/*
Pseudo-code of the Bisection Algorithm.
This will be implemented in DotDotPwn v3.0

This example is in the slide 19:
https://media.blackhat.com/bh-us-11/Arsenal/BH_US_11_Nitrous_DotDotPwn_Slides.pdf

by nitr0us - "on my flight to Las Vegas"
August 2nd, 2011

Thanks to LightOS for this nice idea ;) .. cheers br0 !

OUTPUT:
[tr3w@DarkLight ~]$ ./a.out 
a: 1 	 b: 16
medium_point between a,b: 8
vulnerable (deepness = 8) == 0
bisection(8, 16)

a: 8 	 b: 16
medium_point between a,b: 12
vulnerable (deepness = 12) == 1
bisection(8, 12)

a: 8 	 b: 12
medium_point between a,b: 10
vulnerable (deepness = 10) == 0
bisection(10, 12)

a: 10 	 b: 12
medium_point between a,b: 11
vulnerable (deepness = 11) == 1

Traversal found ! Exact Deepness: 11

 */

#include<stdio.h>

// It simulates a vulnerability with a deepness of 11
// e.g. http://foo/../../../../../../../../../../../etc/passwd
int traversal(int deepness)
{
	if(deepness >= 11){ 
		return 1;
	} else {
		return 0;
	}
}

// Bisection Algorithm
int bisection(int a, int b){
	int medium_point, vulnerable = 0;

	printf("a: %d \t b: %d\n", a, b);

	medium_point = ((a + b) / 2);
	printf("medium_point between a,b: %d\n", medium_point);

	vulnerable = traversal(medium_point);	
	printf("vulnerable (deepness = %d) == %d\n", medium_point, vulnerable);

	if((b - a) <= 2 ){
		return medium_point;
	} else{
		if(vulnerable){
			b = medium_point;
		} else{
			a = medium_point;
		}

		printf("bisection(%d, %d)\n\n", a, b);

		return bisection(a, b);
	}
}

int main(){
    // A traversal vulnerability has been found in the deepness 16th
	printf("\nTraversal found ! Exact Deepness: %d\n", bisection(1, 16));

	return 0;
}