/*

The Shellcoder's Handbook. Edycja polska
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
Sinan Eren, Neel Mehta, Riley Hassell
Wydawnictwo Helion


Rozdział 15
Fuzzing
dtlogin SPIKE

Komentarze i uwagi proszę przesyłać na adres jack@infosecinstitute.com 
lub za pośrednictwem witryny http://www.infosecinstitute.com 

*/

// xdmcp_request.spk
// For SPIKE 2.6 or newer.
// Service under test: port 177 UDP (XDMCP, as the file name indicates).
// The statements below lay out one XDMCP "request" packet in wire order;
// the order of the calls IS the packet layout, so do not reorder them.
// Invocation (from the original notes):
//[dave@localhost src]$ ./generic_send_udp 192.168.1.104 177 ~/spikePRIVATE/xdmcp_request.spk 2 28 2 
//[dave@localhost src]$ ./generic_send_udp 192.168.1.104 177 ~/spikePRIVATE/xdmcp_request.spk 4 19 1
//
// Type codes used by s_int_variable (from the original notes):
//   3 = one byte, 5 = two bytes, most-significant byte first.
// NOTE(review): the s_*_variable calls are presumably the fields SPIKE
// mutates between sends, while s_binary literals go out as given — confirm
// against the SPIKE documentation. The s_binary_block_size_* calls emit a
// length field filled in from the matching s_block_start/s_block_end span;
// the commented-out s_binary lines are the hand-written sizes they replaced.

// Protocol version.
s_binary("00 01");
// Opcode: request = 0x07, two-byte big-endian variable.
s_int_variable(0x0007,5);
// Message length: big-endian halfword computed from the "message" block
// (the hard-coded 0x0017 below is the original fixed value).
//s_binary("00 17 ");
s_binary_block_size_halfword_bigendian("message");
s_block_start("message");
// Display number.
s_int_variable(0x0001,5);
// "Connections" per the original note (one address entry follows).
s_binary("01");
// Connection type.
s_int_variable(0x0000,5);
// Address 192.168.1.100
// Connection 1.
s_binary("01");
// Address size in bytes: computed from the "ip" block (was a fixed 0x0004).
//s_binary("00 04");
s_binary_block_size_halfword_bigendian("ip");
// IP address bytes: c0 a8 01 64 = 192.168.1.100.
s_block_start("ip");
s_binary("c0 a8 01 64");
s_block_end("ip");
// Authentication name: length halfword (was a fixed 0x0000) + variable string.
//s_binary("00 00");
s_binary_block_size_halfword_bigendian("authname");
s_block_start("authname");
s_string_variable("");
s_block_end("authname");

// Authentication data: length halfword + variable string (empty by default).
s_binary_block_size_halfword_bigendian("authdata");
s_block_start("authdata");
s_string_variable("");
s_block_end("authdata");
//s_binary("00 00");
// Number of authorization names that follow (2), as a one-byte variable.
s_int_variable(0x02,3);

// Authorization name 1: length halfword + variable string.
s_binary_block_size_halfword_bigendian("MIT");
s_block_start("MIT");
s_string_variable("MIT-MAGIC-COOKIE-1");
s_block_end("MIT");


// Authorization name 2: length halfword + variable string.
s_binary_block_size_halfword_bigendian("XC");
s_block_start("XC");
s_string_variable("XC-QUERY-SECURITY-1");
s_block_end("XC");


// Manufacturer display id: length halfword + variable string (empty by default).
s_binary_block_size_halfword_bigendian("DID");
s_block_start("DID");
s_string_variable("");
s_block_end("DID");

// Closes the "message" block; its size is written into the length field above.
s_block_end("message");
