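/*

   HTML manglizer
   --------------
   Copyright (C) 2004 by Michal Zalewski <lcamtuf (at) coredump.cx>

   HTML manglizer library. Logs random seeds to error-log; find the last entry before
   crash, then pass it to remangle.cgi to reproduce the problem.

   NOTE: every generated page is a pure function of the seed that main()
   logs. Any change to the number or order of rand() calls in this file
   makes older log entries unreproducible with remangle.cgi, so the
   functions below keep the original call sequence exactly.

*/


#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#include "tags.h"

/* Integer in [0, x). Modulo bias does not matter for a fuzzer, and the
 * exact rand() consumption is what keeps output reproducible. */
#define R(x) (rand() % (x))

#define MAXTCOUNT 100   /* tags per page: 1..MAXTCOUNT */
#define MAXPCOUNT 20    /* attributes per tag: 1..MAXPCOUNT */
#define MAXSTR2   80    /* filler length is at most 1 + (MAXSTR2-1)^2 */

/* Write one random attribute value to stdout, optionally wrapped in
 * double quotes.
 *
 * The value is one of: a URL-scheme prefix followed by a nested value, a
 * well-known target name, an entity-like "&...;" wrapper, two nested
 * values, a run of one repeated random byte, a "%n" payload (emitted as
 * data through "%s", never used as a format string), a single '#' or '*',
 * or a random decimal number.
 *
 * Recursive: of the 31 equally likely branches, 6 make one nested call
 * and one makes two, so the expected number of nested calls per
 * invocation is 8/31 < 1 and the recursion terminates with probability 1.
 */
void make_up_value(void) {
    int quoted = R(2);

    if (quoted) putchar('"');

    switch (R(31)) {

        case 0: printf("javascript:"); make_up_value(); break;
        /* case 1 ("jar:") is intentionally disabled; it still consumes
         * its slot of R(31) so the branch probabilities stay the same. */
        case 2: printf("mk:"); make_up_value(); break;
        case 3: printf("file:"); make_up_value(); break;
        case 4: printf("http:"); make_up_value(); break;
        case 5: printf("about:"); make_up_value(); break;
        case 6: printf("_blank"); break;
        case 7: printf("_self"); break;
        case 8: printf("top"); break;
        case 9: printf("left"); break;
        case 10: putchar('&'); make_up_value(); putchar(';'); break;
        case 11: make_up_value(); make_up_value(); break;

        case 12: case 13: case 14: case 15: case 16:
        case 17: case 18: case 19: case 20: {
            /* Filler run: usually 0..9 bytes, one time in ten a long run
             * of 1 + R(MAXSTR2)*R(MAXSTR2) bytes. Written byte by byte so
             * there is no heap allocation to check (the original used an
             * unchecked malloc, and malloc(0) for a zero length). The
             * rand() sequence is identical: R(10), then either R(10) or
             * two R(MAXSTR2) draws, then R(256) for the fill byte. */
            int len = R(10);
            if (len) {
                len = R(10);
            } else {
                int a = R(MAXSTR2);
                int b = R(MAXSTR2);
                len = 1 + a * b;   /* product is commutative, so draw order is irrelevant */
            }
            int fill = R(256);
            for (int i = 0; i < len; i++) putchar(fill);
            break;
        }

        case 21: printf("%s", "%n%n%n%n%n%n"); break;   /* literal data, not a format */
        case 22: putchar('#'); break;
        case 23: putchar('*'); break;
        default:
            if (R(2)) putchar('-');
            printf("%d", rand());
            break;

    }

    if (quoted) putchar('"');

}


/* Write one random tag to stdout: '<', optionally a junk byte or '/',
 * a tag name from tags[], then 1..MAXPCOUNT attribute/value pairs, each
 * preceded by a separator (a space, a junk byte, or nothing) and joined to
 * its value by '=', a junk byte, or nothing; finally '>'.
 *
 * Relies on tags.h (presumably char *tags[MAXTAGS][MAXPARS]) having at
 * least one non-NULL tag name and, for that tag, at least one non-NULL
 * attribute in slots 1..MAXPARS-1; otherwise the do/while searches below
 * never terminate.
 */
void random_tag(void) {
    int tn;
    int remaining;

    do tn = R(MAXTAGS); while (!tags[tn][0]);
    remaining = R(MAXPCOUNT) + 1;

    putchar('<');

    switch (R(10)) {
        case 0: putchar(R(256)); break;   /* 1 in 10: junk byte before the name */
        case 1: putchar('/'); break;      /* 1 in 10: closing-tag form */
        default: break;
    }

    printf("%s", tags[tn][0]);

    while (remaining--) {
        int pn;

        /* Separator before the attribute name. */
        switch (R(32)) {
            case 0: putchar(R(256)); /* fallthrough: junk byte and no space */
            case 1: break;           /* no separator at all */
            default: putchar(' '); break;
        }

        do pn = R(MAXPARS - 1) + 1; while (!tags[tn][pn]);
        printf("%s", tags[tn][pn]);

        /* Separator between attribute name and value. */
        switch (R(32)) {
            case 0: putchar(R(256)); /* fallthrough: junk byte instead of '=' */
            case 1: break;           /* no '=' */
            default: putchar('='); break;
        }

        make_up_value();

    }

    putchar('>');

}


/* Fetch the CGI environment variable NAME for the error-log line.
 *
 * Returns "-" when the variable is unset (passing NULL to "%s" is
 * undefined behaviour and was the original's behaviour when run outside
 * a CGI context). Otherwise copies at most cap-1 bytes into BUF,
 * replacing bytes outside printable ASCII with '?', so that a request
 * header containing newlines cannot forge additional log entries.
 * Returns BUF. */
static const char *log_field(const char *name, char *buf, size_t cap) {
    const char *val = getenv(name);
    size_t i;

    if (!val || cap == 0) return "-";

    for (i = 0; i + 1 < cap && val[i]; i++) {
        unsigned char ch = (unsigned char)val[i];
        buf[i] = (ch < 0x20 || ch > 0x7e) ? '?' : (char)ch;
    }
    buf[i] = '\0';
    return buf;
}


/* CGI entry point: emit headers plus a self-refreshing page containing
 * 1..MAXTCOUNT random tags, and log the seed so the page can be
 * regenerated with remangle.cgi. Returns 0, or 1 if flushing stdout
 * fails (the page was not fully delivered). */
int main(void) {
    unsigned seed;
    int tag_count;
    char ua[512];
    char addr[64];

    printf("Content-Type: text/html;charset=utf-8\nRefresh: 0;URL=mangle.cgi\n\n");
    printf("<HTML><HEAD><META HTTP-EQUIV=\"Refresh\" content=\"0;URL=mangle.cgi\">\n");
    printf("<script language=\"javascript\">setTimeout('window.location=\"mangle.cgi\"', 1000);</script>\n");

    /* Same bit pattern as the original time ^ (pid << 16), but computed
     * in unsigned arithmetic: shifting a signed pid above 32767 left by
     * 16 overflows int, which is undefined behaviour. */
    seed = (unsigned)time(NULL) ^ ((unsigned)getpid() << 16);
    fprintf(stderr, "[%lu] Mangle attempt 0x%08x (%s) -- %s\n",
            (unsigned long)time(NULL), seed,
            log_field("HTTP_USER_AGENT", ua, sizeof ua),
            log_field("REMOTE_ADDR", addr, sizeof addr));
    srand(seed);

    tag_count = R(MAXTCOUNT) + 1;
    while (tag_count--) random_tag();

    return fflush(NULL) == 0 ? 0 : 1;
}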