This is my solution to QilingLabs by thezero from ShielderSec.
# This is my solution to the QilingLabs by thezero
# from ShielderSec
# Link: https://www.shielder.it/blog/2021/07/qilinglab-release/
from qiling import * | |
from qiling.os.mapper import QlFsMappedObject | |
from qiling.const import QL_VERBOSE | |
import struct | |
# Host-side paths used by the emulator.  `rootfs` is the directory Qiling
# presents to the guest as "/", `binary` the challenge executable.  `binary`
# is a relative path, so it is presumably resolved against the current
# working directory — confirm, or make it absolute.
rootfs = "/mnt/d/rootfs-master/x8664_linux"
binary = "qilinglab-x86_64"
def patch_uname(ql, name, *args, **kw):
    """Syscall hook for uname(2): fill the guest's utsname with fixed strings.

    `name` is the guest pointer Qiling hands the hook for the `struct utsname`
    argument.  Six 65-byte NUL-padded slots are written back to back (the
    field order matches Linux's sysname/nodename/release/version/machine/
    domainname layout), so the guest sees "QilingOS", "99.0-RELEASE", … in
    place of the host's values.  Extra positional/keyword args from the
    dispatcher are ignored.

    Returns 0, which Qiling reports to the guest as the syscall result.
    """
    fields = (
        b'QilingOS',        # sysname
        b'ql_vm',           # nodename
        b'99.0-RELEASE',    # release
        b'ChallengeStart',  # version
        b'ql_processor',    # machine
        b'',                # domainname (left empty)
    )
    utsname = b''.join(field.ljust(65, b'\x00') for field in fields)
    ql.mem.write(name, utsname)
    return 0
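def patch_getrandom(ql, buf, buflen, *args, **kw):
    """Syscall hook for getrandom(2) that returns deterministic bytes.

    Fills the guest buffer at `buf` with `buflen` bytes of 0x01 — the same
    value Fake_urandom serves for a 32-byte read — so the challenge's
    comparison of /dev/urandom output against getrandom() succeeds.  The
    write is sized by `buflen` rather than a fixed 32 so the hook cannot
    clobber guest memory past the caller's buffer when a shorter length
    is requested (for the challenge's 32-byte request the result is the
    same as before).

    Returns the number of bytes written, or -1 if the guest write fails
    (e.g. `buf` is not mapped).  Extra dispatcher args are ignored.
    """
    data = b'\x01' * buflen
    try:
        ql.mem.write(buf, data)
    except Exception:
        # Best-effort like the original: report failure to the guest
        # instead of aborting the emulation.
        return -1
    return len(data)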
class Fake_urandom(QlFsMappedObject):
    """Stand-in for /dev/urandom, mapped into the guest via add_fs_mapper.

    A 32-byte read is served as 0x01 * 32 (the same bytes patch_getrandom
    writes); any other size gets a single 0x02 byte — presumably so a
    follow-up short read differs from the first block, as the challenge
    expects.
    """

    _BLOCK = b"\x01" * 32
    _OTHER = b"\x02"

    def read(self, size):
        """Return fixed bytes; only a request of exactly 32 gets the block."""
        return self._BLOCK if size == 32 else self._OTHER

    def fstat(self):
        """No metadata is provided for the fake device."""
        return -1

    def close(self):
        """Closing always succeeds."""
        return 0
def patch_challenge4(ql):
    """Address hook: set the stack byte at [rbp-8] to 1.

    Registered in solve() at a fixed address; when execution reaches it the
    local the guest checks there is forced to 1 so the check passes.
    """
    flag_addr = ql.reg.rbp - 0x8
    ql.mem.write(flag_addr, b'\x01')
def patch_rand(ql):
    """Address hook: force eax to 0 (presumably the rand() result the guest
    is about to test — confirm against the binary)."""
    setattr(ql.reg, "eax", 0)
def patch_infinity(ql):
    """Address hook: zero the low byte al at the hooked address (presumably
    the condition of the challenge's infinite loop — confirm)."""
    setattr(ql.reg, "al", 0)
def patch_sleep(ql):
    """API hook for sleep(): zero rdi, the first integer argument on x86-64
    SysV, so the requested delay becomes 0."""
    setattr(ql.reg, "rdi", 0)
def write_data_struct(ql):
    """Address hook: follow the pointer at offset 0x10 of the 24-byte record
    rax points to and set the byte it references to 1."""
    record = ql.mem.read(ql.reg.rax, 24)
    (pointer,) = struct.unpack("<Q", record[0x10:])
    ql.mem.write(pointer, b'\x01')
def patch_tolower(ql):
    """API hook for tolower(): hand back the first argument (rdi) unchanged,
    i.e. a tolower that never lowercases.  The value returned here is
    presumably what Qiling gives the guest as the call's result."""
    first_arg = ql.reg.rdi
    return first_arg
class Fake_cmdline(QlFsMappedObject):
    """Stand-in for /proc/self/cmdline, mapped into the guest.

    Every read() hands back the literal b'qilinglab' regardless of the
    requested size, and never b'' (EOF) — fine for the challenge, which is
    presumably a single read, but a reader that loops until EOF would not
    terminate.
    """

    _CMDLINE = b'qilinglab'

    def read(self, size):
        """Return the fixed command line; `size` is ignored."""
        return self._CMDLINE

    def fstat(self):
        """No metadata is provided for the fake file."""
        return -1

    def close(self):
        """Closing always succeeds."""
        return 0
def patch_cpuid(ql):
    """Address hook: load esi/ecx/eax with the little-endian ASCII words
    "Qili", "ngLa", "b   " (0x696C6951, 0x614C676E, 0x20202062), so the
    registers spell "QilingLab   " — presumably where the guest expects a
    cpuid vendor string, judging by the name."""
    ql.reg.esi = int.from_bytes(b"Qili", "little")  # 0x696C6951
    ql.reg.ecx = int.from_bytes(b"ngLa", "little")  # 0x614C676E
    ql.reg.eax = int.from_bytes(b"b   ", "little")  # 0x20202062
def solve(path,rootfs):
    """Emulate the QilingLab binary with every challenge patched.

    `path` is the argv list handed to Qiling (binary first) and `rootfs`
    the host directory used as the guest's "/".  Note the parameter shadows
    the module-level `rootfs` constant, which the caller passes in.

    Each "Challenge N" section installs one fix-up: a guest memory write,
    a syscall/API replacement, a fake file mapped into the guest, or an
    address hook that patches registers/memory when execution reaches a
    hard-coded address.  Those hook addresses are absolute and only line
    up with the binary when it is loaded at the base set below, so they
    must be revisited if the binary or the load address changes.
    """
    ql = Qiling(path, rootfs, verbose=QL_VERBOSE.OFF)
    # Load base the hard-coded hook addresses below were taken against
    # (presumably Qiling's default PIE base on x86-64 — confirm).
    ql.base = 0x0000555555554000
    # Challenge 1
    # Map the page containing 0x1337 and store 1337 there as a little-endian u16.
    ql.mem.map(0x1337//4096*4096, 4096)
    ql.mem.write(0x1337, struct.pack("<H",1337))
    # Challenge 2
    # Replace the uname syscall so the guest sees the fixed utsname strings.
    ql.set_syscall("uname", patch_uname)
    # Challenge 3
    # Serve deterministic bytes both from /dev/urandom and from getrandom(2).
    ql.add_fs_mapper("/dev/urandom", Fake_urandom())
    ql.set_syscall("getrandom", patch_getrandom)
    # Challenge 4
    # At this address the local at [rbp-8] is forced to 1.
    ql.hook_address(patch_challenge4, 0x0000555555554E40)
    # Challenge 5
    # At this address eax is forced to 0.
    ql.hook_address(patch_rand, 0x0000555555554E92)
    # Challenge 6
    # At this address al is forced to 0.
    ql.hook_address(patch_infinity, 0x0000555555554F16)
    # Challenge 7
    # Intercept sleep(): its first argument (rdi) is zeroed.
    ql.set_api("sleep", patch_sleep)
    # Challenge 8
    # At this address the record rax points to is followed and a byte set to 1.
    ql.hook_address(write_data_struct, 0x0000555555554FB5)
    # Challenge 9
    # Intercept tolower(): it returns its argument unchanged.
    ql.set_api("tolower", patch_tolower)
    # Challenge 10
    # /proc/self/cmdline reads as b'qilinglab'.
    ql.add_fs_mapper("/proc/self/cmdline", Fake_cmdline())
    # Challenge 11
    # At this address esi/ecx/eax are loaded with "QilingLab   ".
    ql.hook_address(patch_cpuid, 0x0000555555555195)
    # Uncomment to attach Qiling's debugger before running.
    # ql.debugger = True
    ql.run()
if __name__ == "__main__":
    # argv is passed as a list; `binary` is relative, so it is presumably
    # resolved against the current working directory — run from the
    # directory that holds it, or make the path absolute.
    solve([binary], rootfs)