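#!/usr/bin/perl
# ezboard-fix.pl
#
# EasyBoard 2000 Buffer Overflow Vulnerability Fix for x86 Linux version
#
# Run this program in the directory where ezboard.cgi exists.
#
# Programmed by Jin Ho You, jhyou@chonnam.chonnam.ac.kr, 2002/02/11
#
# How the fix works, for each CGI binary:
#   1. Find the file offset of the unbounded format string "--%s".
#   2. Convert that offset to a load address using the VMA and file offset
#      that `objdump -h` reports for the rodata section.
#   3. Find the 4-byte little-endian copy of that address in the file (the
#      operand of the instruction that passes the format string).
#   4. Write the bounded format "--%.200s" 17 bytes after the original
#      string and repoint the operand at it, so the copied field is capped
#      at 200 characters.
#
# The binaries are patched in place. Keep a copy of the originals somewhere
# that is NOT served by the web server (a backup left in the CGI directory
# would keep the unpatched binary reachable), and test the board afterwards.

use strict;
use warnings;
use Fcntl qw(:seek);    # SEEK_SET; the bareword only worked by numifying to 0

my $OLD_FORMAT   = '--%s';        # unbounded format string in the binary
my $NEW_FORMAT   = '--%.200s';    # bounded replacement
my $PATCH_OFFSET = 17;            # new string goes this far past the old one

LOOP:
for my $cgi_file ('ezboard.cgi', 'ezadmin.cgi', 'ezman.cgi') {
    if (!-e $cgi_file) {
        print "$cgi_file does not exist.\n";
        next LOOP;
    }

    # Read the binary directly (no `cat` subshell) and in binary mode.
    my $cgi_content = '';
    if (open(my $in, '<', $cgi_file)) {
        binmode($in);
        local $/;
        my $data = <$in>;
        $cgi_content = $data if defined $data;
        close($in);
    }
    else {
        print "cannot read $cgi_file: $!\n";
        next LOOP;
    }

    if (index($cgi_content, 'EasyBoard 2000') == -1
        || index($cgi_content, 'ld-linux.so') == -1)
    {
        print "$cgi_file is not EasyBoard 2000 for x86 Linux.\n";
        next LOOP;
    }

    # List-form pipe open: no shell is involved. The first output line that
    # mentions "rodata" is used, as `grep rodata` did in the original.
    # Fields of that line: idx name size VMA LMA file-offset alignment.
    my @obj_header;
    if (open(my $objdump, '-|', 'objdump', '-h', $cgi_file)) {
        while (my $line = <$objdump>) {
            next if @obj_header || $line !~ /rodata/;
            @obj_header = split(' ', $line);
        }
        close($objdump);
    }
    if (   @obj_header < 6
        || $obj_header[3] !~ /\A[0-9a-fA-F]+\z/
        || $obj_header[5] !~ /\A[0-9a-fA-F]+\z/)
    {
        # Without this check a missing objdump silently yields address 0
        # and the file is then misreported as already fixed.
        print "$cgi_file: cannot read the rodata section header with objdump.\n";
        next LOOP;
    }
    my $moff_section = hex($obj_header[3]);    # section load address (VMA)
    my $foff_section = hex($obj_header[5]);    # section offset in the file

    my $foff_fmtstr = index($cgi_content, $OLD_FORMAT);
    if ($foff_fmtstr == -1) {
        print "$cgi_file: format string '$OLD_FORMAT' not found.\n";
        next LOOP;
    }
    my $moff_fmtstr = $moff_section + $foff_fmtstr - $foff_section;

    # NOTE(review): index() returns the first occurrence of these four bytes
    # anywhere in the file; it is assumed to be the operand that references
    # the format string, and only that one occurrence is repointed.
    my $foff_push = index($cgi_content, pack('V', $moff_fmtstr));
    if ($foff_push == -1) {
        print "$cgi_file is already fixed!\n";
        next LOOP;
    }

    # Never write past the end of the file (that would grow the binary).
    if ($foff_fmtstr + $PATCH_OFFSET + length($NEW_FORMAT) > length($cgi_content)) {
        print "$cgi_file: no room for the replacement format string.\n";
        next LOOP;
    }

    printf "%s: '--%%s' = 0x%08x, push '--%%s' = 0x%08x\n",
        $cgi_file, $foff_fmtstr, $foff_push;

    open(my $cgi, '+<', $cgi_file) or die "cannot open $cgi_file: $!";
    binmode($cgi);

    # Write the new string first and repoint the operand second, so an
    # interrupted run leaves the operand on the still-intact old string.
    # NOTE(review): no terminating NUL is written; the byte that follows the
    # new string is assumed to be zero already. Confirm on the target binary.
    seek($cgi, $foff_fmtstr + $PATCH_OFFSET, SEEK_SET)
        or die "cannot seek in $cgi_file: $!";
    print {$cgi} $NEW_FORMAT
        or die "cannot write to $cgi_file: $!";

    seek($cgi, $foff_push, SEEK_SET)
        or die "cannot seek in $cgi_file: $!";
    print {$cgi} pack('V', $moff_fmtstr + $PATCH_OFFSET)
        or die "cannot write to $cgi_file: $!";

    # Buffered write errors surface at close.
    close($cgi) or die "cannot close $cgi_file: $!";
}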