CTF, you fucked

I’m not sure about CTF for Windows, but there is no doubt that CTF for MacOS is a piece of dog crap. How CTF works on MacOS: it installs DCMApp.app, which is actually an HTTP server listening on 13800/tcp:

Andreys-MacBook-Pro:~ apanfilov$ cat /Applications/DCMApp.app/Contents/Info.plist 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>CFBundleDevelopmentRegion</key>
	<string>English</string>
	<key>CFBundleExecutable</key>
	<string>CTFHTTPServer</string>
	<key>CFBundleIconFile</key>
	<string>icon.icns</string>
	<key>LSUIElement</key>
	<true/>
</dict>
</plist>
Andreys-MacBook-Pro:~ apanfilov$ ps -ef | grep CTFHTTPServer
  501 67706     1   0  1:21am ??         0:06.77 /Applications/DCMApp.app/Contents/MacOS/CTFHTTPServer -psn_0_9234638
  501 67707 67706   0  1:21am ??         0:00.87 /Applications/DCMApp.app/Contents/MacOS/CTFHTTPServer -psn_0_9234638
  501 71255 69468   0  3:50am ttys007    0:00.00 grep CTFHTTPServer
Andreys-MacBook-Pro:~ apanfilov$ lsof -i -n -P | grep 13800
CTFHTTPSe 67706 apanfilov   10u  IPv4 0x4bfdf3517d667f4d      0t0    TCP 127.0.0.1:13800 (LISTEN)
Andreys-MacBook-Pro:~ apanfilov$ 

and as a result we have:

Simple echo servlet:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Echoes the "content" request parameter back to the caller as a file
 * download whose name is taken from the "filename" parameter.
 *
 * @author Andrey B. Panfilov <andrey@panfilov.tel>
 */
public class EchoServlet extends HttpServlet {

	@Override
	protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
		String name = req.getParameter("filename");
		// getBytes() uses the platform default charset; good enough for a simple echo
		byte[] content = req.getParameter("content").getBytes();
		resp.setContentType("application/octet-stream");
		resp.setContentLength(content.length);
		// RFC 5987 (filename*=) encoding of the download name;
		// Rfc5987Util is the author's helper and is not shown in the post
		resp.setHeader("Content-Disposition", "attachment; filename*=UTF-8''" + Rfc5987Util.encode(name));
		resp.getOutputStream().write(content);
	}

}

That is to say, if you have CTF installed, any internet site may upload/download arbitrary information to/from your computer.
