My solution to qilinglab : https://www.shielder.it/blog/2021/07/qilinglab-release/
import sys | |
from qiling import * | |
from qiling.const import QL_VERBOSE, QL_INTERCEPT | |
from qiling.os.mapper import QlFsMappedObject | |
import struct | |
import os | |
def level_1(ql):
    """Level 1: map one page at 0x1000 and store 0x0539 (little-endian) at 0x1337.

    The page must be mapped before the write, since 0x1337 lies inside it.
    """
    page_base = 0x1000
    page_size = 0x1000
    ql.mem.map(page_base, page_size)
    ql.mem.write(0x1337, b"\x39\x05")
def hijacked_uname(ql, buf, *args, **kwargs):
    """Syscall hook for uname(2): fill *buf* with a fixed struct utsname, return 0.

    Six NUL-padded 65-byte fields (sysname, nodename, release, version, machine,
    domainname) are written back to back, which is the x86_64 Linux struct
    utsname layout. Any further syscall arguments are ignored.
    """
    fields = (
        b"QilingOS",
        b"DESKTOP-0B8APTR",
        b"5.10.16.3-microsoft-standard-WSL2",
        b"ChallengeStart",
        b"x86_64",
        b"localdomain",
    )
    payload = b"".join(field.ljust(65, b"\x00") for field in fields)
    ql.mem.write(buf, payload)
    ql.os.set_syscall_return(0)
def level_2(ql):
    """Level 2: route the guest's uname(2) syscall to hijacked_uname."""
    syscall_name = 'uname'
    ql.set_syscall(syscall_name, hijacked_uname)
class Fake_urandom(QlFsMappedObject):
    """Stand-in for /dev/urandom: a 1-byte read yields 0xff, larger reads yield NULs."""

    def read(self, size):
        """Return *size* deterministic bytes: b"\\xff" when size == 1, else NUL bytes."""
        return b"\xff" if size == 1 else b"\x00" * size

    def close(self):
        """Report success; there is nothing to release."""
        return 0
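def my_get_random(ql):
    """API hook for getrandom(3): fill the caller's buffer with NUL bytes.

    Arguments come from the x86_64 SysV argument registers: rdi = buf and
    rsi = buflen (rdx would carry flags, which this hook does not need).
    The return value in rax is buflen, i.e. a complete read is reported.
    """
    buf, buflen = ql.reg.rdi, ql.reg.rsi
    ql.mem.write(buf, b"\x00" * buflen)
    ql.reg.rax = buflen  # report every requested byte as produced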
def level_3(ql):
    """Level 3: make /dev/urandom and getrandom(3) deterministic.

    The file is served by Fake_urandom; the library call by my_get_random.
    """
    device_path = "/dev/urandom"
    ql.add_fs_mapper(device_path, Fake_urandom)
    ql.set_api('getrandom', my_get_random)
def get_main_module_base(ql):
    """Return the load address of the main executable.

    Qiling keys loaded-module bases by file name, so the lookup uses the
    basename of argv[0].
    """
    module_name = os.path.basename(ql.argv[0])
    return ql.mem.get_lib_base(module_name)
first_time = True


def set_loop_variable(ql):
    """Level 4 hook: on its first hit only, redirect rip to module base + 0xe35.

    The module-level first_time flag makes every later hit a no-op. The
    offsets are specific to the qilinglab-x86_64 binary.
    """
    global first_time
    if not first_time:
        return
    first_time = False
    ql.reg.rip = get_main_module_base(ql) + 0xe35
def level_4(ql):
    """Level 4: install set_loop_variable at module base + 0xe40."""
    hook_addr = get_main_module_base(ql) + 0xe40
    ql.hook_address(set_loop_variable, hook_addr)
def my_rand(ql):
    """API hook for rand(3): always return 0 (placed in rax)."""
    fixed_value = 0
    ql.reg.rax = fixed_value
def level_5(ql):
    """Level 5: replace rand(3) with my_rand."""
    api_name = 'rand'
    ql.set_api(api_name, my_rand)
def escape_loop(ql):
    """Level 6 hook: advance rip by 2, skipping the instruction at the hooked address.

    Which 2-byte instruction is skipped depends on the binary at the offset
    chosen in level_6.
    """
    skip_len = 2
    ql.reg.rip = ql.reg.rip + skip_len
def level_6(ql):
    """Level 6: install escape_loop at module base + 0xf18."""
    hook_addr = get_main_module_base(ql) + 0xf18
    ql.hook_address(escape_loop, hook_addr)
def level_7(ql):
    """Level 7: replace sleep(3) with a hook that returns 0 without waiting."""
    def no_sleep(q):
        return 0

    ql.set_api('sleep', no_sleep)
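def set_data_in_heap(ql):
    """Level 8 hook: follow the pointer stored at rax+0x10 and write 0x01 there.

    At the hooked address rax points to an object whose 8-byte field at offset
    0x10 holds a pointer (to the challenge's heap buffer, per this hook's name);
    the first byte of the pointee is set to 1. The pointer is decoded as an
    explicit little-endian 64-bit value so the result does not depend on the
    host's native struct layout.
    """
    raw = ql.mem.read(ql.reg.rax + 0x10, 8)
    print(raw)  # debug trace of the raw pointer field
    target = int.from_bytes(bytes(raw), "little")
    ql.mem.write(target, b"\x01")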
def level_8(ql):
    """Level 8: install set_data_in_heap at module base + 0xfb5."""
    hook_addr = get_main_module_base(ql) + 0xfb5
    ql.hook_address(set_data_in_heap, hook_addr)
def no_tolower(ql):
    """API hook for tolower(3): return the argument (rdi) unchanged in rax."""
    ch = ql.reg.rdi
    ql.reg.rax = ch
def level_9(ql):
    """Level 9: replace tolower(3) with no_tolower."""
    api_name = 'tolower'
    ql.set_api(api_name, no_tolower)
class Fake_cmdline(QlFsMappedObject):
    """Stand-in for /proc/self/cmdline that always reports the name "qilinglab"."""

    def read(self, size):
        """Return the fixed cmdline; *size* is ignored.

        NOTE: this never returns b"", so a guest that reads until EOF would
        not terminate; the challenge is expected to read once.
        """
        content = b"qilinglab"
        return content

    def close(self):
        """Nothing to release."""
        return 0
def level_10(ql):
    """Level 10: serve /proc/self/cmdline from Fake_cmdline."""
    proc_path = '/proc/self/cmdline'
    ql.add_fs_mapper(proc_path, Fake_cmdline)
def cpuid_hook(ql):
    """Level 11 hook: emulate a cpuid whose ebx:ecx:edx spell "QilingLab   ".

    The register values are the little-endian ASCII encodings of "Qili",
    "ngLa" and "b   " (0x696c6951, 0x614c676e, 0x20202062). rip is advanced
    by 2, presumably over the 2-byte cpuid instruction at the hooked address.
    """
    ql.reg.rbx = int.from_bytes(b"Qili", "little")
    ql.reg.rcx = int.from_bytes(b"ngLa", "little")
    ql.reg.rdx = int.from_bytes(b"b   ", "little")
    ql.reg.rip = ql.reg.rip + 2
def level_11(ql):
    """Level 11: install cpuid_hook at module base + 0x118f."""
    hook_addr = get_main_module_base(ql) + 0x118f
    ql.hook_address(cpuid_hook, hook_addr)
def solve_challenges(path, rootfs):
    """Emulate the challenge binary with every level's hook installed.

    *path* is the guest argv list (path[0] is the binary) and *rootfs* the
    emulated root directory. Hooks are installed in level order, then the
    guest runs to completion under DEBUG verbosity.
    """
    ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG)
    # To attach Qiling's debugger before running, set: ql.debugger = True
    installers = (
        level_1, level_2, level_3, level_4, level_5, level_6,
        level_7, level_8, level_9, level_10, level_11,
    )
    for install in installers:
        install(ql)
    ql.run()
if __name__ == "__main__":
    # NOTE: rootfs "/" lets the emulated guest see the host filesystem; point
    # this at a dedicated rootfs directory when running anything untrusted.
    challenge_argv = ["./qilinglab-x86_64"]
    solve_challenges(challenge_argv, "/")