Documentation
Index
- Variables
- func P16(addr binutils.Addr) []byte
- func P32(addr binutils.Addr) []byte
- func P64(addr binutils.Addr) []byte
- func U16(data []byte) binutils.Addr
- func U32(data []byte) binutils.Addr
- func U64(data []byte) binutils.Addr
- type Builder
- func (pb *Builder) Addr(addr binutils.Addr)
- func (pb *Builder) Append(b []byte)
- func (pb *Builder) AppendByte(b uint8)
- func (pb *Builder) Build() []byte
- func (pb *Builder) Cap() int
- func (pb *Builder) Delimiter() byte
- func (pb *Builder) Fill(b byte, n int)
- func (pb *Builder) FmtReadRegister(register string)
- func (pb *Builder) FmtReadStack(stackAddr binutils.Addr, leakAddrs ...binutils.Addr)
- func (pb *Builder) Len() int
- func (pb *Builder) PadTo(b byte, n int) error
- func (pb *Builder) Reset()
Constants
This section is empty.
Variables
var (
ErrPayloadBiggerThenPaddingLength = errors.New("payload bigger then padding length")
)
Functions
func P16
P16 returns addr encoded as a little-endian uint16. The returned byte slice has a length of 2 bytes.
The function is used to encode addresses in payload messages.
func P32
P32 returns addr encoded as a little-endian uint32. The returned byte slice has a length of 4 bytes.
The function is used to encode addresses in payload messages.
func P64
P64 returns addr encoded as a little-endian uint64. The returned byte slice has a length of 8 bytes.
The function is used to encode addresses in payload messages.
func U16
U16 decodes data as a little-endian uint16. The function takes a byte slice of length 2 as input and returns the decoded value as a binutils.Addr.
The function is used to decode addresses in payload messages.
func U32
U32 decodes data as a little-endian uint32. The function takes a byte slice of length 4 as input and returns the decoded value as a binutils.Addr.
The function is used to decode addresses in payload messages.
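The P16/P32/P64 and U16/U32/U64 pairs above are fixed-width encode/decode helpers. The following is an added example, not code from this package: a width-parameterised Pack/Unpack pair built on encoding/binary that covers all three widths and both byte orders, and that makes the two silent failure modes explicit, a value that does not fit the requested width, and an input slice whose length is not exactly one address. The function names and error variables are assumptions for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrBadWidth is returned when the requested width is not 2, 4 or 8 bytes.
var ErrBadWidth = errors.New("unsupported address width")

// ErrBadLength is returned by Unpack when the input length is not exactly
// the width of one encoded address.
var ErrBadLength = errors.New("input length does not match an address width")

// Pack encodes addr into exactly width bytes (2, 4 or 8) using order.
// Values that do not fit in width bytes are rejected instead of being
// silently truncated, which a fixed-width helper would otherwise hide.
func Pack(addr uint64, width int, order binary.ByteOrder) ([]byte, error) {
	if width != 2 && width != 4 && width != 8 {
		return nil, ErrBadWidth
	}
	if width < 8 && addr>>(uint(width)*8) != 0 {
		return nil, fmt.Errorf("address %#x does not fit in %d bytes", addr, width)
	}
	out := make([]byte, width)
	switch width {
	case 2:
		order.PutUint16(out, uint16(addr))
	case 4:
		order.PutUint32(out, uint32(addr))
	default:
		order.PutUint64(out, addr)
	}
	return out, nil
}

// Unpack is the inverse of Pack: the slice must be exactly 2, 4 or 8 bytes long.
func Unpack(data []byte, order binary.ByteOrder) (uint64, error) {
	switch len(data) {
	case 2:
		return uint64(order.Uint16(data)), nil
	case 4:
		return uint64(order.Uint32(data)), nil
	case 8:
		return order.Uint64(data), nil
	default:
		return 0, ErrBadLength
	}
}

func main() {
	// Round-trip a constructed value through every supported width.
	for _, width := range []int{2, 4, 8} {
		b, err := Pack(0xbeef, width, binary.LittleEndian)
		if err != nil {
			fmt.Println("pack:", err)
			continue
		}
		v, err := Unpack(b, binary.LittleEndian)
		fmt.Printf("width %d: % x -> %#x (err=%v)\n", width, b, v, err)
	}
	// A value too large for the width is an error, not a truncated address.
	_, err := Pack(0xdeadbeef, 2, binary.LittleEndian)
	fmt.Println("0xdeadbeef into 2 bytes:", err)
}
```

The range check matters when code is compiled for a 32-bit target but fed 64-bit addresses from a leak: a silently truncated address produces a payload that fails in confusing ways, whereas an error points straight at the mismatch.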
Types
type Builder (added in v0.0.2)
type Builder struct {
// contains filtered or unexported fields
}
func NewBuilder (added in v0.0.2)
NewBuilder returns a new Builder for constructing payloads.
The builder is configured with the given CPU architecture and byte order and starts with an empty payload.
Example:
b := payload.NewBuilder(binutils.ArchAmd64, binary.LittleEndian) // 64-bit, little-endian addresses
b.Fill('A', 64)    // 64 bytes of 'A'
b.Addr(0xdeadbeef) // appended as 8 little-endian bytes on amd64
func (*Builder) Addr (added in v0.0.3)
Addr appends the encoded form of addr to the payload. The function uses the configured CPU architecture and byte order to encode the address.
The function is used to encode addresses in payload messages.
Example:
b := payload.NewBuilder(binutils.ArchAmd64, binary.LittleEndian)
b.Addr(0xdeadbeef)
The function appends the following byte sequences to the payload:
- For 64-bit architectures, 8 bytes (uint64 in little-endian byte order)
- For 32-bit architectures, 4 bytes (uint32 in little-endian byte order)
- For 16-bit architectures, 2 bytes (uint16 in little-endian byte order)
- For 8-bit architectures, 1 byte (uint8 in little-endian byte order)
func (*Builder) AppendByte (added in v0.0.2)
AppendByte appends a single byte (given as a uint8) to the payload.
func (*Builder) Delimiter (added in v0.0.3)
Delimiter returns the delimiter byte used in format string specifiers.
The delimiter is used to separate format specifiers from the payload. By default, the delimiter is '-' (hyphen).
func (*Builder) Fill (added in v0.0.2)
Fill appends n bytes of value b to the payload. For example, to append 10 bytes of value 0x00, call pb.Fill(0x00, 10).
func (*Builder) FmtReadRegister (added in v0.0.3)
FmtReadRegister appends a format string payload fragment that leaks the value of a CPU register via a format string vulnerability.
The register must be one of the integer/pointer argument registers defined by the System V AMD64 ABI calling convention.
Supported registers (including aliases):
- rdi, edi, di, dil — 1st argument (%1$p)
- rsi, esi, si, sil — 2nd argument (%2$p)
- rdx, edx, dx, dl — 3rd argument (%3$p)
- rcx, ecx, cx, cl — 4th argument (%4$p)
- r8, r8d, r8w, r8b — 5th argument (%5$p)
- r9, r9d, r9w, r9b — 6th argument (%6$p)
The appended bytes correspond to positional format specifiers (e.g. "%1$p") and are intended for use in exploitation scenarios where a variadic function such as printf is called without proper format string validation.
If an unsupported register name is provided, FmtReadRegister panics.
The function supports only the i386 and amd64 architectures.
func (*Builder) FmtReadStack (added in v0.0.3)
FmtReadStack appends parts of a payload that use a format string vulnerability to leak values from the stack.
stackAddr is the base address of the stack frame (typically the value of RSP/ESP at the moment of the vulnerable printf call).
leakAddrs are absolute addresses located on the stack whose values should be leaked. For each address, the function calculates its positional argument index relative to stackAddr and appends a corresponding "%<n>$p" format specifier.
The argument index is computed as:
(leakAddr - stackAddr) / (architecture bitness / 8)
For amd64, the first six arguments are passed via registers (rdi, rsi, rdx, rcx, r8, r9) according to the System V ABI, so the index is additionally shifted by 6.
Supported architectures:
- i386
- amd64
The function panics if called on an unsupported architecture.
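FmtReadRegister and FmtReadStack both emit positional conversion directives ("%1$p", "%<n>$p") that only do anything when an application passes attacker-controlled text straight to a variadic formatting function. The added example below is not part of this package; it is the detection side of the same pattern: a scanner that extracts C printf-style directives from untrusted input and flags inputs that contain any, with the positional index recovered so a rule can see the "%7$p.%8$p" shape this builder produces. The sample inputs are constructed, and are assumed to be already URL-decoded (scanning encoded text such as "%20final" gives false matches, so decode first).

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// directive matches one C printf-style conversion: '%', an optional
// positional index "n$", optional flags/width/precision/length modifiers and
// a conversion character. "%%" (a literal percent) is stripped before scanning.
var directive = regexp.MustCompile(`%(?:[1-9][0-9]*\$)?[-+ #0]*(?:\*|[0-9]+)?(?:\.(?:\*|[0-9]+))?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn]`)

// positional captures the explicit argument index of "%3$p"-style directives.
var positional = regexp.MustCompile(`^%([1-9][0-9]*)\$`)

// Finding describes one directive found in untrusted text.
type Finding struct {
	Directive string // the full directive, e.g. "%2$p"
	Index     int    // positional argument index, 0 when not positional
}

// ScanFormatDirectives returns every conversion directive in s. A non-empty
// result for a string that is about to be used as a format argument, rather
// than as data, is the condition a detection rule should alert on.
func ScanFormatDirectives(s string) []Finding {
	var out []Finding
	for _, m := range directive.FindAllString(strings.ReplaceAll(s, "%%", ""), -1) {
		f := Finding{Directive: m}
		if p := positional.FindStringSubmatch(m); p != nil {
			f.Index, _ = strconv.Atoi(p[1])
		}
		out = append(out, f)
	}
	return out
}

// SuspiciousInputs returns the inputs that contain at least one directive.
func SuspiciousInputs(inputs []string) []string {
	var flagged []string
	for _, in := range inputs {
		if len(ScanFormatDirectives(in)) > 0 {
			flagged = append(flagged, in)
		}
	}
	return flagged
}

// sampleInputs are constructed query-parameter values as an application
// would see them after URL decoding.
var sampleInputs = []string{
	"widgets",        // benign
	"100%% natural",  // escaped percent, benign
	"%7$p.%8$p.%9$p", // positional pointer directives, the FmtReadStack shape
	"%p %p %p %p",    // non-positional directives, still a format string probe
	"discount 20%",   // trailing lone percent, not a directive
}

func main() {
	for _, in := range sampleInputs {
		fmt.Printf("%-16q -> %v\n", in, ScanFormatDirectives(in))
	}
	fmt.Println("flagged:", SuspiciousInputs(sampleInputs))
}
```

The mitigation the scanner points at is the usual one: never pass untrusted text as the format argument; pass it as data ("%s") so directives inside it are printed literally, and treat any flagged input reaching a logging or formatting call as a finding worth an alert.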
func (*Builder) PadTo (added in v0.0.3)
PadTo appends byte b to the payload until it reaches a length of n. If the payload is already longer than n, it returns an error (ErrPayloadBiggerThenPaddingLength). For example, to pad the payload with 0x00 until it is 64 bytes long, call pb.PadTo(0x00, 64).
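The Builder methods documented above (Fill, AppendByte, Addr, PadTo, Len, Build, Reset) are simple enough that their semantics are best seen in a minimal re-implementation. The following is an added example, not the package's own code: a stand-in Builder parameterised by address width in bits and a binary.ByteOrder, showing that Addr emits 1/2/4/8 bytes by architecture and that PadTo refuses to shrink a payload rather than truncating it. The type, its constructor argument (bits instead of a binutils.Arch value) and the error variable are assumptions for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrTooLong plays the role of the page's ErrPayloadBiggerThenPaddingLength:
// PadTo never shortens a payload that already exceeds the target length.
var ErrTooLong = errors.New("payload longer than requested padding length")

// Builder is a byte buffer plus the address width (in bits) and byte order
// that every Addr call uses.
type Builder struct {
	bits  int
	order binary.ByteOrder
	buf   []byte
}

func NewBuilder(bits int, order binary.ByteOrder) *Builder {
	return &Builder{bits: bits, order: order}
}

// Fill appends n copies of v.
func (b *Builder) Fill(v byte, n int) {
	for i := 0; i < n; i++ {
		b.buf = append(b.buf, v)
	}
}

func (b *Builder) AppendByte(v byte) { b.buf = append(b.buf, v) }

// Addr appends addr at the configured width: 1, 2, 4 or 8 bytes for
// 8-, 16-, 32- and 64-bit targets, in the configured byte order.
func (b *Builder) Addr(addr uint64) {
	var tmp [8]byte
	width := b.bits / 8
	switch width {
	case 1:
		tmp[0] = byte(addr)
	case 2:
		b.order.PutUint16(tmp[:2], uint16(addr))
	case 4:
		b.order.PutUint32(tmp[:4], uint32(addr))
	default:
		width = 8
		b.order.PutUint64(tmp[:], addr)
	}
	b.buf = append(b.buf, tmp[:width]...)
}

// PadTo extends the payload with v until it is exactly n bytes long. A
// payload that is already longer is reported as an error, not truncated.
func (b *Builder) PadTo(v byte, n int) error {
	if len(b.buf) > n {
		return ErrTooLong
	}
	b.Fill(v, n-len(b.buf))
	return nil
}

func (b *Builder) Len() int { return len(b.buf) }

// Build returns a copy so later appends cannot alias a payload already handed out.
func (b *Builder) Build() []byte {
	out := make([]byte, len(b.buf))
	copy(out, b.buf)
	return out
}

func (b *Builder) Reset() { b.buf = b.buf[:0] }

func main() {
	b := NewBuilder(32, binary.LittleEndian)
	b.Fill('A', 4)          // constructed filler
	b.Addr(0x11223344)      // 4 little-endian bytes on a 32-bit target
	fmt.Printf("% x\n", b.Build())
	fmt.Println("pad to 12:", b.PadTo(0, 12), "len", b.Len())
	fmt.Println("pad to 4: ", b.PadTo(0, 4)) // already longer: error
}
```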