uglyform
A 2010 buffer-overflow proof of concept in C. It pops a GUI form instead of calc.exe to show, plainly, that the attacker's code is now running.
uglyform is a small C program from 2010. It is a proof of concept for a buffer overflow, and it has only one ambition, the ambition every exploitation writeup eventually has to satisfy: to show that the attacker’s code, not the program’s, is now running.
The convention for that proof is calc.exe. You overflow the buffer, you redirect execution, and a calculator appears: harmless, instantly recognizable, the universal “it worked” of exploitation. uglyform makes the same point with a different gesture. Instead of launching the calculator it opens a form. The README says exactly that: it “opens a form on a vulnerable buffer (instead of open calc.exe or others).” What it demonstrates is identical; what it shows is a little plainer: an ordinary window, the kind any program might draw, standing in for arbitrary code execution.
The repository is candid about being unfinished. Its own note reads: “Still missing ASM code for the shellcode, will publish it later.” Sixteen years on, later has not arrived. The assembly half of the proof of concept was never pushed. What remains is uglyform.c and a short README: four commits, no shellcode, a fragment.
It is kept here as part of the public record rather than as a finished artifact. Early proof-of-concept code is worth preserving even when it is incomplete. It dates the work, it shows the shape of the thinking, and an honest “this part was never published” tells a reader more than a tidy reconstruction would.
The source is on GitHub: github.com/dukptkey/uglyform.
dukpt (2026). "uglyform". newt lab research. https://newt-lab.com/en/research/uglyform/