Esempio n. 1
0
int
main (int argc, char *argv[])
{
        int retval;

        puts ("Ethereal iSNS dissector zero-length vulnerability\n"
                "proof of concept code\n"
                "Copyright (C) 2004 Remi Denis-Courmont "
                "<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
                "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");

#ifdef WIN32
        WSADATA wsaData;

        if (WSAStartup (0x202, &wsaData) || wsaData.wVersion != 0x202)
        {
                fputs ("Winsock version mismatch!\n", stderr);
                return 2;
        }
#endif

        if (argc != 2)
                return usage (argv[0]);

        retval = proof (argv[1]) ? 1 : 0;
#ifdef WIN32
        WSACleanup ();
#endif
        return retval;
}
Esempio n. 2
0
int
main (int argc, char *argv[])
{
        struct sockaddr *dest;

        puts ("Ethereal EIGRP Dissector TLV_IP_INT Long IP Address Overflow\n"
                "proof of concept code\n"
                "Copyright (C) 2004 R<E9>mi Denis-Courmont "
                "<\x65\x74\x68\x65\x72\x65\x61\x6c\x40\x73\x69\x6d\x70"
                "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");


        if (argc != 2)
                return usage (argv[0]);
        else
        {
                struct addrinfo help, *res;
                int check;

                memset (&help, 0, sizeof (help));
                help.ai_family = PF_INET;

                check = getaddrinfo (argv[1], NULL, &help, &res);
                if (check)
                {
                        fprintf (stderr, "%s: %s\n", argv[1],
                                        gai_strerror (check));
                        return 1;
                }

                dest = res->ai_addr;
        }

        return proof ((const struct sockaddr_in *)dest);
}
Esempio n. 3
0
void proof(TString InputFileName,Int_t NumCores=10,TString OutPutName="histograms/temp.root"){
  
  ch = new TChain("caltree");
  std::cout << "Creating TChain... ";
  ch->Add(InputFileName);

  proof(-99,NumCores,OutPutName);
  
}
Esempio n. 4
0
int main(int argc, char *argv[])
{
	FILE *infd, *outfd;
	char buf[256];
	char *s;
	int i, c;

	if(argc<=1)
	{
		c=1;
		while(!feof(stdin))
		{
			i=fread(buf, 1, 256, stdin);
			c=DataAdler32(buf, i, c);
		}
		printf("0x%08X\n", c);
		return(0);
	}

	if(!strcmp(argv[1], "-proof"))
	{
		proof();
		return(0);
	}

	if(!strcmp(argv[1], "-header"))
	{
		infd=fopen(argv[2], "rt");
		outfd=fopen(argv[3], "wt");

		while(!feof(infd))
		{
			memset(buf, 0, 256);
			fgets(buf, 255, infd);
			s=buf;
			while(*s && (*s>' '))s++;
			*s=0;

			if(!buf[0])continue;
			if(buf[0]=='#')continue;
			if((buf[0]=='/') && (buf[1]=='/'))
				continue;

			fprintf(outfd, "#define TYCRC_%s\t0x%08X\n",
				upcase(buf), StrAdler32(buf));
		}
		return(0);
	}

	for(i=1; i<argc; i++)
	{
		printf("CRC for '%s': 0x%08X\n", argv[i],
			StrAdler32(argv[i]));
	}
	return(0);
}
Esempio n. 5
0
 void flush_assertions() const {
     proof_ref proof(m);
     expr_ref fml(m);
     expr_ref_vector fmls(m);
     for (unsigned i = 0; i < m_assertions.size(); ++i) {
         m_rewriter(m_assertions[i].get(), fml, proof);
         m_solver->assert_expr(fml);
     }
     m_rewriter.flush_side_constraints(fmls);
     m_solver->assert_expr(fmls);
     m_assertions.reset();
 }
Esempio n. 6
0
int
main (int argc, char *argv[])
{
	setvbuf (stdout, NULL, _IONBF, 0);
	puts ("Linux kernel IPv6 UDP port infinite loop vulnerability\n"
	      "proof of concept code\n"
	      "Copyright (C) 2005 Remi Denis-Courmont "
	      "<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
	      "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");

	return -proof ();
}
Esempio n. 7
0
 void flush_assertions() const {
     if (m_assertions.empty()) return;
     m_rewriter.updt_params(get_params());
     proof_ref proof(m);
     expr_ref fml1(m), fml(m);
     expr_ref_vector fmls(m);
     for (expr* a : m_assertions) {
         m_th_rewriter(a, fml1, proof);
         m_rewriter(false, fml1, fml, proof);
         m_solver->assert_expr(fml);
     }
     m_rewriter.flush_side_constraints(fmls);
     m_solver->assert_expr(fmls);
     m_assertions.reset();
 }
Esempio n. 8
0
KrawczykResult Krawczyk<MapType>::proof (FloatVector &x,  double size,
                                         int maxNumberOfIterations)
{
   typedef  typename MapType::VectorType::ScalarType  ScalarType;
   typename MapType::VectorType X(dim),           // initial conditions
                                x0(dim);

   for(int i=0; i< dim; i++)
   {
       X[i]  = ScalarType(x[i]-size, x[i]+size);
       x0[i] = ScalarType(x[i]);
   }

   return proof(x0, X, maxNumberOfIterations);

