1 /*

     2 

     3    HTML manglizer

     4    --------------

     5    Copyright (C) 2004 by Michal Zalewski <lcamtuf@coredump.cx>

     6 

     7    HTML manglizer library. Logs random seeds to error-log; find the last entry before

     8    crash, then pass it to remangle.cgi to reproduce the problem.

     9 

    10  */

    11 

    12 

    13 #include <stdio.h>

    14 #include <unistd.h>

    15 #include <stdlib.h>

    16 #include <string.h>

    17 #include <time.h>

    18 

    19 #include "tags.h"

    20 

    21 #define R(x) (rand() % (x))

    22 

    23 #define MAXTCOUNT 100

    24 #define MAXPCOUNT 20

    25 #define MAXSTR2   80

    26 

    27 void make_up_value(void) {

    28   char c=R(2);

    29   

    30   if (c) putchar('"');

    31 

    32   switch (R(31)) {

    33 

    34     case 0: printf("javascript:"); make_up_value(); break;

    35 //    case 1: printf("jar:"); make_up_value(); break;

    36     case 2: printf("mk:"); make_up_value(); break;

    37     case 3: printf("file:"); make_up_value(); break;

    38     case 4: printf("http:"); make_up_value(); break;

    39     case 5: printf("about:"); make_up_value(); break;

    40     case 6: printf("_blank"); break;

    41     case 7: printf("_self"); break;

    42     case 8: printf("top"); break;

    43     case 9: printf("left"); break;

    44     case 10: putchar('&'); make_up_value(); putchar(';'); break;

    45     case 11: make_up_value(); make_up_value(); break;

    46  

    47     case 12 ... 20: {

    48         int c = R(10) ? R(10) : (1 + R(MAXSTR2) * R(MAXSTR2));

    49         char* x = malloc(c);

    50         memset(x,R(256),c);

    51         fwrite(x,c,1,stdout);

    52         free(x);

    53         break;

    54       }

    55       

    56     case 21: printf("%s","%n%n%n%n%n%n"); break;

    57     case 22: putchar('#'); break;

    58     case 23: putchar('*'); break;

    59     default: if (R(2)) putchar('-'); printf("%d",rand()); break;

    60     

    61   }

    62 

    63   if (c) putchar('"');

    64 

    65 }

    66   

    67 

    68 void random_tag(void) {

    69   int tn, tc;

    70   

    71   do tn = R(MAXTAGS); while (!tags[tn][0]);

    72   tc = R(MAXPCOUNT) + 1;

    73   

    74   putchar('<');

    75   

    76   switch (R(10)) {

    77     case 0: putchar(R(256)); break;

    78     case 1: putchar('/');

    79   }

    80   

    81   printf("%s", tags[tn][0]);

    82   

    83   while (tc--) {

    84     int pn;

    85     switch (R(32)) {

    86       case 0: putchar(R(256)); 

    87       case 1: break;

    88       default: putchar(' ');

    89     }

    90     do pn = R(MAXPARS-1) + 1; while (!tags[tn][pn]);

    91     printf("%s", tags[tn][pn]);

    92     switch (R(32)) {

    93       case 0: putchar(R(256)); 

    94       case 1: break;

    95       default: putchar('=');

    96     }

    97     

    98     make_up_value();

    99     

   100   }

   101     

   102   putchar('>');

   103   

   104 }

   105 

   106 

   107 int main(int argc,char** argv) {

   108   int tc,seed;

   109   

   110   printf("Content-Type: text/html;charset=utf-8\nRefresh: 0;URL=mangle.cgi\n\n");

   111   printf("<HTML><HEAD><META HTTP-EQUIV=\"Refresh\" content=\"0;URL=mangle.cgi\">\n");

   112   printf("<script language=\"javascript\">setTimeout('window.location=\"mangle.cgi\"', 1000);</script>\n");

   113 

   114   seed = (time(0) ^ (getpid() << 16));

   115   fprintf(stderr,"[%u] Mangle attempt 0x%08x (%s) -- %s\n", (int)time(0), seed, getenv("HTTP_USER_AGENT"), getenv("REMOTE_ADDR"));

   116   srand(seed);

   117   

   118   tc = R(MAXTCOUNT) + 1;

   119   while (tc--) random_tag();

   120   fflush(0);

   121   return 0;

   122 }