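/*

   HTML manglizer
   --------------
   Copyright (C) 2004 by Michal Zalewski <lcamtuf@coredump.cx>

   Fault reproduction utility.

   Runs as a CGI program: reads a hexadecimal seed from QUERY_STRING,
   seeds rand() with it and writes the pseudo-random tag stream for
   that seed, preceded by headers and markup that reload remangle.cgi
   with the same seed.

   The output depends only on the seed, on the order of the rand()
   calls below, on the C library's rand() and on the tables in tags.h.
   Any edit that adds, drops or reorders an R() call changes what a
   given seed reproduces.

 */


#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#include "tags.h"

/* Pseudo-random integer in [0, x). */
#define R(x) (rand() % (x))

#define MAXTCOUNT 100   /* a page holds 1..MAXTCOUNT tags             */
#define MAXPCOUNT 20    /* a tag holds 1..MAXPCOUNT parameters        */
#define MAXSTR2   80    /* long filler runs are 1 + R(80)*R(80) bytes */


/*
 * Write one pseudo-random attribute value to stdout.
 *
 * The value is wrapped in double quotes half of the time. Cases 0, 2-5
 * and 10 emit a prefix (or an '&' ... ';' wrapper) and recurse once,
 * case 11 recurses twice; that is 8 nested calls per 31 draws on
 * average, so the recursion is expected to end but has no hard depth
 * limit.
 */
void make_up_value(void) {
  int quoted = R(2);

  if (quoted) putchar('"');

  switch (R(31)) {

    case 0:  printf("javascript:"); make_up_value(); break;
//  case 1:  printf("jar:"); make_up_value(); break;
    case 2:  printf("mk:"); make_up_value(); break;
    case 3:  printf("file:"); make_up_value(); break;
    case 4:  printf("http:"); make_up_value(); break;
    case 5:  printf("about:"); make_up_value(); break;
    case 6:  printf("_blank"); break;
    case 7:  printf("_self"); break;
    case 8:  printf("top"); break;
    case 9:  printf("left"); break;
    case 10: putchar('&'); make_up_value(); putchar(';'); break;
    case 11: make_up_value(); make_up_value(); break;

    /* Case ranges are a GNU C extension. */
    case 12 ... 20: {
      /* Run of one repeated byte: usually 0..9 long, one time in ten
         up to 1 + 79*79. The length is drawn before the fill byte;
         keep that order so the rand() sequence is unchanged. */
      int len  = R(10) ? R(10) : (1 + R(MAXSTR2) * R(MAXSTR2));
      int fill = R(256);
      int i;

      /* Written byte by byte instead of through a malloc()ed buffer:
         same bytes on stdout, and no unchecked allocation that could
         hand NULL to memset()/fwrite(). */
      for (i = 0; i < len; i++) putchar(fill);
      break;
    }

    /* Conversion specifiers emitted as page data. The "%s" format must
       stay: passing this string as the format itself would make
       printf() act on the %n directives inside this process. */
    case 21: printf("%s","%n%n%n%n%n%n"); break;
    case 22: putchar('#'); break;
    case 23: putchar('*'); break;

    /* Draws 1 (disabled above) and 24..30: optionally signed decimal. */
    default: if (R(2)) putchar('-'); printf("%d",rand()); break;

  }

  if (quoted) putchar('"');

}


/*
 * Write one pseudo-random tag: '<', an optional stray byte or '/',
 * a tag name from tags[][0], then 1..MAXPCOUNT parameters, each
 * followed by a value from make_up_value(), and a closing '>'.
 *
 * tags, MAXTAGS and MAXPARS come from tags.h, which is not part of
 * this file. The code treats tags[tn][0] as the tag name, tags[tn][1..]
 * as its parameter names, and a null entry as an unused slot.
 */
void random_tag(void) {
  int tn, tc;

  /* Redraw until the row has a name. */
  do tn = R(MAXTAGS); while (!tags[tn][0]);
  tc = R(MAXPCOUNT) + 1;

  putchar('<');

  switch (R(10)) {
    case 0: putchar(R(256)); break;   /* stray byte before the name */
    case 1: putchar('/');             /* closing-tag form           */
  }

  printf("%s", tags[tn][0]);

  while (tc--) {
    int pn;

    /* Separator before the parameter: almost always a space, one time
       in 32 a random byte, one time in 32 nothing at all. */
    switch (R(32)) {
      case 0: putchar(R(256));        /* fallthrough */
      case 1: break;
      default: putchar(' ');
    }

    /* Redraw until a used parameter slot is hit.
       NOTE(review): this never ends for a row that has a name but no
       parameter entries; assumes tags.h gives every named tag at
       least one -- confirm against tags.h. */
    do pn = R(MAXPARS-1) + 1; while (!tags[tn][pn]);
    printf("%s", tags[tn][pn]);

    /* Same pattern for the '=' between name and value. */
    switch (R(32)) {
      case 0: putchar(R(256));        /* fallthrough */
      case 1: break;
      default: putchar('=');
    }

    make_up_value();

  }

  putchar('>');

}


/*
 * CGI entry point. Exits with status 1 and a text/plain error when
 * QUERY_STRING is missing or does not start with a hexadecimal number;
 * otherwise writes the page for that seed and returns 0.
 */
int main(int argc,char** argv) {
  int tc;
  /* unsigned: the type that "%x" stores through and prints, and the
     type srand() takes. The original declared this as int. */
  unsigned int seed;
  char* x = getenv("QUERY_STRING");

  /* QUERY_STRING is request-controlled. It is only parsed into an
     integer here; "%x" stops at the first non-hex character and
     anything after it is ignored. */
  if (!x || sscanf(x,"%x",&seed) != 1) {
    printf("Content-type: text/plain\n\nMissing or invalid parameter.\n");
    exit(1);
  }

  /* Only the parsed number is echoed, always through %08x, so no
     request text reaches the response headers or the markup. Keep it
     that way: do not print x itself. */
  printf("Content-Type: text/html;charset=utf-8\nRefresh: 0;URL=remangle.cgi?0x%08x\n\n", seed);
  printf("<HTML><HEAD><META HTTP-EQUIV=\"Refresh\" content=\"0;URL=remangle.cgi?0x%08x\">\n", seed);
  printf("<script language=\"javascript\">setTimeout('window.location=\"remangle.cgi?0x%08x\"', 1000);</script>\n", seed);

  /* Seed after the headers are written and before the first R() call. */
  srand(seed);

  tc = R(MAXTCOUNT) + 1;
  while (tc--) random_tag();
  fflush(0);   /* null stream: flush every open output stream */
  return 0;
}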