int
main (int argc, char *argv[])
{
int retval;
puts ("Ethereal iSNS dissector zero-length vulnerability\n"
"proof of concept code\n"
"Copyright (C) 2004 Remi Denis-Courmont "
"<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
"\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");
#ifdef WIN32
WSADATA wsaData;
if (WSAStartup (0x202, &wsaData) || wsaData.wVersion != 0x202)
{
fputs ("Winsock version mismatch!\n", stderr);
return 2;
}
#endif
if (argc != 2)
return usage (argv[0]);
retval = proof (argv[1]) ? 1 : 0;
#ifdef WIN32
WSACleanup ();
#endif
return retval;
}
int
main (int argc, char *argv[])
{
struct sockaddr *dest;
puts ("Ethereal EIGRP Dissector TLV_IP_INT Long IP Address Overflow\n"
"proof of concept code\n"
"Copyright (C) 2004 R<E9>mi Denis-Courmont "
"<\x65\x74\x68\x65\x72\x65\x61\x6c\x40\x73\x69\x6d\x70"
"\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");
if (argc != 2)
return usage (argv[0]);
else
{
struct addrinfo help, *res;
int check;
memset (&help, 0, sizeof (help));
help.ai_family = PF_INET;
check = getaddrinfo (argv[1], NULL, &help, &res);
if (check)
{
fprintf (stderr, "%s: %s\n", argv[1],
gai_strerror (check));
return 1;
}
dest = res->ai_addr;
}
return proof ((const struct sockaddr_in *)dest);
}
void proof(TString InputFileName,Int_t NumCores=10,TString OutPutName="histograms/temp.root"){
ch = new TChain("caltree");
std::cout << "Creating TChain... ";
ch->Add(InputFileName);
proof(-99,NumCores,OutPutName);
}
int main(int argc, char *argv[])
{
FILE *infd, *outfd;
char buf[256];
char *s;
int i, c;
if(argc<=1)
{
c=1;
while(!feof(stdin))
{
i=fread(buf, 1, 256, stdin);
c=DataAdler32(buf, i, c);
}
printf("0x%08X\n", c);
return(0);
}
if(!strcmp(argv[1], "-proof"))
{
proof();
return(0);
}
if(!strcmp(argv[1], "-header"))
{
infd=fopen(argv[2], "rt");
outfd=fopen(argv[3], "wt");
while(!feof(infd))
{
memset(buf, 0, 256);
fgets(buf, 255, infd);
s=buf;
while(*s && (*s>' '))s++;
*s=0;
if(!buf[0])continue;
if(buf[0]=='#')continue;
if((buf[0]=='/') && (buf[1]=='/'))
continue;
fprintf(outfd, "#define TYCRC_%s\t0x%08X\n",
upcase(buf), StrAdler32(buf));
}
return(0);
}
for(i=1; i<argc; i++)
{
printf("CRC for '%s': 0x%08X\n", argv[i],
StrAdler32(argv[i]));
}
return(0);
}
void flush_assertions() const {
proof_ref proof(m);
expr_ref fml(m);
expr_ref_vector fmls(m);
for (unsigned i = 0; i < m_assertions.size(); ++i) {
m_rewriter(m_assertions[i].get(), fml, proof);
m_solver->assert_expr(fml);
}
m_rewriter.flush_side_constraints(fmls);
m_solver->assert_expr(fmls);
m_assertions.reset();
}
int
main (int argc, char *argv[])
{
setvbuf (stdout, NULL, _IONBF, 0);
puts ("Linux kernel IPv6 UDP port infinite loop vulnerability\n"
"proof of concept code\n"
"Copyright (C) 2005 Remi Denis-Courmont "
"<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
"\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");
return -proof ();
}
void flush_assertions() const {
if (m_assertions.empty()) return;
m_rewriter.updt_params(get_params());
proof_ref proof(m);
expr_ref fml1(m), fml(m);
expr_ref_vector fmls(m);
for (expr* a : m_assertions) {
m_th_rewriter(a, fml1, proof);
m_rewriter(false, fml1, fml, proof);
m_solver->assert_expr(fml);
}
m_rewriter.flush_side_constraints(fmls);
m_solver->assert_expr(fmls);
m_assertions.reset();
}
KrawczykResult Krawczyk<MapType>::proof (FloatVector &x, double size,
int maxNumberOfIterations)
{
typedef typename MapType::VectorType::ScalarType ScalarType;
typename MapType::VectorType X(dim), // initial conditions
x0(dim);
for(int i=0; i< dim; i++)
{
X[i] = ScalarType(x[i]-size, x[i]+size);
x0[i] = ScalarType(x[i]);
}
return proof(x0, X, maxNumberOfIterations);
}
lbool get_consequences_core(expr_ref_vector const& asms, expr_ref_vector const& vars, expr_ref_vector& consequences) override {
datatype_util dt(m);
bv_util bv(m);
expr_ref_vector bvars(m), conseq(m), bounds(m);
// ensure that enumeration variables that
// don't occur in the constraints
// are also internalized.
