• Stars
    star
    246
  • Rank 164,726 (Top 4 %)
  • Language
    Python
  • License
    MIT License
  • Created almost 10 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

🐩 Poodle (Padding Oracle On Downgraded Legacy Encryption) attack CVE-2014-3566 🐩

Poodle PoC 🐩 🐩 🐩

A proof of concept of the Poodle Attack (Padding Oracle On Downgraded Legacy Encryption) :

a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0

The Poodle attack allow you to retrieve encrypted data send by a client to a server if the Transport Layer Security used is SSLv3. It does not allow you to retrieve the private key used to encrypt the request.

imgonline-com-ua-twotoone-luefsrwi2n8iqy

1. 🐩 Concept of the attack 🐩

SSLv3 and CBC cipher mode

SSLv3 is a protocol to encrypt/decrypt and secure your data. In our case, he uses the CBC cipher mode chainning . The plaintext is divided into block regarding the encryption alogithm (AES,DES, 3DES) and the length is a mulitple of 8 or 16. If the plaintext don't fill the length, a padding is added at the end to complete the missing space. I strongly advice you to open this images of encryption and decryption to read this readme.

Encryption Decryption
Ci = Ek(Pi ⊕ Ci-1), and C0 = IV Pi = Dk(Ci) ⊕ Ci-1, and C0 = IV

Basically this is just some simple XOR, you can also watch this video (not me) https://www.youtube.com/watch?v=0D7OwYp6ZEc.

A request send over HTTPS using SSLv3 will be ciphered with AES/DES and the mode CBC. The particularity of SSlv3 over TLS1.x is the padding. In SSLv3 the padding is fill with random bytes except the last byte equal to the length of the padding.

Example:

T|E|X|T|0xab|0x10|0x02 where 0xab|0x10|0x02 is the padding.
T|E|X|T|E|0x5c|0x01 where 0x5c|0x01 is the padding.

Also the last block can be fill with a full block of padding meaning the last block can be full a random byte except the last byte.

T|E|X|T|E|0x5c|0x01|0x3c|0x09|0x5d|0x08|0x04|0x07 where |0x5c|0x01|0x3c|0x09|0x5d|0x08|0x04|0x07 is the padding on only the 0x07 is know by the attacker. So if an attacker is able to influence the padding block, he will be able to know that the last byte of the last block is equal to the length of a block.

Influence the padding

An attacker must be able to make the victim send requests (using javascript by exploiting an XSS for example). Then he can control the path and the data of each request:

Example: adding "A" byte to the path of the request

GET / HTTP/1.1\r\nSECRET COOKIE\r\n\r\n
GET /AAA HTTP/1.1\r\nSECRET COOKIE\r\n\r\nDATA

With this technique he can influence the padding.

HMAC

SSLv3 also use HMAC to check the integrity and authenticate of the plaintext.

keyed-hash message authentication code (HMAC) is a specific type of message authentication code (MAC) involving a cryptographic hash function (hence the 'H') in combination with a secret cryptographic key

With this an attacker can't intercept and alter the request then send it back. If the server encounter a problem, he will send an HMAC error.

MAC-then-encrypt

The protocl SSLv3 use the following routine: he receives the data from the client, decrypt the data, check the integrity with the HMAC.

MAC-then-Encrypt: Does not provide any integrity on the ciphertext, since we have no way of knowing until we decrypt the message whether it was indeed authentic or spoofed. Plaintext integrity. If the cipher scheme is malleable it may be possible to alter the message to appear valid and have a valid MAC. This is a theoretical point, of course, since practically speaking the MAC secret > should provide protection. Here, the MAC cannot provide any information on the plaintext either, since it is encrypted.

https://crypto.stackexchange.com/questions/202/should-we-mac-then-encrypt-or-encrypt-then-mac

This mean that we can alter the ciphered text without the server knowing it. this is great, really :)

2. 🔑 Cryptography 🔑

First the last block need to be full of padding, like we see previously the attacker use path of the request and check the length of the request.

  • He saves the length of the original cipher
  • He adds one byte in the path and check the length.
    • If the length doesn't change he adds another byte etc.
    • Else : the length of the cipher request change, he knows the last block is full of padding.

Since the last block except the last byte is full of random bytes he can replace this last block Cn by the block he wants to decrypt Ci. The altered request is send to the server.

