1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
/*
* decode_citrix.c
*
* Citrix ICA.
*
* http://www.securityfocus.com/templates/archive.pike?list=1&date=200 \
* 0-04-15&msg=Pine.BSO.4.20.0003290949280.2640-100000@naughty.monkey.org
*
* Thanks to Jeremie Kass <jeremie@monkey.org> for providing me with
* traffic traces.
*
* Copyright (c) 2000 Dug Song <dugsong@monkey.org>
*
* $Id: decode_citrix.c,v 1.5 2001/03/15 08:32:59 dugsong Exp $
*/
#include "config.h"
#include <sys/types.h>
#include <stdio.h>
#include <string.h>
#include "buf.h"
#include "decode.h"
static u_char ica_magic[] = { 0x32, 0x26, 0x85, 0x92, 0x58 };
int
decode_citrix(u_char *buf, int len, u_char *obuf, int olen)
{
struct buf inbuf, outbuf;
u_char key, c, t[2];
int i;
buf_init(&inbuf, buf, len);
buf_init(&outbuf, obuf, olen);
while ((i = buf_index(&inbuf, ica_magic, sizeof(ica_magic))) >= 0) {
buf_skip(&inbuf, i);
if (buf_len(&inbuf) < 60)
break;
buf_skip(&inbuf, 17);
if (buf_get(&inbuf, &key, 1) != 1)
break;
buf_skip(&inbuf, 42);
if (buf_get(&inbuf, &c, 1) != 1)
break;
c ^= ('C' | key);
buf_put(&outbuf, &c, 1);
i = 0;
while (buf_get(&inbuf, t, 2) == 2) {
c = t[0] ^ t[1] ^ key;
if (c == '\0') {
buf_put(&outbuf, "\n", 1);
if (++i > 2) break;
}
buf_put(&outbuf, &c, 1);
}
}
buf_end(&outbuf);
return (buf_len(&outbuf));
}
|
