/*

  HTML manglizer
  --------------
  Copyright (C) 2004 by Michal Zalewski <lcamtuf@coredump.cx>

  Fault reproduction utility.

*/
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#include "tags.h"
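/* Pseudo-random integer in [0, x). Modulo bias is accepted: the only goal is
   that a given srand() seed reproduces the same document byte for byte. */
#define R(x) (rand() % (x))

/* Size limits for the generated document. Kept as an enum rather than
   #defines so they are typed, scoped and visible in a debugger. */
enum {
  MAXTCOUNT = 100,  /* most tags emitted per document (1..MAXTCOUNT) */
  MAXPCOUNT = 20,   /* most attributes emitted per tag (1..MAXPCOUNT) */
  MAXSTR2   = 80    /* bound for the long raw-byte run: up to 1 + 79*79 bytes */
};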
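/*
 * Emit one pseudo-random attribute value to stdout.
 *
 * With probability 1/2 the value is wrapped in double quotes. The body is one
 * of: a URL-scheme prefix followed by a nested value, a frame/target name, an
 * '&'...';' wrapper around a nested value, two nested values back to back, a
 * run of one repeated raw byte (cases 12-20), a few fixed strings, or a
 * signed decimal number. Each call spawns fewer than one nested call on
 * average, so the recursion terminates.
 *
 * Every random draw comes from rand() in a fixed order, so a given srand()
 * seed reproduces the same bytes. Any change here must keep the number and
 * order of R()/rand() calls per case, or old seeds stop reproducing.
 */
void make_up_value(void) {
  int quoted = R(2);

  if (quoted) putchar('"');

  switch (R(31)) {

    case 0: printf("javascript:"); make_up_value(); break;
    /* case 1 ("jar:" prefix) is intentionally disabled; it falls to default. */
    case 2: printf("mk:"); make_up_value(); break;
    case 3: printf("file:"); make_up_value(); break;
    case 4: printf("http:"); make_up_value(); break;
    case 5: printf("about:"); make_up_value(); break;
    case 6: printf("_blank"); break;
    case 7: printf("_self"); break;
    case 8: printf("top"); break;
    case 9: printf("left"); break;
    case 10: putchar('&'); make_up_value(); putchar(';'); break;
    case 11: make_up_value(); make_up_value(); break;

    case 12: case 13: case 14: case 15: case 16: case 17: case 18: case 19: case 20: {
        /* Usually a short run of 0-9 bytes; one time in ten a long one of
           up to 1 + (MAXSTR2-1)^2 bytes. */
        int len = R(10) ? R(10) : (1 + R(MAXSTR2) * R(MAXSTR2));
        /* The fill byte is drawn before any output so the rand() sequence
           matches the original malloc/memset/fwrite form, including for
           len == 0. Writing byte by byte removes the unchecked heap
           allocation (and the malloc(0) case) of that form. */
        int fill = R(256);
        for (int i = 0; i < len; i++) putchar(fill);
        break;
      }

    /* Written as data through fputs; this literal is never a format string. */
    case 21: fputs("%n%n%n%n%n%n", stdout); break;
    case 22: putchar('#'); break;
    case 23: putchar('*'); break;
    default:
      if (R(2)) putchar('-');
      printf("%d", rand());
      break;

  }

  if (quoted) putchar('"');
}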
/* Write one separator character (' ' before an attribute name, '=' before a
   value) with the generator's usual corruption: one time in 32 a random raw
   byte is written instead, and one time in 32 nothing at all. */
static void emit_separator(int sep) {
  int roll = R(32);
  if (roll == 0) {
    putchar(R(256));
  } else if (roll != 1) {
    putchar(sep);
  }
}

/*
 * Emit one pseudo-random tag to stdout: '<', an optional random byte or '/',
 * a tag name, 1..MAXPCOUNT "name=value" attributes and '>'.
 *
 * tags[][] comes from tags.h; from its use here slot 0 looks like the tag
 * name and slots 1..MAXPARS-1 its attribute names, with empty slots skipped.
 * NOTE(review): both selection loops spin until they hit a non-empty slot, so
 * they assume every table row has a name and at least one attribute — confirm
 * against tags.h.
 *
 * All randomness comes from rand() in a fixed order, so a seed reproduces the
 * same tag; a value is produced by make_up_value() after each attribute.
 */
void random_tag(void) {
  int tag;
  do {
    tag = R(MAXTAGS);
  } while (!tags[tag][0]);

  int nattrs = R(MAXPCOUNT) + 1;

  putchar('<');

  /* 1/10: a random byte after '<'; 1/10: a closing tag; otherwise nothing. */
  int opener = R(10);
  if (opener == 0) {
    putchar(R(256));
  } else if (opener == 1) {
    putchar('/');
  }

  fputs(tags[tag][0], stdout);

  for (int i = 0; i < nattrs; i++) {
    emit_separator(' ');

    int par;
    do {
      par = R(MAXPARS - 1) + 1;
    } while (!tags[tag][par]);
    fputs(tags[tag][par], stdout);

    emit_separator('=');
    make_up_value();
  }

  putchar('>');
}
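/* Parse a hexadecimal seed from s (optional "0x" prefix; leading whitespace
   and trailing text are tolerated, as with sscanf("%x")). Returns 1 and stores
   the value in *out on success; 0 when s is NULL, contains no hex digits, or
   does not fit in 32 bits. */
static int parse_seed(const char *s, unsigned *out) {
  if (!s) return 0;
  char *end = NULL;
  errno = 0;
  unsigned long v = strtoul(s, &end, 16);
  /* strtoul reports overflow through ERANGE, which the former sscanf("%x")
     into an int could not; the seed must match srand()'s unsigned int. */
  if (end == s || errno == ERANGE || v > UINT_MAX) return 0;
  *out = (unsigned)v;
  return 1;
}

/*
 * CGI entry point: regenerate the mangled document for one seed.
 *
 * The seed is read from the QUERY_STRING environment variable as hex. A
 * missing, unparsable or out-of-range seed yields a text/plain error and exit
 * status 1. Otherwise the HTTP headers and an HTML preamble that reloads this
 * script with the same seed are printed, rand() is seeded, and 1..MAXTCOUNT
 * random tags are written.
 *
 * The only part of the query string echoed back is the parsed seed, formatted
 * with "%08x", so untrusted input never reaches the output verbatim.
 *
 * argc/argv are unused: all input arrives through the CGI environment.
 */
int main(int argc, char** argv) {
  unsigned seed;

  (void)argc;
  (void)argv;

  if (!parse_seed(getenv("QUERY_STRING"), &seed)) {
    printf("Content-type: text/plain\n\nMissing or invalid parameter.\n");
    return 1;
  }

  printf("Content-Type: text/html;charset=utf-8\nRefresh: 0;URL=remangle.cgi?0x%08x\n\n", seed);
  printf("<HTML><HEAD><META HTTP-EQUIV=\"Refresh\" content=\"0;URL=remangle.cgi?0x%08x\">\n", seed);
  printf("<script language=\"javascript\">setTimeout('window.location=\"remangle.cgi?0x%08x\"', 1000);</script>\n", seed);

  srand(seed);

  int ntags = R(MAXTCOUNT) + 1;
  while (ntags--) random_tag();

  fflush(NULL);
  return 0;
}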