The server :

  • remove the padding regarding the length of the last byte
  • get the hmac from the request = HMAC
  • get the plaintext
  • compare hmac(plaintext) and HMAC
    • if equal => good padding
    • else => bad padding

By replacing the last block the attacker also changes the the last byte of the last block (the length of the padding). There is 1/256 the last byte replace in the padding block is the same than the orginal, in this case there will be no padding error and the attacker can use this XOR operation to retrieve the last byte of the block Ci by following this operation :

Pn = Dk(Cn) ⊕ Cn-1
Pn = Dk(Ci) ⊕ Cn-1
Pn = Dk(Ci) ⊕ Cn-1
xxxxxxx7 = Dk(Ci) ⊕ Cn-1
Dk(Ci) = xxxxxxx7 ⊕ Cn-1
Pi ⊕ Ci-1 = xxxxxxx7 ⊕ Cn-1
Pi = Ci-1 ⊕ xxxxxxx7 ⊕ Cn-1

(xxxxxxx7 or xxxxxxx15 and x random byte)

The last byte of the block can be retrieve Pi[7] = Ci-1[7] ⊕ xxxxxxx7 ⊕ Cn-1[7] In case of padding the attacker need to close the SSL session to make another handshake (new AES key) and get new cipher then replace the last block etc. (generaly +300 handshake needed)

Once one byte is retrieve he will get all the other byte of the block by adding a byte in the path and remove one byte in the data :

Request to retrieve byte E,I,K,O
GET /a SECRET_COOKIE dataazerty PADDING_7
GET /aa SECRET_COOKIE dataazert PADDING_7
GET /aaa SECRET_COOKIE dataazer PADDING_7
GET /aaaa SECRET_COOKIE dataaze PADDING_7

About TLS1.0

Even though TLS specifications require servers to check the padding, some implementations fail to validate it properly, which makes some servers vulnerable to POODLE even if they disable SSL 3.0

TLS is normaly safe against Poodle, but some implementations don't check the padding, it's like if we used SSLv3, this is why some TLS version are vulnerable.

3. 💥 Start the attack 💥

There is three files in this repository:

  • poodle-poc.py -> A Proof Of Concept that doesn't require any prerequise
  • parallelization-poodle.py -> ANother Proof Of Concept but using parallelization (really fast)
  • poodle-exploit.py -> An exploit for real-case scenario
1. The poodle-poc.py file

This poc explore the cryptography behind the attack. This file allow us to understand how the attack works in a simple way.

python3 poodle-poc.py
2. The poodle-poc.py file

The file parallelization-poodle.py is a project, and idea :) check #1

python3 parallelization-poodle.py

asciicast

3. The poodle-exploit.py file

This is the real exploit. Really usefull with you want to make a proof a concept about the Poodle Attack for a client during a pentest if he used old server and browser. Just put the ip of your malicious proxy into the config browser with the correct port, the proxy will take care of the rest.

Requirement:

  • make sure the client and the browser can communicate with the protocol SSLv3 only, force only SSLv3 in firefox using security.tls.version.min: 0 for example. Alternatively, if the client also use TLS you can force the downgrade
  • make sure the server is vulnerable, use the tool testssl.sh image
  • make sure you can inject Javascript on the client side (XSS)
  • make sure you can intercept the connection between the client and the server

💀 If you have these prerequisites you can start the attack 💀:

Tow options ara available for this exploit:

  1. Setup the IP adress and the port of the proxy directly on the client side and run the exploit ( go to the part 3)
  2. Setup an ARP spoofing attack to redirect all the traffic between the client and the server on your machine
  • Enable the forwarding and set an Iptable rule to redirect the traffic from the client to your proxy
$> echo 1 > /proc/sys/net/ipv4/ip_forward
$> iptables -i vmnet1 -t nat -A PREROUTING -p tcp --dport 1337 -j REDIRECT --to-ports 1337
  • Use the tool arpspoof, ettercap or bettercap to run an ARP spoofing attack
$> bettercap -iface vmnet1
net.show
set arp.spoof.internal true
arp.spoof on
  1. Run the proxy
> ~/T/poodle-Poc on master ⨯ python3 poodle-exploit.py -h              13:10:24
usage: poodle-exploit.py [-h] [--start-block START_BLOCK]
                         [--stop-block STOP_BLOCK] [--simpleProxy SIMPLEPROXY]
                         proxy port server rport

Poodle Exploit by @mpgn_x64

positional arguments:
  proxy                 ip of the proxy
  port                  port of the proxy
  server                ip of the remote server
  rport                 port of the remote server

optional arguments:
  -h, --help            show this help message and exit
  --start-block START_BLOCK
                        start the attack at this block
  --stop-block STOP_BLOCK
                        stop the attack at this block
  --simpleProxy SIMPLEPROXY
                        Direct proxy, no ARP spoofing attack

$> python3 poodle-exploit.py 192.168.13.1 4443 192.168.13.133 443 --start-block 46 --stop-block 50

Choosing a block: if you don't specify the block option, all the block will be decrypted but this can take a long time. I strongly advise you 'know' how the request will be formated and use the script request-splitter.py to know the block you want to decrypt (idealy the cookie block ! :)

Then insert the javascript malicious code (poodle.js) into the vulnerable website using an XSS for example. Launch the python script and type help, then search, and finaly active. During that time, only two interactions with the javascript will be needed (search and active command).

