1 /*

     2 

     3    HTML manglizer

     4    --------------

     5    Copyright (C) 2004 by Michal Zalewski <lcamtuf@coredump.cx>

     6 

     7    Fault reproduction utility.

     8 

     9  */

    10 

    11 

    12 #include <stdio.h>

    13 #include <unistd.h>

    14 #include <stdlib.h>

    15 #include <string.h>

    16 #include <time.h>

    17 

    18 #include "tags.h"

    19 

    20 #define R(x) (rand() % (x))

    21 

    22 #define MAXTCOUNT 100

    23 #define MAXPCOUNT 20

    24 #define MAXSTR2   80

    25 

    26 void make_up_value(void) {

    27   char c=R(2);

    28 

    29   if (c) putchar('"');

    30 

    31   switch (R(31)) {

    32 

    33     case 0: printf("javascript:"); make_up_value(); break;

    34 //    case 1: printf("jar:"); make_up_value(); break;

    35     case 2: printf("mk:"); make_up_value(); break;

    36     case 3: printf("file:"); make_up_value(); break;

    37     case 4: printf("http:"); make_up_value(); break;

    38     case 5: printf("about:"); make_up_value(); break;

    39     case 6: printf("_blank"); break;

    40     case 7: printf("_self"); break;

    41     case 8: printf("top"); break;

    42     case 9: printf("left"); break;

    43     case 10: putchar('&'); make_up_value(); putchar(';'); break;

    44     case 11: make_up_value(); make_up_value(); break;

    45 

    46     case 12 ... 20: {

    47         int c = R(10) ? R(10) : (1 + R(MAXSTR2) * R(MAXSTR2));

    48         char* x = malloc(c);

    49         memset(x,R(256),c);

    50         fwrite(x,c,1,stdout);

    51         free(x);

    52         break;

    53       }

    54 

    55     case 21: printf("%s","%n%n%n%n%n%n"); break;

    56     case 22: putchar('#'); break;

    57     case 23: putchar('*'); break;

    58     default: if (R(2)) putchar('-'); printf("%d",rand()); break;

    59 

    60   }

    61 

    62   if (c) putchar('"');

    63 

    64 }

    65   

    66 

    67 void random_tag(void) {

    68   int tn, tc;

    69   

    70   do tn = R(MAXTAGS); while (!tags[tn][0]);

    71   tc = R(MAXPCOUNT) + 1;

    72   

    73   putchar('<');

    74   

    75   switch (R(10)) {

    76     case 0: putchar(R(256)); break;

    77     case 1: putchar('/');

    78   }

    79   

    80   printf("%s", tags[tn][0]);

    81   

    82   while (tc--) {

    83     int pn;

    84     switch (R(32)) {

    85       case 0: putchar(R(256)); 

    86       case 1: break;

    87       default: putchar(' ');

    88     }

    89     do pn = R(MAXPARS-1) + 1; while (!tags[tn][pn]);

    90     printf("%s", tags[tn][pn]);

    91     switch (R(32)) {

    92       case 0: putchar(R(256)); 

    93       case 1: break;

    94       default: putchar('=');

    95     }

    96     

    97     make_up_value();

    98     

    99   }

   100     

   101   putchar('>');

   102   

   103 }

   104 

   105 

   106 int main(int argc,char** argv) {

   107   int tc,seed; 

   108   char* x = getenv("QUERY_STRING");

   109 

   110   if (!x || sscanf(x,"%x",&seed) != 1) {

   111     printf("Content-type: text/plain\n\nMissing or invalid parameter.\n");

   112     exit(1);

   113   }

   114 

   115   printf("Content-Type: text/html;charset=utf-8\nRefresh: 0;URL=remangle.cgi?0x%08x\n\n", seed);

   116   printf("<HTML><HEAD><META HTTP-EQUIV=\"Refresh\" content=\"0;URL=remangle.cgi?0x%08x\">\n", seed);

   117   printf("<script language=\"javascript\">setTimeout('window.location=\"remangle.cgi?0x%08x\"', 1000);</script>\n", seed);

   118 

   119   srand(seed);

   120   

   121   tc = R(MAXTCOUNT) + 1;

   122   while (tc--) random_tag();

   123   fflush(0);

   124   return 0;

   125 }