#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "../lib/lib.h"
#include "../lib/lib2.h"
#include "../lib/lib3.h"
#include "../lib/lib4.h"
#include "../lib/lib5.h"
#include "../lib/lib7.h"
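/*
 * Fill s[0 .. length) with bytes drawn from random_number_between(33, 127).
 *
 * The intent (see the caller) is printable ASCII.  Whether 127 (DEL, which is
 * not printable) can actually be returned depends on random_number_between's
 * inclusive/exclusive contract — confirm against the lib before relying on it.
 * The buffer is NOT NUL-terminated; the caller tracks `length` itself.
 *
 * The loop index is unsigned so it is compared against `length` without a
 * signed/unsigned mismatch; a NULL `s` or a zero `length` is a no-op.
 */
void generate_random_printable_bytes(char *s, unsigned int length)
{
    if (s == NULL) {
        return;
    }
    for (unsigned int i = 0; i < length; i++) {
        s[i] = (char)random_number_between(33, 127);
    }
}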
// A simple length extension would work with the same hash; to avoid a
// syntax error caused by the obscure (non-printable) input, make everything
// after our alteration a comment, and additionally ensure that all
// characters are printable, i.e. in [33,127].
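/*
 * Forge a CBC-MAC tag for a message the key holder never authenticated.
 *
 * What the code below does: the victim's message `msg` is tagged with
 * cbc_mac() under `key` and an all-zero IV, giving `mac`.  The attacker
 * text `expand` (a JavaScript statement ending in a `//` comment) is padded
 * with '/' to a multiple of 16 bytes, 7 random printable bytes are appended,
 * and PKCS#7 then adds exactly 9 bytes of 0x09 (TAB, itself printable).
 * `msg` is appended after that, with its first 16 bytes XORed against the
 * CBC-MAC of the padded `expand`.  Assuming cbc_mac() applies the same
 * PKCS#7 padding as __pkcs7_padding(), the CBC chaining value entering the
 * `msg` part is then the same as for `msg` alone, so the victim's original
 * tag authenticates the forged `concat`.  The 7 random bytes are re-drawn
 * until the XORed block is printable so the output stays valid script text.
 *
 * Why this matters for defenders: a raw CBC-MAC with a fixed IV is only a
 * secure MAC for fixed-length messages.  Variable-length data needs CMAC or
 * HMAC (or an explicit length prefix / per-length key separation).  This
 * program exists to make that failure mode concrete.
 *
 * Output: the forged message on stdout (no trailing newline beyond what
 * `msg` carries).  Returns 0 on success, 1 on allocation failure or an
 * unexpected padding length.
 */
int main(void)
{
    /* The legitimately authenticated message.  A mutable copy is kept
     * because the lib helpers take non-const buffers.  The copy carries its
     * NUL terminator: every strlen(msg) below depends on it. */
    const char *msg_lit = "alert('MZA who was that?');\n";
    size_t msg_len = strlen(msg_lit);
    char *msg = malloc(msg_len + 1);
    if (msg == NULL) {
        perror("malloc");
        return 1;
    }
    memcpy(msg, msg_lit, msg_len + 1);

    /* The XOR step below rewrites the first full block of msg. */
    if (msg_len < 16) {
        fprintf(stderr, "ERROR: msg must be at least 16 bytes\n");
        free(msg);
        return 1;
    }

    char *key = "YELLOW SUBMARINE";
    char iv[16];            /* one block; memset() below clears all 16 bytes */
    char mac[16];
    char hex_mac[33];       /* 32 hex digits + 1 spare byte in case
                             * hex_binary_to_string() appends a NUL — confirm
                             * against the lib */

    /* Victim's tag for msg — this is what the forged text will reuse. */
    memset(iv, 0, sizeof iv);
    cbc_mac(msg, msg_len, iv, key, mac);
    hex_binary_to_string(mac, hex_mac, 16);   /* hex form, for debugging only */

    /* Attacker text.  Room for up to 15 bytes of '/' fill plus the 7 random
     * bytes appended later (the original `+16+16` sizing is kept). */
    const char *expand_lit = "alert('Ayo, the Wu is back!'); //";
    size_t expand_lit_len = strlen(expand_lit);
    char *expand = malloc(expand_lit_len + 16 + 16);
    if (expand == NULL) {
        perror("malloc");
        free(msg);
        return 1;
    }
    memcpy(expand, expand_lit, expand_lit_len);

    /* Extend the trailing JS comment with '/' until the length is a multiple
     * of 16.  After 7 random bytes are appended, PKCS#7 padding is then
     * exactly 9 bytes of 0x09 (TAB), which is printable. */
    size_t expand_len = expand_lit_len;
    while (expand_len % 16 != 0) {
        expand[expand_len++] = '/';
    }
    expand[expand_len] = '\0';

    /* concat = padded expand (expand_len + 7 + 9) followed by msg, plus a
     * terminator so printf("%s") stops where the data ends.  pad_len is
     * verified to be 9 before anything is written into this buffer. */
    size_t concat_len = expand_len + 16 + msg_len;
    char *concat = malloc(concat_len + 1);
    if (concat == NULL) {
        perror("malloc");
        free(expand);
        free(msg);
        return 1;
    }

    int pad_len = 0;
    for (;;) {
        /* Fresh 7 free bytes, then the tag of expand||free under the key. */
        generate_random_printable_bytes(&expand[expand_len], 7);
        memset(iv, 0, sizeof iv);
        cbc_mac(expand, expand_len + 7, iv, key, mac);

        /* Ownership of expand_padded is not visible here (it may be a fresh
         * allocation) — TODO confirm against the lib and free it if owned. */
        char *expand_padded = __pkcs7_padding(expand, expand_len + 7, 16, &pad_len);
        if (pad_len != 9) {
            fprintf(stderr, "ERROR: padding length is not 9: %i\n", pad_len);
            free(concat);
            free(expand);
            free(msg);
            return 1;
        }

        size_t head_len = expand_len + 7 + (size_t)pad_len;
        memcpy(concat, expand_padded, head_len);
        memcpy(concat + head_len, msg, msg_len);

        /* First block of msg XOR tag(expand||free): this is what cancels the
         * chaining value so the victim's tag carries over. */
        for (int i = 0; i < 16; i++) {
            concat[head_len + i] = (char)(mac[i] ^ msg[i]);
        }

        /* The check starts one byte early, on the last 0x09 padding byte —
         * presumably isprintable() accepts TAB; confirm against the lib. */
        if (isprintable(&concat[head_len - 1], 17) == 1) {
            break;
        }
    }
    concat[concat_len] = '\0';

    printf("%s", concat);

    /* Tag of the forged message, for debugging: with a correct forgery it
     * should equal the tag computed for msg above. */
    memset(iv, 0, sizeof iv);
    cbc_mac(concat, concat_len, iv, key, mac);
    hex_binary_to_string(mac, hex_mac, 16);

    free(concat);
    free(expand);
    free(msg);
    return 0;
}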