OT: A self-extracting executable tiny ELF32 payload
2 views
Skip to first unread message
Roberto A. Foglietta
Jun 24, 2026, 4:57:13 AM (6 days ago) Jun 24
to isar-users
# uzpexec
https://github.com/robang74/gzcmd.sh/blob/main/README.md#uzpexec
> [!NOTE]
>
> Suggested file extension: **`.uzp`**
Utility for executing an ELF binary directly from stdin pipe:
- it runs binary via SSH/wget
- it runs gzip compressed binary
- it self-extract and execute
without writing it on the remote/local systems (memfd_create).
```sh
make clean tests
```
The [uzpexec](uzpexec.asm) (micro gzip pipe exec, written in
Assembler) replaces the previous `upexec` comparison which offers as
extra the integrated support for `gzip` inflate on the standard input
pipe. Pre-compiled v0.68 elf32 available
[here](https://github.com/robang74/working-in-progress/raw/refs/heads/main/uchaosys.qemu/uzpexec).
#### USAGE
- `{ cat uzpexec; gzip -7c $elf; } > $elf.uzp`
- `cp uzpexec $elf.uzp; gzip -c $elf >> $elf.uzp`
- `wget $url/$elf[.gz] -O- | uzpexec [args]`
It works as a single block 512-bytes self-inflating executable payload
replacing also `gzcmd.sh` with the sole requirement of `/bin/zcat`
available.
---
### Quick customisations
Quick customisations by `sed` and other stings-based editor is supported:
- `{ cat uzpexec | sed 's/zcat\x00/xzcat/'; xz -7c $elf; } > $elf.uxp`
Alternative to `zcat` are `xzcat` for XZ compression, or `lzcat` for LZMA.
The alternatives that are natively compatible with `-f -` are fully supported.
```
; =====================================================================
; COMPACT DATA SECTION (Appended to code)
; =====================================================================
copy_vers: db "(c) 2026 robang74 l.MIT v0.68 git.new/ttRvFBu", 0
; filename can be changed by sed up to 7 chars + ending \0
; zcat -f is cat when input isn't gzip, options up to -6c\0
; /bin/zcat can be changed by sed up to 31 chars + ending \0
; - for example: /usr/local/bin/xzcat is 20 chars + ending \0
; eof_strng helps to find the EOF, and where \0 padding starts
filename: db "uzpexec", 0
zcat_path: db "/bin/zcat", 0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0
force_arg: db "-f", 0,0, 0,0,0,0
dash_arg: db "-", 0,0,0, 0,0,0,0
eof_strng: db "elf_eof", 0
; =====================================================================
; PADDING: Aligned exactly to 512 bytes (as per skip request)
; =====================================================================
file_end: ; Physical end of the binary file!
times (512 - ($ - $$)) db 0 ; Padding to 512 bytes for skip=1
```
Since `zcat` is a shell script, it can be changed to pair the input
with the proper decompressing tool. While a tiny `xcat` binary in ASM
would be much faster in properly pairing the matches.
Best regards,
--
Roberto A. Foglietta
+49.176.274.75.661
+39.349.33.30.697
https://github.com/robang74/gzcmd.sh/blob/main/README.md#uzpexec
> [!NOTE]
>
> Suggested file extension: **`.uzp`**
Utility for executing an ELF binary directly from stdin pipe:
- it runs binary via SSH/wget
- it runs gzip compressed binary
- it self-extract and execute
without writing it on the remote/local systems (memfd_create).
```sh
make clean tests
```
The [uzpexec](uzpexec.asm) (micro gzip pipe exec, written in
Assembler) replaces the previous `upexec` comparison which offers as
extra the integrated support for `gzip` inflate on the standard input
pipe. Pre-compiled v0.68 elf32 available
[here](https://github.com/robang74/working-in-progress/raw/refs/heads/main/uchaosys.qemu/uzpexec).
