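/*

   HTML manglizer
   --------------
   Copyright (C) 2004 by Michal Zalewski <lcamtuf@coredump.cx>

   HTML manglizer library. Logs random seeds to error-log; find the last entry before
   crash, then pass it to remangle.cgi to reproduce the problem.

 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#include "tags.h"

/*
 * Pseudo-random integer in [0, x).
 *
 * Everything this program emits is derived from the rand() stream seeded in
 * main(), and the logged seed is only useful for reproduction if the number
 * and order of R()/rand() calls never changes. Keep that in mind before
 * reordering or short-circuiting any call below.
 */
#define R(x) (rand() % (x))

#define MAXTCOUNT 100
#define MAXPCOUNT 20
#define MAXSTR2 80

/* Upper bound (including the terminator) for one client-supplied log field. */
enum { LOG_FIELD_MAX = 256 };

/*
 * Copy src into dst for use in a log line.
 *
 * Control bytes (below 0x20, and 0x7f) are replaced with '?' so that a
 * client-controlled value cannot inject line breaks or terminal escape
 * sequences into the error log. A NULL src is rendered as "(null)" instead
 * of being handed to a "%s" conversion, which would be undefined behaviour.
 * The result is truncated to dst_size - 1 bytes and always NUL-terminated.
 */
static void sanitize_log_field(char *dst, size_t dst_size, const char *src) {
  size_t i = 0;

  if (dst_size == 0) {
    return;
  }
  if (src == NULL) {
    src = "(null)";
  }

  for (; src[i] != '\0' && i + 1 < dst_size; i++) {
    unsigned char ch = (unsigned char)src[i];
    dst[i] = (ch < 0x20 || ch == 0x7f) ? '?' : (char)ch;
  }
  dst[i] = '\0';
}

/*
 * Write one randomly chosen attribute value to stdout.
 *
 * The value is wrapped in double quotes half of the time. Several cases
 * recurse to build compound values (a scheme prefix followed by another
 * value, an entity-like "&...;" wrapper, or two values back to back).
 */
void make_up_value(void) {
  int quoted = R(2);

  if (quoted) {
    putchar('"');
  }

  switch (R(31)) {

    case 0: printf("javascript:"); make_up_value(); break;
    /* case 1 ("jar:") is disabled in the original, so 1 takes the default branch. */
    // case 1: printf("jar:"); make_up_value(); break;
    case 2: printf("mk:"); make_up_value(); break;
    case 3: printf("file:"); make_up_value(); break;
    case 4: printf("http:"); make_up_value(); break;
    case 5: printf("about:"); make_up_value(); break;
    case 6: printf("_blank"); break;
    case 7: printf("_self"); break;
    case 8: printf("top"); break;
    case 9: printf("left"); break;
    case 10: putchar('&'); make_up_value(); putchar(';'); break;
    case 11: make_up_value(); make_up_value(); break;

    /* Case ranges are a GNU C extension. */
    case 12 ... 20: {
      /* A run of one repeated byte: 0-9 bytes, or 1 + R(MAXSTR2) * R(MAXSTR2) bytes. */
      size_t len = R(10) ? (size_t)R(10) : (size_t)(1 + R(MAXSTR2) * R(MAXSTR2));
      /* Drawn unconditionally so the rand() sequence stays reproducible
         from the seed even when nothing is written. */
      int fill = R(256);

      /* A zero length writes nothing; skipping it avoids malloc(0) and a
         memset() on a possibly NULL pointer. */
      if (len > 0) {
        char *x = malloc(len);
        /* On allocation failure the run is skipped rather than writing
           through a NULL pointer. */
        if (x != NULL) {
          memset(x, fill, len);
          fwrite(x, len, 1, stdout);
          free(x);
        }
      }
      break;
    }

    /* Format specifiers are emitted as literal output: they are passed as the
       argument of "%s" and never used as this program's own format string. */
    case 21: printf("%s", "%n%n%n%n%n%n"); break;
    case 22: putchar('#'); break;
    case 23: putchar('*'); break;
    default:
      if (R(2)) {
        putchar('-');
      }
      printf("%d", rand());
      break;

  }

  if (quoted) {
    putchar('"');
  }

}


/*
 * Write one randomly built tag to stdout: '<', an optional stray byte or
 * '/', a tag name from tags[][0], then 1..MAXPCOUNT parameters, each
 * followed by a value from make_up_value(), and a closing '>'.
 *
 * tags, MAXTAGS and MAXPARS come from tags.h, which is not part of this
 * file.
 * NOTE(review): both selection loops retry until they hit a non-NULL entry,
 * so they would never terminate if tags has no named entry, or if the
 * chosen tag has no non-NULL entry at index >= 1 -- confirm against tags.h.
 */
void random_tag(void) {
  int tn, tc;

  do {
    tn = R(MAXTAGS);
  } while (!tags[tn][0]);
  tc = R(MAXPCOUNT) + 1;

  putchar('<');

  switch (R(10)) {
    case 0: putchar(R(256)); break;
    case 1: putchar('/'); break;
    default: break;
  }

  printf("%s", tags[tn][0]);

  while (tc--) {
    int pn;

    /* Separator before the parameter name: usually a space, sometimes a
       random byte (0) or nothing at all (1). */
    switch (R(32)) {
      case 0: putchar(R(256)); break;
      case 1: break;
      default: putchar(' '); break;
    }

    do {
      pn = R(MAXPARS - 1) + 1;
    } while (!tags[tn][pn]);
    printf("%s", tags[tn][pn]);

    /* Separator before the value: usually '=', sometimes a random byte (0)
       or nothing at all (1). */
    switch (R(32)) {
      case 0: putchar(R(256)); break;
      case 1: break;
      default: putchar('='); break;
    }

    make_up_value();

  }

  putchar('>');

}


/*
 * CGI entry point: emits the response header and a self-refreshing page
 * prologue, logs the seed for this run to stderr, then writes
 * 1..MAXTCOUNT random tags to stdout.
 */
int main(int argc, char **argv) {
  char agent[LOG_FIELD_MAX];
  char remote[LOG_FIELD_MAX];
  unsigned int seed;
  time_t now;
  int tc;

  (void)argc;
  (void)argv;

  fputs("Content-Type: text/html;charset=utf-8\nRefresh: 0;URL=mangle.cgi\n\n", stdout);
  fputs("<HTML><HEAD><META HTTP-EQUIV=\"Refresh\" content=\"0;URL=mangle.cgi\">\n", stdout);
  fputs("<script language=\"javascript\">setTimeout('window.location=\"mangle.cgi\"', 1000);</script>\n", stdout);

  /* The mixing is done in unsigned arithmetic: shifting a signed pid left
     by 16 can overflow int, which is undefined behaviour. The low 32 bits
     are the same as the signed expression would produce. */
  now = time(NULL);
  seed = (unsigned int)now ^ ((unsigned int)getpid() << 16);

  /* HTTP_USER_AGENT is taken from a client request header under CGI and
     either variable may be unset, so both are sanitised and length-bounded
     before they reach the error log. The line is still written with a
     single fprintf(). */
  sanitize_log_field(agent, sizeof agent, getenv("HTTP_USER_AGENT"));
  sanitize_log_field(remote, sizeof remote, getenv("REMOTE_ADDR"));
  fprintf(stderr, "[%u] Mangle attempt 0x%08x (%s) -- %s\n",
          (unsigned int)now, seed, agent, remote);
  srand(seed);

  tc = R(MAXTCOUNT) + 1;
  while (tc--) {
    random_tag();
  }
  fflush(NULL);
  return 0;
}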