import sys
from qiling import *
from qiling.const import QL_VERBOSE, QL_INTERCEPT
from qiling.os.mapper import QlFsMappedObject
import struct
import os
def level_1(ql):
    """Level 1: map a page at 0x1000 and store two bytes at 0x1337.

    The bytes written are 0x39, 0x05, i.e. the little-endian encoding
    of the value 0x0539 that the challenge expects to find there.
    """
    page_base = 0x1000
    page_size = 0x1000
    ql.mem.map(page_base, page_size)
    ql.mem.write(0x1337, b"\x39\x05")
def hijacked_uname(ql, buf, *args, **kwargs):
    """Syscall replacement for ``uname``: fill ``buf`` with fixed names.

    Each of the six ``utsname`` fields (sysname, nodename, release,
    version, machine, domainname) is written as a 65-byte NUL-padded
    slot, 390 bytes in total, and the syscall result is set to 0.
    Extra positional/keyword arguments passed by the syscall dispatcher
    are accepted and ignored.
    """
    fields = (
        b"QilingOS",
        b"DESKTOP-0B8APTR",
        b"5.10.16.3-microsoft-standard-WSL2",
        b"ChallengeStart",
        b"x86_64",
        b"localdomain",
    )
    payload = b"".join(name.ljust(65, b"\x00") for name in fields)
    ql.mem.write(buf, payload)
    ql.os.set_syscall_return(0)
def level_2(ql):
    """Level 2: route the ``uname`` syscall to :func:`hijacked_uname`."""
    handler = hijacked_uname
    ql.set_syscall("uname", handler)
class Fake_urandom(QlFsMappedObject):
    """Stand-in for ``/dev/urandom`` with fully predictable output.

    A one-byte read yields 0xff; any other size yields that many zero
    bytes.  ``close`` always reports success (0).
    """

    def read(self, size):
        """Return deterministic bytes for a read of ``size`` bytes."""
        if size == 1:
            return b"\xff"
        return b"\x00" * size

    def close(self):
        """Report a successful close."""
        return 0
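def my_get_random(ql):
    """API hook for ``getrandom``: fill the caller's buffer with zeros.

    Reads the x86-64 SysV argument registers (``rdi`` = buffer address,
    ``rsi`` = length), writes that many zero bytes to the buffer and
    reports the full length in ``rax`` so the emulated program sees a
    successful call.  The flags argument in ``rdx`` is not read: no
    flag semantics are emulated, and the original unused local is gone.
    """
    buf = ql.reg.rdi
    buflen = ql.reg.rsi
    ql.mem.write(buf, b"\x00" * buflen)
    ql.reg.rax = buflen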
def level_3(ql):
    """Level 3: make both randomness sources deterministic.

    Maps ``/dev/urandom`` to :class:`Fake_urandom` and replaces the
    ``getrandom`` API with :func:`my_get_random`.
    """
    mappings = (("/dev/urandom", Fake_urandom),)
    for path, obj in mappings:
        ql.add_fs_mapper(path, obj)
    ql.set_api("getrandom", my_get_random)
def get_main_module_base(ql):
    """Return the load base of the main module (the emulated program).

    Looks the module up by the file-name component of ``ql.argv[0]``
    via ``ql.mem.get_lib_base``; the ``level_*`` hooks add fixed
    offsets to this base to reach specific instructions.
    """
    program_name = os.path.basename(ql.argv[0])
    return ql.mem.get_lib_base(program_name)
# One-shot latch for set_loop_variable(): True until that hook has fired once.
first_time = True
def set_loop_variable(ql):
    """Address hook for level 4: on the first hit, move ``rip`` back by 0xb.

    Installed at main-module base + 0xe40 (see ``level_4``); it redirects
    execution to base + 0xe35 exactly once, using the module-level
    ``first_time`` latch.  Every later hit is a no-op.
    """
    global first_time
    if not first_time:
        return
    first_time = False
    ql.reg.rip = get_main_module_base(ql) + 0xe35
def level_4(ql):
    """Level 4: hook main-module base + 0xe40 with :func:`set_loop_variable`."""
    hook_at = get_main_module_base(ql) + 0xe40
    ql.hook_address(set_loop_variable, hook_at)
def my_rand(ql):
    """API hook for ``rand``: always return 0 through ``rax``."""
    fixed_value = 0
    ql.reg.rax = fixed_value
def level_5(ql):
    """Level 5: replace the ``rand`` API with :func:`my_rand`."""
    handler = my_rand
    ql.set_api("rand", handler)
def escape_loop(ql):
    """Address hook for level 6: skip the instruction at the hook site.

    Advances ``rip`` by two bytes so the emulated program resumes after
    the instruction at main-module base + 0xf18 (see ``level_6``).
    """
    skip = 2
    ql.reg.rip = ql.reg.rip + skip
def level_6(ql):
    """Level 6: hook main-module base + 0xf18 with :func:`escape_loop`."""
    hook_at = get_main_module_base(ql) + 0xf18
    ql.hook_address(escape_loop, hook_at)
def level_7(ql):
    """Level 7: neutralise ``sleep`` so the program does not block.

    The replacement ignores its argument and returns 0 immediately.
    """
    def no_sleep(q):
        return 0

    ql.set_api("sleep", no_sleep)
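def set_data_in_heap(ql):
    """Address hook for level 8: dereference a heap pointer and write 1.

    At the hook site ``rax`` holds the address of a heap object.  The
    8-byte pointer stored at ``rax + 0x10`` is read, decoded as
    little-endian, and a single byte 0x01 is written to the address it
    points to.  The raw pointer bytes are printed for tracing.
    """
    ptr_slot = ql.reg.rax + 0x10
    raw = bytes(ql.mem.read(ptr_slot, 8))
    print(raw)
    # Decode explicitly as little-endian: the emulated target is x86-64,
    # so the result must not depend on the host's native byte order
    # (the original native-order struct.unpack('Q') did).
    target = int.from_bytes(raw, "little")
    ql.mem.write(target, b"\x01")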
def level_8(ql):
    """Level 8: hook main-module base + 0xfb5 with :func:`set_data_in_heap`."""
    hook_at = get_main_module_base(ql) + 0xfb5
    ql.hook_address(set_data_in_heap, hook_at)
def no_tolower(ql):
    """API hook for ``tolower``: return the argument (``rdi``) unchanged in ``rax``."""
    ch = ql.reg.rdi
    ql.reg.rax = ch
def level_9(ql):
    """Level 9: replace the ``tolower`` API with :func:`no_tolower`."""
    handler = no_tolower
    ql.set_api("tolower", handler)
class Fake_cmdline(QlFsMappedObject):
    """Stand-in for ``/proc/self/cmdline`` reporting a fixed command line.

    ``read`` ignores ``size`` and always returns ``b"qilinglab"``; it
    never returns an empty buffer, so it does not signal EOF to a reader
    that loops until a read returns no data.  ``close`` reports success.
    """

    def read(self, size):
        """Return the fixed command line regardless of ``size``."""
        fixed = b"qilinglab"
        return fixed

    def close(self):
        """Report a successful close."""
        return 0
def level_10(ql):
    """Level 10: serve :class:`Fake_cmdline` in place of ``/proc/self/cmdline``."""
    mapped_path = "/proc/self/cmdline"
    ql.add_fs_mapper(mapped_path, Fake_cmdline)
def cpuid_hook(ql):
    """Address hook for level 11: fake the ``cpuid`` result and skip it.

    Loads ``rbx``/``rcx``/``rdx`` with the little-endian ASCII of
    "Qili", "ngLa", "b   " (spelling "QilingLab") and advances ``rip``
    by 2 so the two-byte ``cpuid`` at main-module base + 0x118f is not
    executed.  ``rax`` is left untouched.
    """
    fake_regs = {
        "rbx": 0x696c6951,  # "Qili"
        "rcx": 0x614c676e,  # "ngLa"
        "rdx": 0x20202062,  # "b   "
    }
    for name, value in fake_regs.items():
        setattr(ql.reg, name, value)
    ql.reg.rip = ql.reg.rip + 2
def level_11(ql):
    """Level 11: hook main-module base + 0x118f with :func:`cpuid_hook`."""
    hook_at = get_main_module_base(ql) + 0x118f
    ql.hook_address(cpuid_hook, hook_at)
def solve_challenges(path, rootfs):
    """Emulate the challenge binary with every level's hooks installed.

    ``path`` is the argv list of the emulated program (``path[0]`` is the
    binary) and ``rootfs`` the directory the program sees as ``/``.
    Hooks for levels 1-11 are installed in order before ``ql.run()``;
    debug verbosity is enabled so the emulator trace is visible.
    NOTE(review): whatever is emulated can reach files under ``rootfs``
    through emulated syscalls, so use a dedicated rootfs directory rather
    than the host root when the binary is not trusted.
    """
    ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG)
    # Set ql.debugger = True here to attach Qiling's debugger.
    levels = (
        level_1, level_2, level_3, level_4, level_5, level_6,
        level_7, level_8, level_9, level_10, level_11,
    )
    for install in levels:
        install(ql)
    ql.run()
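if __name__ == "__main__":
    # Defaults reproduce the original invocation; both can be overridden
    # from the command line: <this script> [binary] [rootfs].
    binary = sys.argv[1] if len(sys.argv) > 1 else "./qilinglab-x86_64"
    # The emulated program sees rootfs as its "/".  The original default
    # is the host root, which exposes host files to the emulated binary;
    # prefer a dedicated rootfs directory (Qiling ships example ones).
    rootfs = sys.argv[2] if len(sys.argv) > 2 else "/"
    solve_challenges([binary], rootfs)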