From 18acbfa8d29fd1ca9c90fb252b735b2901bbe7fa Mon Sep 17 00:00:00 2001
From: Benedict <benedict@0xb8000.de>
Date: Thu, 26 Jan 2017 12:47:42 +0100
Subject: set7: task50: completed

---
 set7/task49.c | 14 +----------
 set7/task50.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+), 13 deletions(-)
 create mode 100644 set7/task50.c

(limited to 'set7')

diff --git a/set7/task49.c b/set7/task49.c
index 62650ba..932a171 100644
--- a/set7/task49.c
+++ b/set7/task49.c
@@ -3,21 +3,9 @@
 #include "../lib/lib3.h"
 #include "../lib/lib4.h"
 #include "../lib/lib5.h"
-#include <time.h>
-#include <openssl/aes.h>
+#include "../lib/lib7.h"
 
 
-int cbc_mac(char *msg, unsigned int msg_len, char *iv, char *key, char *mac)
-{
-	int padding_len = 0;
-
-	char *msg_padded = __pkcs7_padding(msg, msg_len, 16, &padding_len);
-	char *res = malloc(msg_len+padding_len);
-	aes_cbc(msg_padded, msg_len+padding_len, res, key, iv, 1);
-	char *ciphertext = malloc(msg_len+padding_len);
-	memcpy(mac, &res[msg_len+padding_len-16], 16);
-}
-
 int cbc_mac_forge_controlled_iv(char *msg_is, char *msg_should, char *iv)
 {
 	// generate iv and mac and concat all
diff --git a/set7/task50.c b/set7/task50.c
new file mode 100644
index 0000000..554add7
--- /dev/null
+++ b/set7/task50.c
@@ -0,0 +1,78 @@
+#include "../lib/lib.h"
+#include "../lib/lib2.h"
+#include "../lib/lib3.h"
+#include "../lib/lib4.h"
+#include "../lib/lib5.h"
+#include "../lib/lib7.h"
+
+void generate_random_printable_bytes(char *s, unsigned int length)
+{
+	int i;
+
+	for(i=0;i<length;i++)
+		s[i] = random_number_between(33,127);
+}
+
+// simple length extension could work with the same hash,
+// to avoid that we get syntax error because of obsucre input
+// makes everthings after our alter a comment, additionally ensure that
+// all characters are printable aka. [33,127]
+int main()
+{
+	int i, value;
+	char *__msg = "alert('MZA who was that?');\n";
+	char *msg = malloc(strlen(__msg));
+	memcpy(msg, __msg, strlen(__msg));
+	char *key = "YELLOW SUBMARINE";
+	char iv[15];
+	char mac[16];
+	char hex_mac[32];
+
+	memset(iv, 0, 16);
+	cbc_mac(msg, strlen(msg), iv, key, mac);
+	hex_binary_to_string(mac, hex_mac, 16);
+	//printf("mac is: %s\n", hex_mac);
+
+	char *__expand = "alert('Ayo, the Wu is back!'); //";
+	char *expand = malloc(strlen(__expand)+16+16);
+	memcpy(expand, __expand, strlen(__expand));
+	// generate a printable version
+	// ensure that padding is 0x09 (=> TAB \t)
+	for(i=0;i<16;i++) {
+		value = 16 - ((strlen(__expand)+i) % 16);
+		// add character until value == 9 to expand
+		if(value != 16)
+			expand[strlen(__expand)+i] = '/';
+		else
+			expand[strlen(__expand)+i] = '\0';
+	}
+	int expand_len = strlen(expand);
+	// now we have a full with 7 bytes we can change + 9 bytes padding (TAB)
+	// we want to change the 7 bytes so that the result is printable
+	char *concat = malloc(strlen(msg)+expand_len+9);
+	int pad_len;
+	while(1) {
+		// construct a first block of msg so that mac[i] ^ msg[i]
+		generate_random_printable_bytes(&expand[expand_len], 7);
+		memset(iv, 0 ,16);
+		cbc_mac(expand, expand_len+7, iv, key, mac);
+		char *expand_padded = __pkcs7_padding(expand, expand_len+7, 16, &pad_len);
+		if (pad_len != 9)
+			printf("ERROR: padding length is nor 9: %i\n", pad_len);
+		memcpy(concat, expand_padded, expand_len+7+pad_len);
+		memcpy(&concat[expand_len+pad_len+7], msg, strlen(msg));
+
+		for(i=0;i<16;i++)
+			concat[i+pad_len+7+expand_len] = mac[i] ^ msg[i];
+
+		if(isprintable(&concat[pad_len+6+expand_len], 17) == 1)
+			break;
+	}
+	//printf("printable string is:\n");
+	printf("%s", concat);
+	memset(iv, 0, 16);
+	cbc_mac(concat, strlen(msg)+expand_len+pad_len+7, iv, key, mac);
+	hex_binary_to_string(mac, hex_mac, 16);
+	//printf("mac is: %s\n", hex_mac);
+
+}
-- 
cgit v1.2.3-70-g09d2