diff options
| author | Benedict <benedict@0xb8000.de> | 2017-01-26 12:47:42 +0100 |
|---|---|---|
| committer | Benedict <benedict@0xb8000.de> | 2017-02-21 13:00:27 +0100 |
| commit | 18acbfa8d29fd1ca9c90fb252b735b2901bbe7fa (patch) | |
| tree | 9e994cceb6a3e66eb2e7a11ea79734de0bb02f3f | |
| parent | 96447557db2f8a3c2e5f4c32f0cc9d3fb2d5582f (diff) | |
set7: task50: completed
| -rw-r--r-- | lib/lib.c | 3 | ||||
| -rw-r--r-- | lib/lib7.c | 13 | ||||
| -rw-r--r-- | lib/lib7.h | 8 | ||||
| -rw-r--r-- | set7/task49.c | 14 | ||||
| -rw-r--r-- | set7/task50.c | 78 |
5 files changed, 102 insertions, 14 deletions
@@ -34,7 +34,8 @@ int isprintable(char *string, int length) int i; for(i=0;i<length;i++) { - if(!(isprint(string[i]) || isspace(string[i]))) { + // ` is only for task50 ... + if(!(isprint(string[i]) || isspace(string[i])) || string[i] == '`') { return 0; } } diff --git a/lib/lib7.c b/lib/lib7.c new file mode 100644 index 0000000..b3e05da --- /dev/null +++ b/lib/lib7.c @@ -0,0 +1,13 @@ +#include "lib7.h" +#include "lib2.h" + +int cbc_mac(char *msg, unsigned int msg_len, char *iv, char *key, char *mac) +{ + int padding_len = 0; + + char *msg_padded = __pkcs7_padding(msg, msg_len, 16, &padding_len); + char *res = malloc(msg_len+padding_len); + aes_cbc(msg_padded, msg_len+padding_len, res, key, iv, 1); + char *ciphertext = malloc(msg_len+padding_len); + memcpy(mac, &res[msg_len+padding_len-16], 16); +} diff --git a/lib/lib7.h b/lib/lib7.h new file mode 100644 index 0000000..724e70d --- /dev/null +++ b/lib/lib7.h @@ -0,0 +1,8 @@ +#ifndef __LIB_7__ +#define __LIB_7__ + + + +int cbc_mac(char *msg, unsigned int msg_len, char *iv, char *key, char *mac); + +#endif diff --git a/set7/task49.c b/set7/task49.c index 62650ba..932a171 100644 --- a/set7/task49.c +++ b/set7/task49.c @@ -3,21 +3,9 @@ #include "../lib/lib3.h" #include "../lib/lib4.h" #include "../lib/lib5.h" -#include <time.h> -#include <openssl/aes.h> +#include "../lib/lib7.h" -int cbc_mac(char *msg, unsigned int msg_len, char *iv, char *key, char *mac) -{ - int padding_len = 0; - - char *msg_padded = __pkcs7_padding(msg, msg_len, 16, &padding_len); - char *res = malloc(msg_len+padding_len); - aes_cbc(msg_padded, msg_len+padding_len, res, key, iv, 1); - char *ciphertext = malloc(msg_len+padding_len); - memcpy(mac, &res[msg_len+padding_len-16], 16); -} - int cbc_mac_forge_controlled_iv(char *msg_is, char *msg_should, char *iv) { // generate iv and mac and concat all diff --git a/set7/task50.c b/set7/task50.c new file mode 100644 index 0000000..554add7 --- /dev/null +++ b/set7/task50.c @@ -0,0 +1,78 @@ +#include "../lib/lib.h" +#include "../lib/lib2.h" +#include "../lib/lib3.h" +#include "../lib/lib4.h" +#include "../lib/lib5.h" +#include "../lib/lib7.h" + +void generate_random_printable_bytes(char *s, unsigned int length) +{ + int i; + + for(i=0;i<length;i++) + s[i] = random_number_between(33,127); +} + +// simple length extension could work with the same hash, +// to avoid that we get syntax error because of obsucre input +// makes everthings after our alter a comment, additionally ensure that +// all characters are printable aka. [33,127] +int main() +{ + int i, value; + char *__msg = "alert('MZA who was that?');\n"; + char *msg = malloc(strlen(__msg)); + memcpy(msg, __msg, strlen(__msg)); + char *key = "YELLOW SUBMARINE"; + char iv[15]; + char mac[16]; + char hex_mac[32]; + + memset(iv, 0, 16); + cbc_mac(msg, strlen(msg), iv, key, mac); + hex_binary_to_string(mac, hex_mac, 16); + //printf("mac is: %s\n", hex_mac); + + char *__expand = "alert('Ayo, the Wu is back!'); //"; + char *expand = malloc(strlen(__expand)+16+16); + memcpy(expand, __expand, strlen(__expand)); + // generate a printable version + // ensure that padding is 0x09 (=> TAB \t) + for(i=0;i<16;i++) { + value = 16 - ((strlen(__expand)+i) % 16); + // add character until value == 9 to expand + if(value != 16) + expand[strlen(__expand)+i] = '/'; + else + expand[strlen(__expand)+i] = '\0'; + } + int expand_len = strlen(expand); + // now we have a full with 7 bytes we can change + 9 bytes padding (TAB) + // we want to change the 7 bytes so that the result is printable + char *concat = malloc(strlen(msg)+expand_len+9); + int pad_len; + while(1) { + // construct a first block of msg so that mac[i] ^ msg[i] + generate_random_printable_bytes(&expand[expand_len], 7); + memset(iv, 0 ,16); + cbc_mac(expand, expand_len+7, iv, key, mac); + char *expand_padded = __pkcs7_padding(expand, expand_len+7, 16, &pad_len); + if (pad_len != 9) + printf("ERROR: padding length is nor 9: %i\n", pad_len); + memcpy(concat, expand_padded, expand_len+7+pad_len); + memcpy(&concat[expand_len+pad_len+7], msg, strlen(msg)); + + for(i=0;i<16;i++) + concat[i+pad_len+7+expand_len] = mac[i] ^ msg[i]; + + if(isprintable(&concat[pad_len+6+expand_len], 17) == 1) + break; + } + //printf("printable string is:\n"); + printf("%s", concat); + memset(iv, 0, 16); + cbc_mac(concat, strlen(msg)+expand_len+pad_len+7, iv, key, mac); + hex_binary_to_string(mac, hex_mac, 16); + //printf("mac is: %s\n", hex_mac); + +} |