# Snappaste (Part 2) Writeup

Here's an improved version of our pasting service. Some weird stuff was happening in the previous version, so we added an integrity check for the pastes. Also, due to misuse, we began limiting the size of the pasted snippets (please don't paste Kali Linux ISOs, thanks).

To compile, use the following commands:

```sh
gcc -c -std=c99 zlib/*.c
g++ -c -std=c++14 snappaste.cc
```

By Michael Maltsev

## Solution

By using WinMerge we could observe the following major differences between the two versions:

- `dword data_crc32;` was added to `PASTE_NETWORK_HEADER`, and a size limit on the pasted data now throws before the data is processed:

```cpp
    // Prevent service misuse
    throw std::invalid_argument("data size too big :(");
}
```


- The following code was added:

```cpp
// TODO: remove after testing
if (true) {
    if (backdoor) {
        backdoor = false;
    }
}
}
```


- CRC validation.

This time we can't change the `backdoor` variable, because the integer overflow from the previous challenge is gone. Let's look for new vulnerabilities in the added code.

Actually, this code:

```cpp
```

gives us an opportunity to leak the flag: the flag is copied into the `paste_received->data_size` location, but it is overwritten later with our data:

```python
```

When we tried supplying a large `paste_received->data_size` value but only a small amount of actual compressed data (so that the rest of the flag stays visible), we failed the following CRC check:

```python
```
Because we don't know the flag content, we can't really guess or brute-force the CRC.

What we CAN do is guess one letter at a time.
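To see why a CRC check over a buffer that still holds the flag turns into a byte-at-a-time oracle, and what closes it, here is a small Python model added for this writeup (it is not the challenge's code or its solve script): `vulnerable_check` stands in for the service's check, `hardened_check` ties the check to the bytes actually received over a zeroed buffer, and `SECRET`, `BUF_SIZE` and the function names are constructed stand-ins.

```python
import zlib

# Constructed stand-in for the flag left behind in the receive buffer (not the real one).
SECRET = b"flag{constructed_sample_flag}"
BUF_SIZE = 64


def vulnerable_check(data: bytes, data_size: int, claimed_crc: int) -> bool:
    """Models the service as described: the flag sits in the receive buffer, only
    the first len(data) bytes are overwritten by the caller's data, but the CRC is
    computed over the caller-chosen data_size bytes. That makes it a byte oracle."""
    buf = bytearray(BUF_SIZE)
    buf[:len(SECRET)] = SECRET
    buf[:len(data)] = data
    return zlib.crc32(bytes(buf[:data_size])) == claimed_crc


def hardened_check(data: bytes, data_size: int, claimed_crc: int) -> bool:
    """Two fixes: the declared size must match what was actually received, and the
    checked buffer starts zeroed, so nothing but caller data is ever covered."""
    if data_size != len(data):
        return False
    buf = bytearray(BUF_SIZE)
    buf[:len(data)] = data
    return zlib.crc32(bytes(buf[:data_size])) == claimed_crc


def honest_submit(check, data: bytes) -> bool:
    """A legitimate client: declared size and CRC both match the bytes sent."""
    return check(data, len(data), zlib.crc32(data))


def leak_next_byte(check, known: bytes):
    """The one-letter-at-a-time probe: declare one byte more than we send and claim
    the CRC of (known + guess). Only the right guess passes, since CRC32 cannot
    collide between same-length inputs that differ in a single byte."""
    for c in range(256):
        guess = known + bytes([c])
        if check(known, len(guess), zlib.crc32(guess)):
            return c
    return None


def leak_all(check, length: int) -> bytes:
    """Repeats the probe until `length` bytes are known or the check stops leaking."""
    known = b""
    for _ in range(length):
        c = leak_next_byte(check, known)
        if c is None:
            break
        known += bytes([c])
    return known
```

Against `vulnerable_check` the loop recovers the whole constructed secret; against `hardened_check` the very first probe fails and nothing leaks, while honest submissions still pass both.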

Let's first guess the flag length:

```python
guessed_length = 38
```