- Writeup for:
- https://github.com/binarygolf/BGGP/issues/164
- Firstly... mistakes were made! I decided I'd like to create a polyglot to cover BGGP #2 and missed the spec that it needed to be a binary (well a binary or bytecode) polyglot, so I mistakenly set off creating a Shell & SQL polyglot that I was really pleased with...
- /*: 2>/dev/null;curl https://binary.golf/5/5 #*/SELECT 6
- This makes good use of comments. Firstly, /*...*/ is a comment in SQL, so whatever I put in there is ignored, while the /* that's interpreted by Shell is a file, followed by the no-op :, with the error disappearing into the /dev/null black hole via 2>/dev/null. This handled the error from the file, and I could tack on ;curl https://binary.golf/5/5 to download the contents for BGGP 5. Lastly, the # char meant the */SELECT 6 to the right would be ignored.
- I was pleased with this weird interspersing of comments and errors being sent to /dev/null. It was only a few bytes and a valid Shell and SQL file, as I saw it output 5 and 6 respectively when executing via the command line. Great!
- Then, while submitting this entry, I noticed the words "binary polyglot", so I actually read the spec and realised my effort was no good: it wasn't a binary at all. Damn! I'd need to work on this more.
- So I did some research on ELF and PDF files, as I knew they were commonly used for polyglots, but couldn't make them work with my own polyglot too (I was determined to still use it). Then I looked to zip files and was pleased to be reminded that the PK header didn't have to be at byte 0, since unzip searches for it - which was perfect, as I could put the polyglot I already had at the start. Nothing wasted!
- Okay, time to make a zip file that displayed 2. I decided an empty file named 2 would be enough (so you could unzip it and see 2). Python would help me create this plus jam the polyglot at the start. I came up with...
import io
import os
import zipfile

# Create a ZIP (stored, no compression) holding a single empty file named "2"
zip_buffer = io.BytesIO()
with zipfile.ZipFile(zip_buffer, 'w', compression=zipfile.ZIP_STORED) as zf:
    zf.writestr('2', '')  # Empty file named "2"
zip_data = zip_buffer.getvalue()

# The Shell/SQL polyglot goes first; the zip bytes are appended straight after it
shell_sql = '/*: 2>/dev/null;curl https://binary.golf/5/5 #*/SELECT 6;'
polyglot = shell_sql.encode() + zip_data

output_file = '6.zip'
with open(output_file, 'wb') as f:
    f.write(polyglot)
os.chmod(output_file, 0o755)  # Make it executable so it can be run directly
- But there was a problem. When trying to execute the SQL it would error:
6
Parse error near line 1: near "PK": syntax error
PK
^--- error here
- ...as it was reading the start of the zip file (the PK header). I knew there was another type of comment syntax that could be used with SQL... the -- syntax, so I could add that just before PK to stop it being read as SQL. Now we had the following format:
- /*: 2>/dev/null;curl https://binary.golf/5/5 #*/SELECT 6;--PK<rest of zip binary>
- ...and it worked! Now we had zip as the binary host file, with Shell and SQL at the beginning, and they were all executing what they should due to their respective commenting, with the error I didn't want to see from Shell disappearing into /dev/null:
└─▶ sh 6.zip
Another #BGGP5 download!! @binarygolf https://binary.golf
└─▶ sqlite3 :memory: < 6.zip
6
└─▶ unzip -Z -1 6-polyglot.shql 2>/dev/null
2
- I'd try to get the unzip command working without it printing the error: "warning [6-polyglot.shql]: 59 extra bytes at beginning or within zipfile (attempting to process anyway)", but I'm not sure if much could be done about that.
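As an added example (not the author's script and not part of the original paste), here is a Python rebuild of the final layout that also checks all three views of the file offline using only the standard library. Two things in it are assumptions of mine rather than anything in the writeup: the zip timestamp is pinned to the DOS epoch so that no 0x0a byte can land in the time/date fields and end the shell `#` comment or the SQL `--` comment early, and the SQL check hands sqlite3 only the bytes before the first NUL, because Python's sqlite3 module rejects NUL in query text (the real test is still the sqlite3 CLI shown above).

```python
import io
import sqlite3
import zipfile

# The Shell/SQL prefix from the writeup. The trailing "--" turns everything
# that follows (the zip bytes, starting with "PK") into an SQL line comment,
# and the earlier "#" does the same job for the shell.
SHELL_SQL_PREFIX = b'/*: 2>/dev/null;curl https://binary.golf/5/5 #*/SELECT 6;--'

# Assumption added here: pin the zip timestamp to the DOS epoch. The original
# script lets zipfile stamp the entry with the current time, and a wall-clock
# timestamp can put a 0x0a byte into the DOS time/date fields; a newline would
# end both line comments early and expose the zip bytes to the parsers.
PINNED_DATE_TIME = (1980, 1, 1, 0, 0, 0)


def build_polyglot(entry_name='2'):
    """Return prefix + a stored zip holding one empty file named entry_name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', compression=zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo(entry_name, date_time=PINNED_DATE_TIME)
        info.compress_type = zipfile.ZIP_STORED
        zf.writestr(info, b'')
    return SHELL_SQL_PREFIX + buf.getvalue()


def comment_tail_is_newline_free(polyglot):
    """Both comments run to end of line, so the bytes from the shell '#' to
    the end of the file (which include the whole zip) must hold no 0x0a."""
    tail = polyglot[polyglot.index(b'#'):]
    return b'\n' not in tail


def archive_entries(polyglot):
    """The unzip view: zipfile finds the end-of-central-directory record by
    scanning back from the end, so the leading shell/SQL bytes are skipped
    (they are the 'extra bytes at beginning' that unzip warns about)."""
    with zipfile.ZipFile(io.BytesIO(polyglot)) as zf:
        if zf.testzip() is not None:
            raise ValueError('corrupt entry in zip tail')
        return zf.namelist()


def sql_result(polyglot):
    """The sqlite view. Python's sqlite3 module refuses query text containing
    a NUL byte, so it is given everything before the first NUL; that still
    covers the "--PK" region that produced the original parse error, and
    the SELECT must terminate cleanly before the comment for this to work."""
    text = polyglot.split(b'\x00', 1)[0].decode('latin-1')
    con = sqlite3.connect(':memory:')
    try:
        return con.execute(text).fetchone()[0]
    finally:
        con.close()


if __name__ == '__main__':
    blob = build_polyglot()
    print(len(blob), 'bytes, prefix', len(SHELL_SQL_PREFIX))
    print('newline-free tail:', comment_tail_is_newline_free(blob))
    print('zip entries:', archive_entries(blob))
    print('SQL result:', sql_result(blob))
    with open('6-polyglot.shql', 'wb') as f:
        f.write(blob)
```

The prefix is 59 bytes, which is exactly the "59 extra bytes at beginning" that unzip reports; that warning is informational, since unzip locates the central directory from the end of the file and only notes that the local header is not where the central directory says it should be.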
- Now I was really happy - a Zip/Shell/SQL polyglot (BGGP 2) that downloaded the URL (BGGP 5) and output 6 as well (BGGP 6).