Alternating Payload, Automated offset calculation/ID during Buffer Overflow Analysis
I designed this during my activity analyzing exploiting a sensitive buffer overflow on the SPARC architecture. It suits my needs, and I like publicizing to my blog posts. It makes backup of my data and knowledge base. So I like it. This will work on x86 too I think but I didn’t test it.
to view the raw hex output I do the following on the SPARC machine:
$ ./alternating_payload2 108 | od -A x -X 000000 01414141 01424242 01434343 01444444 000010 01454545 01464646 01474747 01484848 000020 01494949 014a4a4a 014b4b4b 014c4c4c 000030 014d4d4d 014e4e4e 014f4f4f 01505050 000040 01515151 01525252 01535353 01545454 000050 01555555 01565656 01575757 01585858 000060 01595959 015a5a5a 02414141 00006c bazz@blade72[pts/3][~/tools/tmp/latest]
the -A specifies the addressing offsets to be in hex vs. the default octal. -X does 4-byte long hex sections.
alternating_payload.c
#include <stdio.h> #include <stdlib.h> // SPARC uses sys/inttypes.h #ifdef __sun #include <sys/inttypes.h> #else #include <stdint.h> #endif // this form provides buffer experimentation foundation // buffer will be created up to numbytes desired, but < MAX, specified // on the command line argument // form: 0x[01-ff][41-5a][41-5a][41-5a] // 0x41-0x5a range is chars 'A' to 'Z' // An extended range < 'A' to > 'Z' could modify this program to extend //the MAX length of the buffer #define CHAR_RANGE (('Z'-'A')+1) // 'Z' - 'A' is 25, but we know // there are 26 letters in the alphabet. I call this inclusive subtraction, // when I add 1 to get the real desired value. There is also inclusive // addition I think. I'm using terms I created. // little proof program to figure this out /* #include <stdio.h> // Conclusion: Inclusive Subtraction requires add 1 int main() { printf("Derp Face, I'm ready :) \n"); printf("'Z' - 'A' = %d", ('Z'-'A')+1); return 0; } */ #define MAX (CHAR_RANGE * 255 * 4) // Arbitrary MAX that is derived from the following formula: // 26a * 255b * 4c // a [letters of the alphabet] // b [ byte field width excluding 0 (null byte)] // c [ 4 bytes per entry ie. 0x01414141 ] #define RANGE (26*4) // does the following operation to get the offset: // [(msb - 1) * 26] + (lsb - 0x41) unsigned long getSmashOffset(const unsigned long *smashval) { uint8_t msb,lsb; msb = ( *smashval >> 24 ) & 0xff; lsb = *smashval & 0xff; msb--; msb *= 26; lsb -= 0x41; return msb+lsb; } int main(int argc, char **argv) { char a=0x41; char c=1; int i, rc=0; if (argc != 2) { printf ("You're doing it wrong! \n"); printf ("Usage: %s [numbytes <= %d]|[smashed-stack-val]\n", argv[0], MAX); exit (1); } unsigned long arg, numbytes,smashval; arg = numbytes = strtoul( argv[1], (void *)0, 0 ); if (arg > MAX) { if (arg < 0x01414141) { printf ("You can't have an overflow amount > %d\n", MAX); exit(2); } else { printf ("%lu\n", getSmashOffset(&arg)); return 0; } } for (i=0; i < numbytes; i+= 4) { // if (!rc) printf("%c%c%c%c",c,a,a,a); // else printf("%c%c%c%c", a,a,a,a); a ++; if (a == 'Z'+1) a = 0x41; rc += 4; if (rc == RANGE) { rc=0; c++; if (!c) c++; } } return 0; }
Nice analysis whether this formula to create software ??