']
    target_repo = config['teams'][target]['repo_name']
    signer_pubkey = config["individual"][signer]['pub_key_id']
    identity_comment = "My NetID is %s, and my pub key id is %s" % (
        config["player_team"], signer_pubkey)
    create_comment(repo_owner, target_repo, issue_number, identity_comment,
                   github)
    public_key = export_public_key(config, signer)
    create_comment(repo_owner, target_repo, issue_number, public_key, github)
    print("Success! Your issue url is:", issue_url)
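def verify_issue(defender, repo_name, issue_no, config, github,
                 target_commit=None):
    """Fetch an exploit issue filed against ``defender`` and verify it.

    The issue body (the encrypted exploit) is written to a private temp
    file, decrypted into a private temp directory, and run against the
    targeted branch of the defender's repository at the commit returned by
    ``get_latest_commit_hash`` for the issue's creation time.

    Args:
        defender: Team key under ``config['teams']`` whose repo is attacked.
        repo_name: Name of the defender's repository.
        issue_no: Number of the issue to fetch.
        config: Loaded configuration dict.
        github: GitHub handle passed to the issue/comment helpers.
        target_commit: Optional commit hash. NOTE(review): as in the
            original, a non-None value disables candidate collection, so
            nothing is verified; confirm whether it should instead be used
            as the candidate commit.

    Returns:
        ``(verified_branch, verified_commit, submitter, log)``; the first
        two are ``None`` when the exploit did not work.
    """
    import os
    import tempfile

    timeout = config["exploit_timeout"]["exercise_phase"]
    repo_owner = config['repo_owner']
    title, submitter, create_time, content = \
        get_github_issue(repo_owner, repo_name, issue_no, github)
    # Issue convention: "exploit-[branch_name]". Only a title that really
    # carries the prefix names a target branch; a title without it must not
    # be turned into a branch name by blindly slicing 8 characters.
    prefix = "exploit-"
    has_prefix = title.startswith(prefix)
    target_branch = title[len(prefix):] if has_prefix else title
    clone(repo_owner, repo_name)

    # The issue content is submitter-controlled and the exploit runs from
    # here, so use tempfile: unpredictable names and owner-only permissions
    # instead of the original guessable /tmp/gitctf_<6 chars> paths that
    # another local user could pre-create or symlink.
    tmpdir = tempfile.mkdtemp(prefix="gitctf_", suffix=".dir")
    team = defender
    try:
        fd, tmpfile = tempfile.mkstemp(prefix="gitctf_", suffix=".issue")
        try:
            with os.fdopen(fd, "w") as f:
                f.write(content)
            decrypt_exploit(tmpfile, config, team, tmpdir, submitter)
        finally:
            rmfile(tmpfile)

        # Candidate branches: configured bug branches plus master, else every
        # branch of the repository (the "+ ['master']" builds a new list, so
        # the config is not mutated).
        bug_branches = config['teams'][team]['bug_branches']
        branches = bug_branches + ['master'] if bug_branches \
            else list_branches(repo_name)
        candidates = []
        if has_prefix and target_branch in branches and target_commit is None:
            # The commit is resolved relative to the issue's creation time,
            # presumably so that later pushes to the branch do not affect
            # the verdict — confirm against get_latest_commit_hash.
            commit = get_latest_commit_hash(repo_name, create_time, target_branch)
            candidates.append((target_branch, commit))

        verified_branch = None
        verified_commit = None
        log = 'About %s (exploit-service branch)\n' % title
        for branch, commit in candidates:
            # Only the branch named in the title contributes to the log.
            if branch in title:
                result, log = verify_exploit(tmpdir, repo_name, commit, timeout,
                                             config, log=log)
            else:
                result, _ = verify_exploit(tmpdir, repo_name, commit, timeout,
                                           config)
            if result:
                verified_branch = branch
                verified_commit = commit
                break
    finally:
        # Remove the decrypted exploit and the clone even if a helper raised.
        rmdir(tmpdir)
        rmdir(repo_name)

    if verified_branch is None:
        print("[*] The exploit did not work against branch '%s'" %
              target_branch)
    else:
        print("[*] The exploit has been verified against branch '%s'" %
              verified_branch)
    return (verified_branch, verified_commit, submitter, log)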