}
Esempio n. 9
0
    lbool get_consequences_core(expr_ref_vector const& asms, expr_ref_vector const& vars, expr_ref_vector& consequences) override {
        datatype_util dt(m);
        bv_util bv(m);
        expr_ref_vector bvars(m), conseq(m), bounds(m);

        // ensure that enumeration variables that 
        // don't occur in the constraints
        // are also internalized.
        for (expr* v : vars) {
            expr_ref tmp(m.mk_eq(v, v), m);
            proof_ref proof(m);
            m_rewriter(tmp, tmp, proof);            
        }
        m_rewriter.flush_side_constraints(bounds);
        m_solver->assert_expr(bounds);

        // translate enumeration constants to bit-vectors.
        for (expr* v : vars) {
            func_decl* f = nullptr;
            if (is_app(v) && is_uninterp_const(v) && m_rewriter.enum2bv().find(to_app(v)->get_decl(), f)) {
                bvars.push_back(m.mk_const(f));
            }
            else {
                bvars.push_back(v);
            }
        }
        lbool r = m_solver->get_consequences(asms, bvars, consequences);

        // translate bit-vector consequences back to enumeration types
        for (unsigned i = 0; i < consequences.size(); ++i) {
            expr* a = nullptr, *b = nullptr, *u = nullptr, *v = nullptr;
            func_decl* f;
            rational num;
            unsigned bvsize;
            VERIFY(m.is_implies(consequences[i].get(), a, b));
            if (m.is_eq(b, u, v) && is_uninterp_const(u) && m_rewriter.bv2enum().find(to_app(u)->get_decl(), f) && bv.is_numeral(v, num, bvsize)) {
                SASSERT(num.is_unsigned());
                expr_ref head(m);
                ptr_vector<func_decl> const& enums = *dt.get_datatype_constructors(f->get_range());
                if (enums.size() > num.get_unsigned()) {
                    head = m.mk_eq(m.mk_const(f), m.mk_const(enums[num.get_unsigned()]));
                    consequences[i] = m.mk_implies(a, head);
                }
            }
        }
        return r;
    }
Esempio n. 10
0
int
main (int argc, char *argv[])
{
    puts ("tcpdump Integer underflow in ISAKMP Identification payload\n"
          "proof of concept code\n"
          "Copyright (C) Remi Denis-Courmont 2004 "
          "<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
          "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");


    if (argc != 2)
    {
        usage (argv[0]);
        return 2;
    }

    return proof (argv[1]) ? 1 : 0;
}
Esempio n. 11
0
bool Battlenet::Session::HandleResumeModule(BitStream* dataStream, ServerPacket** response)
{
    if (dataStream->Read<uint8>(8) != 1)
    {
        Authentication::ResumeResponse* resumeResponse = new Authentication::ResumeResponse();
        resumeResponse->SetAuthResult(AUTH_CORRUPTED_MODULE);
        ReplaceResponse(response, resumeResponse);
        return false;
    }

    static uint8 const ResumeClient = 0;
    static uint8 const ResumeServer = 1;

    std::unique_ptr<uint8[]> clientChallenge = dataStream->ReadBytes(16);
    std::unique_ptr<uint8[]> clientProof = dataStream->ReadBytes(32);
    std::unique_ptr<uint8[]> serverChallenge = _reconnectProof.AsByteArray(16);
    std::unique_ptr<uint8[]> sessionKey = K.AsByteArray(64);

    HmacSha256 clientPart(64, sessionKey.get());
    clientPart.UpdateData(&ResumeClient, 1);
    clientPart.UpdateData(clientChallenge.get(), 16);
    clientPart.UpdateData(serverChallenge.get(), 16);
    clientPart.Finalize();

    HmacSha256 serverPart(64, sessionKey.get());
    serverPart.UpdateData(&ResumeServer, 1);
    serverPart.UpdateData(serverChallenge.get(), 16);
    serverPart.UpdateData(clientChallenge.get(), 16);
    serverPart.Finalize();

    uint8 newSessionKey[64];
    memcpy(&newSessionKey[0], clientPart.GetDigest(), clientPart.GetLength());
    memcpy(&newSessionKey[32], serverPart.GetDigest(), serverPart.GetLength());