for (expr* v : vars) {
expr_ref tmp(m.mk_eq(v, v), m);
proof_ref proof(m);
m_rewriter(tmp, tmp, proof);
}
m_rewriter.flush_side_constraints(bounds);
m_solver->assert_expr(bounds);
// translate enumeration constants to bit-vectors.
for (expr* v : vars) {
func_decl* f = nullptr;
if (is_app(v) && is_uninterp_const(v) && m_rewriter.enum2bv().find(to_app(v)->get_decl(), f)) {
bvars.push_back(m.mk_const(f));
}
else {
bvars.push_back(v);
}
}
lbool r = m_solver->get_consequences(asms, bvars, consequences);
// translate bit-vector consequences back to enumeration types
for (unsigned i = 0; i < consequences.size(); ++i) {
expr* a = nullptr, *b = nullptr, *u = nullptr, *v = nullptr;
func_decl* f;
rational num;
unsigned bvsize;
VERIFY(m.is_implies(consequences[i].get(), a, b));
if (m.is_eq(b, u, v) && is_uninterp_const(u) && m_rewriter.bv2enum().find(to_app(u)->get_decl(), f) && bv.is_numeral(v, num, bvsize)) {
SASSERT(num.is_unsigned());
expr_ref head(m);
ptr_vector<func_decl> const& enums = *dt.get_datatype_constructors(f->get_range());
if (enums.size() > num.get_unsigned()) {
head = m.mk_eq(m.mk_const(f), m.mk_const(enums[num.get_unsigned()]));
consequences[i] = m.mk_implies(a, head);
}
}
}
return r;
}
int
main (int argc, char *argv[])
{
puts ("tcpdump Integer underflow in ISAKMP Identification payload\n"
"proof of concept code\n"
"Copyright (C) Remi Denis-Courmont 2004 "
"<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
"\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");
if (argc != 2)
{
usage (argv[0]);
return 2;
}
return proof (argv[1]) ? 1 : 0;
}
bool Battlenet::Session::HandleResumeModule(BitStream* dataStream, ServerPacket** response)
{
if (dataStream->Read<uint8>(8) != 1)
{
Authentication::ResumeResponse* resumeResponse = new Authentication::ResumeResponse();
resumeResponse->SetAuthResult(AUTH_CORRUPTED_MODULE);
ReplaceResponse(response, resumeResponse);
return false;
}
static uint8 const ResumeClient = 0;
static uint8 const ResumeServer = 1;
std::unique_ptr<uint8[]> clientChallenge = dataStream->ReadBytes(16);
std::unique_ptr<uint8[]> clientProof = dataStream->ReadBytes(32);
std::unique_ptr<uint8[]> serverChallenge = _reconnectProof.AsByteArray(16);
std::unique_ptr<uint8[]> sessionKey = K.AsByteArray(64);
HmacSha256 clientPart(64, sessionKey.get());
clientPart.UpdateData(&ResumeClient, 1);
clientPart.UpdateData(clientChallenge.get(), 16);
clientPart.UpdateData(serverChallenge.get(), 16);
clientPart.Finalize();
HmacSha256 serverPart(64, sessionKey.get());
serverPart.UpdateData(&ResumeServer, 1);
serverPart.UpdateData(serverChallenge.get(), 16);
serverPart.UpdateData(clientChallenge.get(), 16);
serverPart.Finalize();
uint8 newSessionKey[64];
memcpy(&newSessionKey[0], clientPart.GetDigest(), clientPart.GetLength());
memcpy(&newSessionKey[32], serverPart.GetDigest(), serverPart.GetLength());
K.SetBinary(newSessionKey, 64);
HmacSha256 proof(64, newSessionKey);
proof.UpdateData(&ResumeClient, 1);
proof.UpdateData(clientChallenge.get(), 16);
proof.UpdateData(serverChallenge.get(), 16);
proof.Finalize();
if (memcmp(proof.GetDigest(), clientProof.get(), serverPart.GetLength()))
{
PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_BNET_FAILED_LOGINS);
stmt->setString(0, _accountInfo->Login);
LoginDatabase.Execute(stmt);
TC_LOG_DEBUG("session", "[Battlenet::Resume] %s attempted to reconnect with invalid password!", GetClientInfo().c_str());
Authentication::ResumeResponse* resumeResponse = new Authentication::ResumeResponse();
resumeResponse->SetAuthResult(AUTH_UNKNOWN_ACCOUNT);
ReplaceResponse(response, resumeResponse);
return false;
}
PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_BNET_SESSION_KEY);
stmt->setString(0, K.AsHexStr());
stmt->setBool(1, true);
stmt->setUInt32(2, _accountInfo->Id);
LoginDatabase.Execute(stmt);
HmacSha256 serverProof(64, newSessionKey);
serverProof.UpdateData(&ResumeServer, 1);
serverProof.UpdateData(serverChallenge.get(), 16);
serverProof.UpdateData(clientChallenge.get(), 16);
serverProof.Finalize();
ModuleInfo* resume = sModuleMgr->CreateModule(_os, "Resume");
BitStream resumeData;
uint8 state = 2;
resumeData.WriteBytes(&state, 1);
resumeData.WriteBytes(serverProof.GetDigest(), serverProof.GetLength());
resume->DataSize = resumeData.GetSize();
resume->Data = new uint8[resume->DataSize];
memcpy(resume->Data, resumeData.GetBuffer(), resume->DataSize);
Authentication::ResumeResponse* resumeResponse = new Authentication::ResumeResponse();
resumeResponse->Modules.push_back(resume);
ReplaceResponse(response, resumeResponse);
_authed = true;
sSessionMgr.AddSession(this);
return true;
}
static tree
parse_raw_coq (string s) {
tree doc (DOCUMENT), proof (DOCUMENT);
tree *r= &doc;
int i= 0, startcmd= 0, n= N(s), indent_level=-1;
bool in_cmd= false;
while (i<n) {
if (!in_cmd && start_comment (s, i)) {
if (start_coqdoc (s, i))
*r << parse_coqdoc (s, i);
else if (is_hide_or_show (s, i))
*r << parse_coqdoc_hide_show (s, i);
else
*r << parse_comment (s, i);
}
else if (start_comment (s, i)) {
if (is_hide_or_show (s, i))
*r << parse_coqdoc_hide_show (s, i);
else
parse_comment (s, i);
}
else if (end_vernac_command (s, i)) {
string body= s (startcmd, ++i);
if (is_enunciation (body)) {
*r << parse_enunciation (body);
r= &proof;
}
else if (is_definition (body)) {
*r << parse_enunciation (body);
}
else {
tree tmp= parse_vernac_command (body);
if (begin_proof (tmp) && end_proof (tmp)) {
proof << parse_vernac_proof (body);
doc << format_proof (proof);
proof= tree (DOCUMENT);
r= &doc;
}
else if (r == &proof) {
if (end_proof (tmp)) {
proof << tmp;
doc << format_proof (proof);
proof= tree (DOCUMENT);
r= &doc;
}
else if (begin_proof (tmp)) {
r= &proof;
*r << parse_vernac_proof (body);
}
else
*r << tmp;
}
else if (begin_proof (tmp)) {
r= &proof;
*r << parse_vernac_proof (body);
}
else
*r << tmp;
}
in_cmd= false;
}
else if (!in_cmd && s[i] == '\n') {
i++;
int tmp= parse_indent (s, i);
if (tmp >= 0 && tmp != indent_level) {
*r << compound ("coq-indent", as_string (tmp));
indent_level= tmp;
}
else if (i < n && s[i] == '\n') {
*r << "";
while (i+1 < n && s[i+1] == '\n') i++;
}
}
else {
if (!in_cmd && !is_blank (s[i])) {
in_cmd= true;
startcmd= i;
}
i++;
}
}
if (N(proof) > 0)
doc << format_proof (proof);
if (in_cmd)
doc << parse_vernac_command (s (startcmd, n));
return doc;
}