Qilinglab
# rootfs https://github.com/qilingframework/rootfs
# Link: https://www.shielder.it/blog/2021/07/qilinglab-release/
from qiling.os.mapper import QlFsMappedObject | |
from qiling import Qiling | |
from qiling.const import QL_VERBOSE | |
import sys | |
import struct | |
def challenge1(ql: Qiling):
    """Challenge 1: store 0x539 (1337) as a little-endian 16-bit value at guest address 0x1337.

    The page holding 0x1337 is not part of the binary's image; run_sandbox maps it
    explicitly (``ql.mem.map``) before emulation starts so this write does not fault.

    Args:
        ql: the emulator instance whose guest memory is patched.
    """
    # "<H" packs 0x0539 as b"\x39\x05", i.e. the bytes the guest reads back as 1337
    ql.mem.write(0x1337, struct.pack("<H", 0x539))
def uname_hook(ql: Qiling, address, *args, **kw):
    """Syscall replacement for uname(2): fill the guest's ``struct utsname``.

    The buffer is written as six consecutive 65-byte NUL-padded fields
    (sysname, nodename, release, version, machine, domainname), which is the
    glibc layout with ``_UTSNAME_LENGTH == 65``. The field contents are the
    values the lab binary compares against (presumably challenge 2, going by
    the "ChallengeStart" version string).

    Args:
        ql: the emulator instance.
        address: guest pointer to the utsname buffer passed to the syscall.
        *args, **kw: remaining syscall arguments; unused.

    Returns:
        0, reported to the guest as the syscall's success status.
    """
    fields = (
        b"QilingOS",        # sysname
        b"ql_vm",           # nodename
        b"69.0-RELEASE",    # release
        b"ChallengeStart",  # version
        b"ql_processor",    # machine
        b"",                # domainname
    )
    utsname = b"".join(field.ljust(65, b"\x00") for field in fields)
    ql.mem.write(address, utsname)
    return 0
def challenge3(ql: Qiling):
    """Challenge 3: write the single byte 0x5a to the guest buffer rsi points at.

    Presumably rsi is the destination buffer of a read the binary performs at the
    hooked instruction, so the guest sees a fixed byte instead of real random data
    (the author's own comment asks "write a random byte?") — TODO confirm against
    the instruction at the hook address in run_sandbox.
    """
    fixed_byte = b"\x5a"
    ql.mem.write(ql.reg.rsi, fixed_byte)
def getrand_hook(ql: Qiling, address, *args, **kw):
    """Syscall replacement for getrandom(2): copy 0x20 bytes from a fixed guest
    address (0x80000000dd20) into the caller's buffer.

    The source address is hard-coded, so this only reproduces the author's run:
    if the guest's memory layout differs (different binary build, different
    emulator version), the copy silently delivers unrelated bytes.

    Args:
        ql: the emulator instance.
        address: guest pointer to the getrandom output buffer.
        *args, **kw: remaining syscall arguments; unused.

    NOTE(review): unlike uname_hook this returns None rather than a byte count;
    verify what Qiling reports to the guest as the syscall result in that case.
    """
    source, length = 0x80000000dd20, 0x20
    ql.mem.write(address, bytes(ql.mem.read(source, length)))
def debug_shiz(ql: Qiling):
    """Debug helper: print the guest's rax between two marker lines.

    Not active by default; run_sandbox only references it from a commented-out
    hook_address call.
    """
    for line in ("Debug:", ql.reg.rax, "Debug: END"):
        print(line)
def challenge4(ql: Qiling):
    """Challenge 4: set the byte-sized stack local at rbp-8 to 1.

    Which local that is (a loop counter or flag, presumably) is not visible
    here; only the single byte at that slot is touched.
    """
    ql.mem.write(ql.reg.rbp - 0x8, b"\x01")
def challenge6(ql: Qiling):
    """Challenge 6: zero the single byte at rbp-5 on the guest stack."""
    one_nul = bytes(1)
    ql.mem.write(ql.reg.rbp - 0x5, one_nul)
def challenge9(ql: Qiling):
    """Challenge 9: copy 27 bytes from the buffer at rax into the buffer at rdx.

    The length is fixed; whether the guest buffers are actually 27 bytes long
    is not checked here.
    """
    src_addr, dst_addr = ql.reg.rax, ql.reg.rdx
    payload = bytes(ql.mem.read(src_addr, 27))
    ql.mem.write(dst_addr, payload)
def sleep_hook(ql: Qiling):
    """Clear rdi at the hooked address.

    rdi carries the first integer argument in the SysV x86-64 ABI; going by the
    name, the hook sits just before a call to sleep(), so the guest ends up
    sleeping for 0 seconds instead of stalling the emulation.
    """
    ql.reg.rdi = 0
def challenge11(ql: Qiling):
    """Challenge 11: load rsi, rcx and rax with the little-endian packing of
    "Qili", "ngLa" and "b   " — together the 12-byte string "QilingLab   ".

    These are the same constants as 0x696C6951, 0x614C676E and 0x20202062;
    which guest instruction consumes them is not visible here (presumably a
    vendor-string style comparison).
    """
    ql.reg.rsi = int.from_bytes(b"Qili", "little")  # 0x696C6951
    ql.reg.rcx = int.from_bytes(b"ngLa", "little")  # 0x614C676E
    ql.reg.rax = int.from_bytes(b"b   ", "little")  # 0x20202062
def my_rand(ql: Qiling):
    """Replacement for libc rand(): make every call return 0.

    Installed through ``ql.set_api('rand', my_rand)`` in run_sandbox; the
    return value is delivered to the guest via rax.
    """
    ql.reg.rax = 0
def challenge8(ql: Qiling):
    """Challenge 8: follow the pointer at offset 0x10 of the 24-byte structure
    rax points at, and set the byte it refers to to 1.

    Only the third 8-byte field (little-endian) is interpreted; the first 16
    bytes of the structure are read but not used.
    """
    record = ql.mem.read(ql.reg.rax, 24)
    (target,) = struct.unpack_from("<Q", record, 0x10)
    ql.mem.write(target, b"\x01")
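class cmdline(QlFsMappedObject):
    """Fake /proc/self/cmdline for challenge 10: the guest always reads the
    process name "qilinglab".

    Only read() matters for the lab; fstat() reports failure (-1) and close()
    succeeds (0).
    """

    CONTENT = b"qilinglab"

    def read(self, size):
        """Return the cmdline bytes, truncated to the requested ``size``.

        The requested length is honored so a guest reading with a buffer
        smaller than the content cannot receive more bytes than it asked for.
        Every call returns data (there is no EOF), so a reader that loops
        until an empty read would never finish; the lab binary does not.
        """
        return self.CONTENT[:size]

    def fstat(self):
        """Report the file as not stat-able (-1)."""
        return -1

    def close(self):
        """Nothing to release; report success (0)."""
        return 0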
def run_sandbox(path, rootfs, verbose):
    """Emulate the QilingLab binary with every challenge patched in, then run it.

    Args:
        path: argv list for the guest; its first element is the ELF to emulate.
        rootfs: directory used as the emulated root filesystem.
        verbose: a QL_VERBOSE level passed straight through to Qiling.

    The hook addresses are absolute guest addresses and appear to assume the
    binary is loaded at Qiling's default PIE base (the 0x5555555540... range);
    a different build or load base leaves the hooks unhit without any error.
    """
    ql = Qiling(path, rootfs, verbose=verbose, console=False)

    # instruction-level hooks, keyed by the address each challenge is patched at
    address_hooks = {
        0x555555554B92: challenge1,
        0x555555554D91: challenge3,
        0x555555554E33: challenge4,
        0x555555554F12: challenge6,
        0x555555554F3C: sleep_hook,
        0x555555554FB5: challenge8,
        0x555555555051: challenge9,
        0x555555555195: challenge11,
    }
    for addr, hook in address_hooks.items():
        ql.hook_address(hook, addr)

    # challenge 10: the guest reads its own name from /proc/self/cmdline
    ql.add_fs_mapper("/proc/self/cmdline", cmdline())
    # libc rand() is replaced at the API level rather than by address
    ql.set_api("rand", my_rand)
    # ql.hook_address(debug_shiz, 0x555555554F16)

    # challenge1 writes to 0x1337, which is otherwise unmapped: map its page
    page_base = 0x1337 & ~0xFFF
    ql.mem.map(page_base, 0x1000)

    # uname (presumably challenge 2) and getrandom are handled at the syscall layer
    ql.set_syscall("uname", uname_hook)
    ql.set_syscall("getrandom", getrand_hook)
    # ql.debugger = True
    ql.run()
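if __name__ == "__main__":
    # usage: <script> <path-to-qilinglab-binary>; the rootfs path below is
    # relative to the working directory (see the rootfs link at the top).
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <binary>")
    target = sys.argv[1]
    run_sandbox([target], "rootfs/x8664_linux", QL_VERBOSE.DEBUG)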