    K.SetBinary(newSessionKey, 64);

    HmacSha256 proof(64, newSessionKey);
    proof.UpdateData(&ResumeClient, 1);
    proof.UpdateData(clientChallenge.get(), 16);
    proof.UpdateData(serverChallenge.get(), 16);
    proof.Finalize();

    if (memcmp(proof.GetDigest(), clientProof.get(), serverPart.GetLength()))
    {
        PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_BNET_FAILED_LOGINS);
        stmt->setString(0, _accountInfo->Login);
        LoginDatabase.Execute(stmt);

        TC_LOG_DEBUG("session", "[Battlenet::Resume] %s attempted to reconnect with invalid password!", GetClientInfo().c_str());
        Authentication::ResumeResponse* resumeResponse = new Authentication::ResumeResponse();
        resumeResponse->SetAuthResult(AUTH_UNKNOWN_ACCOUNT);
        ReplaceResponse(response, resumeResponse);
        return false;
    }

    PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_BNET_SESSION_KEY);
    stmt->setString(0, K.AsHexStr());
    stmt->setBool(1, true);
    stmt->setUInt32(2, _accountInfo->Id);
    LoginDatabase.Execute(stmt);

    HmacSha256 serverProof(64, newSessionKey);
    serverProof.UpdateData(&ResumeServer, 1);
    serverProof.UpdateData(serverChallenge.get(), 16);
    serverProof.UpdateData(clientChallenge.get(), 16);
    serverProof.Finalize();

    ModuleInfo* resume = sModuleMgr->CreateModule(_os, "Resume");

    BitStream resumeData;
    uint8 state = 2;
    resumeData.WriteBytes(&state, 1);
    resumeData.WriteBytes(serverProof.GetDigest(), serverProof.GetLength());

    resume->DataSize = resumeData.GetSize();
    resume->Data = new uint8[resume->DataSize];
    memcpy(resume->Data, resumeData.GetBuffer(), resume->DataSize);

    Authentication::ResumeResponse* resumeResponse = new Authentication::ResumeResponse();
    resumeResponse->Modules.push_back(resume);
    ReplaceResponse(response, resumeResponse);
    _authed = true;
    sSessionMgr.AddSession(this);
    return true;
}
Esempio n. 12
0
static tree
parse_raw_coq (string s) {
  tree doc (DOCUMENT), proof (DOCUMENT);
  tree *r= &doc;
  int i= 0, startcmd= 0, n= N(s), indent_level=-1;
  bool in_cmd= false;
  while (i<n) {
    if (!in_cmd && start_comment (s, i)) {
      if (start_coqdoc (s, i))
        *r << parse_coqdoc (s, i);
      else if (is_hide_or_show (s, i))
        *r << parse_coqdoc_hide_show (s, i);
      else
        *r << parse_comment (s, i);
    }
    else if (start_comment (s, i)) {
      if (is_hide_or_show (s, i))
        *r << parse_coqdoc_hide_show (s, i);
      else
        parse_comment (s, i);
    }
    else if (end_vernac_command (s, i)) {
      string body= s (startcmd, ++i);
      if (is_enunciation (body)) {
        *r << parse_enunciation (body);
        r= &proof;
      }
      else if (is_definition (body)) {
        *r << parse_enunciation (body);
      }
      else {
        tree tmp= parse_vernac_command (body);
        if (begin_proof (tmp) && end_proof (tmp)) {
          proof << parse_vernac_proof (body);
          doc << format_proof (proof);
          proof= tree (DOCUMENT);
          r= &doc;
        }
        else if (r == &proof) {
          if (end_proof (tmp)) {
            proof << tmp;
            doc << format_proof (proof);
            proof= tree (DOCUMENT);
            r= &doc;
          }
          else if (begin_proof (tmp)) {
            r= &proof;
            *r << parse_vernac_proof (body);
          }
          else
            *r << tmp;
        }
        else if (begin_proof (tmp)) {
          r= &proof;
          *r << parse_vernac_proof (body);
        }
        else
          *r << tmp;
      }
      in_cmd= false;
    }
    else if (!in_cmd && s[i] == '\n') {
      i++;
      int tmp= parse_indent (s, i);
      if (tmp >= 0 && tmp != indent_level) {
        *r << compound ("coq-indent", as_string (tmp));
        indent_level= tmp;
      }
      else if (i < n && s[i] == '\n') {
        *r << "";
        while (i+1 < n && s[i+1] == '\n') i++;
      }
    }
    else {
      if (!in_cmd && !is_blank (s[i])) {
        in_cmd= true;
        startcmd= i;
      }
      i++;
    }
  }
  if (N(proof) > 0)
    doc << format_proof (proof);
  if (in_cmd)
    doc << parse_vernac_command (s (startcmd, n));
  return doc;
}