#### USAGE
- `{ cat uzpexec; gzip -7c $elf; } > $elf.uzp`
- `cp uzpexec $elf.uzp; gzip -c $elf >> $elf.uzp`
- `wget $url/$elf[.gz] -O- | uzpexec [args]`
It works as a single block 512-bytes self-inflating executable payload
replacing also `gzcmd.sh` with the sole requirement of `/bin/zcat`
available.
---
### Quick customisations
Quick customisations by `sed` and other stings-based editor is supported:
- `{ cat uzpexec | sed 's/zcat\x00/xzcat/'; xz -7c $elf; } > $elf.uxp`
Alternative to `zcat` are `xzcat` for XZ compression, or `lzcat` for LZMA.
The alternatives that are natively compatible with `-f -` are fully supported.
```
; =====================================================================
; COMPACT DATA SECTION (Appended to code)
; =====================================================================
copy_vers: db "(c) 2026 robang74 l.MIT v0.68 git.new/ttRvFBu", 0
; filename can be changed by sed up to 7 chars + ending \0
; zcat -f is cat when input isn't gzip, options up to -6c\0
; /bin/zcat can be changed by sed up to 31 chars + ending \0
; - for example: /usr/local/bin/xzcat is 20 chars + ending \0
; eof_strng helps to find the EOF, and where \0 padding starts
filename: db "uzpexec", 0
zcat_path: db "/bin/zcat", 0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0
force_arg: db "-f", 0,0, 0,0,0,0
dash_arg: db "-", 0,0,0, 0,0,0,0
eof_strng: db "elf_eof", 0
; =====================================================================
; PADDING: Aligned exactly to 512 bytes (as per skip request)
; =====================================================================
file_end: ; Physical end of the binary file!
times (512 - ($ - $$)) db 0 ; Padding to 512 bytes for skip=1
```
Since `zcat` is a shell script, it can be changed to pair the input
with the proper decompressing tool. While a tiny `xcat` binary in ASM
would be much faster in properly pairing the matches.
Best regards,
--
Roberto A. Foglietta
+49.176.274.75.661
+39.349.33.30.697
Roberto A. Foglietta
Jun 29, 2026, 1:04:08 PM (13 hours ago) Jun 29
to isar-users
On Wed, 24 Jun 2026 at 10:56, Roberto A. Foglietta
<roberto....@gmail.com> wrote:
>
> # uzpexec
>
> https://github.com/robang74/gzcmd.sh/blob/main/README.md#uzpexec
uzpexec (512B) release v0.87 includes uzpack standalone (3KB) to
convert almost every binary and scripts, in an easy way.
The uzpexec (micro gzip pipe exec, written in Assembler, 512 bytes of
payload equivalent to a single dd standard I/O block) offers native
support for gzip self-inflate self-execution, running in RAM also when
started by the STDIN pipe. Pre-compiled ELF32 (for all x86) available
in releases. Development happens in 'devel' branch.
~> https://github.com/robang74/uzpexec
Project name changed but it is the same repository.
No more uzpexec notifications will be sent to this m-list.
For information or being kept informed write me in.
<roberto....@gmail.com> wrote:
>
> # uzpexec
>
> https://github.com/robang74/gzcmd.sh/blob/main/README.md#uzpexec
uzpexec (512B) release v0.87 includes uzpack standalone (3KB) to
convert almost every binary and scripts, in an easy way.
The uzpexec (micro gzip pipe exec, written in Assembler, 512 bytes of
payload equivalent to a single dd standard I/O block) offers native
support for gzip self-inflate self-execution, running in RAM also when
started by the STDIN pipe. Pre-compiled ELF32 (for all x86) available
in releases. Development happens in 'devel' branch.
~> https://github.com/robang74/uzpexec
Project name changed but it is the same repository.
No more uzpexec notifications will be sent to this m-list.
For information or being kept informed write me in.
Reply all
Reply to author
Forward
0 new messages