/*

   HTML manglizer
   --------------
   Copyright (C) 2004 by Michal Zalewski <lcamtuf@coredump.cx>

   HTML manglizer library. It logs the random seed of every run to the web
   server's error log; to reproduce a browser crash, find the last entry
   logged before the crash and pass its seed to remangle.cgi. Replay relies
   on srand()/rand() producing the same sequence, so use the same build and
   C library that produced the log entry.

 */
11563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark
12563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark
13563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark#include <stdio.h>
14563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark#include <unistd.h>
15563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark#include <stdlib.h>
16563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark#include <string.h>
17563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark#include <time.h>
18563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark
19563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark#include "tags.h"
20563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark
/* Random integer in [0, x), taken as rand() % x (slightly biased toward
   small values, which is irrelevant for a fuzzer). */
#define R(x) (rand() % (x))

/* Tags emitted per page: 1..MAXTCOUNT. */
#define MAXTCOUNT 100
/* Attribute slots emitted per tag: 1..MAXPCOUNT. */
#define MAXPCOUNT 20
/* Long filler runs are 1 + R(MAXSTR2) * R(MAXSTR2) bytes. */
#define MAXSTR2   80
26563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark
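/*
 * Emit one attribute value to stdout.
 *
 * Half the time the value is wrapped in double quotes. The body is picked
 * by a 31-way roll: URL-scheme prefixes whose remainder is a recursive
 * value, a few literal tokens, an entity-like "&...;" wrapper, two values
 * back to back, a run of one random byte (rolls 12-20), a literal "%n"
 * string, punctuation, or a signed random integer. A roll of 1 (the
 * disabled "jar:" case) lands in default. Recursion is probabilistic but
 * terminates: the expected number of nested calls per call is below one.
 *
 * The order of rand() calls is part of the contract -- remangle.cgi
 * replays a logged seed -- so every path consumes the same sequence as
 * the original implementation.
 */
void make_up_value(void) {
  int quoted = R(2);

  if (quoted) putchar('"');

  switch (R(31)) {

    case 0: printf("javascript:"); make_up_value(); break;
//    case 1: printf("jar:"); make_up_value(); break;
    case 2: printf("mk:"); make_up_value(); break;
    case 3: printf("file:"); make_up_value(); break;
    case 4: printf("http:"); make_up_value(); break;
    case 5: printf("about:"); make_up_value(); break;
    case 6: printf("_blank"); break;
    case 7: printf("_self"); break;
    case 8: printf("top"); break;
    case 9: printf("left"); break;
    case 10: putchar('&'); make_up_value(); putchar(';'); break;
    case 11: make_up_value(); make_up_value(); break;

    case 12 ... 20: {
        /* Usually a short run (0-9 bytes); one time in ten a long run of
           up to 1 + 79*79 bytes. Written byte by byte rather than through
           a malloc()/memset()/fwrite() temporary: the old code never
           checked malloc() and could call malloc(0)/memset(NULL, ..., 0)
           when the short roll came up 0. rand() usage is unchanged. */
        int len = R(10) ? R(10) : (1 + R(MAXSTR2) * R(MAXSTR2));
        int fill = R(256);
        while (len-- > 0) putchar(fill);
        break;
      }

    /* Literal fuzz payload for the browser, never a printf() format. */
    case 21: fputs("%n%n%n%n%n%n", stdout); break;
    case 22: putchar('#'); break;
    case 23: putchar('*'); break;
    default: if (R(2)) putchar('-'); printf("%d",rand()); break;

  }

  if (quoted) putchar('"');

}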
66563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark
67563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark
/* Emit one separator roll: 1/32 a random byte, 1/32 nothing, otherwise
   the separator the HTML grammar would expect at this point. */
static void emit_separator(int expected) {
  int roll = R(32);
  if (roll == 0) putchar(R(256));
  else if (roll != 1) putchar(expected);
}

/*
 * Emit one random, deliberately malformed tag to stdout.
 *
 * Picks a non-empty row of tags[] (from tags.h), opens it with '<' plus
 * an occasional random byte or '/', then writes 1..MAXPCOUNT attribute
 * names taken from the same row. Each name is preceded by a ' ' roll and
 * followed by a '=' roll (see emit_separator) and a make_up_value() body.
 * Closes with '>'.
 *
 * NOTE(review): both do/while lookups spin forever if tags[] has no
 * non-empty row, or if the chosen row has no entry in slots
 * 1..MAXPARS-1 -- tags.h is not visible here, so confirm every row
 * carries at least one parameter.
 *
 * The sequence of rand() calls is identical to the original: remangle.cgi
 * replays logged seeds.
 */
void random_tag(void) {
  int tag, attr_count, lead;

  do tag = R(MAXTAGS); while (!tags[tag][0]);
  attr_count = R(MAXPCOUNT) + 1;

  putchar('<');

  /* 1/10 a random byte right after '<', 1/10 a closing slash, else nothing. */
  lead = R(10);
  if (lead == 0) putchar(R(256));
  else if (lead == 1) putchar('/');

  printf("%s", tags[tag][0]);

  for (; attr_count > 0; attr_count--) {
    int attr;

    emit_separator(' ');
    do attr = R(MAXPARS-1) + 1; while (!tags[tag][attr]);
    printf("%s", tags[tag][attr]);
    emit_separator('=');
    make_up_value();
  }

  putchar('>');
}
105563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark
106563af33bc48281d19dce701398dbb88cb54fd7ecCary Clark
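/*
 * Write an environment variable to f in a form safe for a line-oriented
 * log: bytes outside printable ASCII (control characters including CR/LF,
 * DEL, and anything >= 0x80) are written as "\xHH", so a crafted request
 * header cannot inject a fake "Mangle attempt" line into the error log.
 * An unset variable is written as "-" instead of passing NULL to "%s".
 */
static void log_env(FILE *f, const char *name) {
  const char *val = getenv(name);

  if (!val) { fputs("-", f); return; }
  for (; *val; val++) {
    unsigned char ch = (unsigned char)*val;
    if (ch >= 0x20 && ch < 0x7f) fputc(ch, f);
    else fprintf(f, "\\x%02x", ch);
  }
}

/*
 * CGI entry point. Emits the HTTP headers and a self-reloading page
 * (Refresh header, meta refresh, and a 1-second script fallback), logs
 * the seed, seeds rand(), and writes 1..MAXTCOUNT random tags.
 *
 * The seed goes to stderr (the web server's error log) so that a crash
 * can be replayed by feeding the last logged seed to remangle.cgi; the
 * "Mangle attempt 0x%08x" field keeps its format for that purpose.
 *
 * Returns 0; argc/argv are unused.
 */
int main(int argc, char **argv) {
  unsigned int seed, tag_count;
  time_t now;

  (void)argc;
  (void)argv;

  printf("Content-Type: text/html;charset=utf-8\nRefresh: 0;URL=mangle.cgi\n\n");
  printf("<HTML><HEAD><META HTTP-EQUIV=\"Refresh\" content=\"0;URL=mangle.cgi\">\n");
  printf("<script language=\"javascript\">setTimeout('window.location=\"mangle.cgi\"', 1000);</script>\n");

  /* Same seed recipe as before, but in unsigned arithmetic: (int)pid << 16
     is signed overflow (undefined) once pids exceed 32767, which happens on
     systems with pid_max raised above the default. */
  now = time(NULL);
  seed = (unsigned int)now ^ ((unsigned int)getpid() << 16);

  /* User-Agent and REMOTE_ADDR are request-controlled and may be unset;
     log_env() escapes and NULL-checks them instead of handing them to %s. */
  fprintf(stderr, "[%lu] Mangle attempt 0x%08x (", (unsigned long)now, seed);
  log_env(stderr, "HTTP_USER_AGENT");
  fputs(") -- ", stderr);
  log_env(stderr, "REMOTE_ADDR");
  fputc('\n', stderr);

  srand(seed);

  tag_count = R(MAXTCOUNT) + 1;
  while (tag_count--) random_tag();

  fflush(NULL);
  return 0;
}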