@AmunRha
Created July 22, 2021 22:08
This is my solution to QilingLabs by thezero from ShielderSec.
# This is my solution to the QilingLabs by thezero
# from ShielderSec
# Link: https://www.shielder.it/blog/2021/07/qilinglab-release/
from qiling import *
from qiling.os.mapper import QlFsMappedObject
from qiling.const import QL_VERBOSE
import struct
rootfs = "/mnt/d/rootfs-master/x8664_linux"  # guest root filesystem handed to Qiling (x86-64 Linux rootfs)
binary = "qilinglab-x86_64"  # challenge binary; passed to Qiling as argv[0] in solve()
def patch_uname(ql, name, *args, **kw):
    """Syscall hook for ``uname``: fill the guest ``struct utsname`` with fixed strings.

    Args:
        ql: the Qiling instance; only ``ql.mem.write`` is used.
        name: guest address of the caller's ``struct utsname``.
        *args, **kw: remaining syscall arguments, ignored.

    Returns:
        0, reported to the guest as the syscall's success status.
    """
    # Six consecutive 65-byte, NUL-padded fields (sysname, nodename, release,
    # version, machine, domainname); the domainname is left empty.
    fields = (
        b'QilingOS',
        b'ql_vm',
        b'99.0-RELEASE',
        b'ChallengeStart',
        b'ql_processor',
        b'',
    )
    payload = b''.join(field.ljust(65, b'\x00') for field in fields)
    ql.mem.write(name, payload)
    return 0
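def patch_getrandom(ql, buf, buflen, *args, **kw):
    """Syscall hook for ``getrandom``: fill the guest buffer with 0x01 bytes.

    The deterministic content matches what the ``/dev/urandom`` mapper in this
    file hands out for a 32-byte read, so the challenge's comparison of the
    two sources succeeds.

    Args:
        ql: the Qiling instance; only ``ql.mem.write`` is used.
        buf: guest address of the caller's buffer.
        buflen: number of bytes the caller asked for. It is honoured so the
            hook never writes past the end of the guest buffer (the original
            always wrote 32 bytes regardless of ``buflen``).
        *args, **kw: remaining syscall arguments (flags), ignored.

    Returns:
        The number of bytes written, or -1 if the guest memory write failed.
    """
    # A negative length would make the multiplication yield b''; clamp
    # explicitly so the return value is 0 rather than a surprise.
    count = max(buflen, 0)
    data = b'\x01' * count
    try:
        ql.mem.write(buf, data)
    except Exception:
        # Narrow enough not to swallow KeyboardInterrupt/SystemExit (the bare
        # except did), wide enough to turn any emulator memory error into a
        # syscall failure the guest can see.
        return -1
    return len(data)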
class Fake_urandom(QlFsMappedObject):
    """Stand-in for ``/dev/urandom`` that returns deterministic bytes.

    A 32-byte read yields thirty-two 0x01 bytes (the same content
    ``patch_getrandom`` writes); any other size yields a single 0x02 byte,
    so larger requests get a short read.
    """

    def read(self, size):
        """Return fake random bytes for a read of ``size`` bytes."""
        return b"\x01" * 32 if size == 32 else b"\x02"

    def fstat(self):
        """Report ``fstat`` as failed (-1)."""
        return -1

    def close(self):
        """Accept ``close`` and report success (0)."""
        return 0
def patch_challenge4(ql):
    """Address hook for challenge 4: store a 1 byte in the stack slot at ``[rbp-8]``.

    Args:
        ql: the Qiling instance; reads ``ql.reg.rbp`` and writes guest memory.
    """
    stack_slot = ql.reg.rbp - 0x8
    ql.mem.write(stack_slot, b'\x01')
def patch_rand(ql):
    """Address hook for challenge 5: force ``eax`` to 0.

    Presumably ``eax`` holds a ``rand()`` result at the hooked address — confirm
    against the disassembly.
    """
    regs = ql.reg
    regs.eax = 0
def patch_infinity(ql):
    """Address hook for challenge 6: clear ``al``.

    Presumably ``al`` is the loop-condition result at the hooked address, so
    zeroing it breaks the otherwise infinite loop — confirm against the disassembly.
    """
    regs = ql.reg
    regs.al = 0
def patch_sleep(ql):
    """API hook for ``sleep``: zero ``rdi``, the first-argument register.

    Presumably this makes the emulated sleep see a 0-second request — confirm
    how ``set_api`` hooks interact with the real implementation in this Qiling version.
    """
    regs = ql.reg
    regs.rdi = 0
def write_data_struct(ql):
    """Address hook for challenge 8: set the byte behind the struct's pointer field.

    Reads the 24-byte record ``rax`` points to, takes the little-endian 64-bit
    pointer stored at offset 0x10, and writes a single 1 byte at that address.

    Args:
        ql: the Qiling instance; reads ``ql.reg.rax`` and guest memory.
    """
    record = ql.mem.read(ql.reg.rax, 24)
    (pointer,) = struct.unpack_from("<Q", record, 0x10)
    ql.mem.write(pointer, b'\x01')
def patch_tolower(ql):
    """API hook replacing ``tolower``: hand back ``rdi`` unchanged.

    Returning the first argument makes the replaced routine an identity
    function, so the character is not lowercased.

    Returns:
        The value of ``rdi`` at the time of the call.
    """
    first_arg = ql.reg.rdi
    return first_arg
class Fake_cmdline(QlFsMappedObject):
    """Stand-in for ``/proc/self/cmdline`` that always reports ``qilinglab``.

    ``read`` ignores the requested size and returns the same bytes on every
    call (no end-of-file), so callers that loop until a short read would not
    terminate on their own.
    """

    def read(self, size):
        """Return the fixed command line, regardless of ``size``."""
        return b'qilinglab'

    def fstat(self):
        """Report ``fstat`` as failed (-1)."""
        return -1

    def close(self):
        """Accept ``close`` and report success (0)."""
        return 0
def patch_cpuid(ql):
    """Address hook for challenge 11: load three registers with fixed constants.

    Read as little-endian ASCII the three values spell ``QilingLab   ``
    across esi, ecx and eax. Presumably these are the values the binary
    compares after its ``cpuid`` — confirm against the disassembly.
    """
    constants = {
        "esi": 0x696C6951,  # "Qili"
        "ecx": 0x614C676E,  # "ngLa"
        "eax": 0x20202062,  # "b   "
    }
    for register, value in constants.items():
        setattr(ql.reg, register, value)
def solve(path,rootfs):
    """Emulate the QilingLab binary with every challenge patched, then run it.

    Args:
        path: argv list for the emulated program (binary first).
        rootfs: directory Qiling uses as the guest root filesystem.
    """
    ql = Qiling(path, rootfs, verbose=QL_VERBOSE.OFF)
    # Every hook_address() below uses an absolute address inside this base
    # (0x555555554000); they silently miss if the binary is loaded elsewhere.
    # NOTE(review): whether assigning ql.base pins the load base or merely
    # records it is not established here — confirm for this Qiling version.
    ql.base = 0x0000555555554000
    # Challenge 1: map the page containing 0x1337, then store 1337 there as a
    # little-endian 16-bit value.
    ql.mem.map(0x1337//4096*4096, 4096)
    ql.mem.write(0x1337, struct.pack("<H",1337))
    # Challenge 2: fixed uname fields (see patch_uname).
    ql.set_syscall("uname", patch_uname)
    # Challenge 3: make /dev/urandom and getrandom return the same bytes.
    ql.add_fs_mapper("/dev/urandom", Fake_urandom())
    ql.set_syscall("getrandom", patch_getrandom)
    # Challenge 4: force the local at [rbp-8] to 1.
    ql.hook_address(patch_challenge4, 0x0000555555554E40)
    # Challenge 5: force eax to 0 at the hooked instruction.
    ql.hook_address(patch_rand, 0x0000555555554E92)
    # Challenge 6: clear al to leave the loop.
    ql.hook_address(patch_infinity, 0x0000555555554F16)
    # Challenge 7: zero sleep's first argument.
    ql.set_api("sleep", patch_sleep)
    # Challenge 8: write through the pointer at offset 0x10 of the struct in rax.
    ql.hook_address(write_data_struct, 0x0000555555554FB5)
    # Challenge 9: make tolower an identity function.
    ql.set_api("tolower", patch_tolower)
    # Challenge 10: fixed /proc/self/cmdline contents.
    ql.add_fs_mapper("/proc/self/cmdline", Fake_cmdline())
    # Challenge 11: fixed register values after cpuid.
    ql.hook_address(patch_cpuid, 0x0000555555555195)
    # Opt-in: attach Qiling's debugger before running.
    # ql.debugger = True
    ql.run()
if __name__ == "__main__":
    # argv for the emulated program is just the binary name.
    solve([binary], rootfs=rootfs)