Update 01/04/2018: downgrade option has been added to the exploit. When the exploit detect the TLS protocol, enter the command downgrade to downgrade to SSLv3.0.

How it works ? during the handshake (after the hello client), the exploit send a handshake_failure 15030000020228 then the browser should resend a hello client with SSLv3.0 as default protocol. Tested on chrome version 15 but it's not working on Firefox (I think he doesn't support protocol renegociation), check #4

Full video of the exploitation:

ezgif-3-90a926f34356

Asciinema:

asciicast

Contributor

mpgn

Licence

licence MIT

References

More Repositories

1

BackupOperatorToDA

From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain Controller
C++
389
star
2

Padding-oracle-attack

🔓 Padding oracle attack against PKCS7 🔓
Python
319
star
3

Spring-Boot-Actuator-Exploit

Spring Boot Actuator (jolokia) XXE/RCE
Java
318
star
4

CVE-2019-0192

RCE on Apache Solr using deserialization of untrusted data via jmx.serviceUrl
Python
209
star
5

ByP-SOP

🏴‍☠️ Bypass Same Origin Policy with DNS-rebinding to retrieve local server files 🏴‍☠️
HTML
195
star
6

CVE-2019-5418

CVE-2019-5418 - File Content Disclosure on Ruby on Rails
192
star
7

CVE-2019-19781

CVE-2019-19781 - Remote Code Execution on Citrix ADC Netscaler exploit
Python
155
star
8

CVE-2019-7238

🐱‍💻 Poc of CVE-2019-7238 - Nexus Repository Manager 3 Remote Code Execution 🐱‍💻
Python
149
star
9

Rails-doubletap-RCE

RCE on Rails 5.2.2 using a path traversal (CVE-2019-5418) and a deserialization of Ruby objects (CVE-2019-5420)
Ruby
133
star
10

discord-e2e-encryption

🔑 Tampermonkey script that encrypt and decrypt your messages on Discord 🔑
JavaScript
87
star
11

heartbleed-PoC

💔 Hearbleed exploit to retrieve sensitive information CVE-2014-0160 💔
Python
78
star
12

BEAST-PoC

💪 Proof Of Concept of the BEAST attack against SSL/TLS CVE-2011-3389 💪
Python
67
star
13

CVE-2018-17246

CVE-2018-17246 - Kibana LFI < 6.4.3 & 5.6.13
58
star
14

CVE-2019-7609

RCE on Kibana versions before 5.6.15 and 6.6.0 in the Timelion visualizer
52
star
15

CVE-2019-9580

CVE-2019-9580 - StackStorm: exploiting CORS misconfiguration (null origin) to gain RCE
HTML
32
star
16

CVE-2019-3799

CVE-2019-3799 - Spring Cloud Config Server: Directory Traversal < 2.1.2, 2.0.4, 1.4.6
31
star
17

CRIME-poc

🔪 CRIME attack PoC : a compression oracle attacks CVE-2012-4929 🔪
Python
27
star
18

astudiaeth

Master CSI
TeX
26
star
19

CVE-2018-16341

CVE-2018-16341 - Nuxeo Remote Code Execution without authentication using Server Side Template Injection
Python
24
star
20

ntlmrelayx-prettyloot

Convert the loot directory of ntlmrelayx into an enum4linux like output
Python
21
star
21

CVE-2018-19276

CVE-2018-19276 - OpenMRS Insecure Object Deserialization RCE
Python
16
star
22

HallOfFame-Root-me.org

💀 Root-me Hall Of Fame dashboard 💀
Python
14
star
23

DllInjectExec

💉 Dll injection for executable file 💉
C++
13
star
24

Slanger-RCE

RCE in Slanger using deserialization of Ruby objects
Python
11
star
25

CVE-2018-3760

Rails Asset Pipeline Directory Traversal Vulnerability
8
star
26

ropycat

Scripts that allow you to copy/past text into another Windows process to bypass Citrix copy/paste limitation
C#
8
star
27

CVE-2019-9978

CVE-2019-9978 - RCE on a Wordpress plugin: Social Warfare < 3.5.3
8
star
28

discourse-cookie-token-domain

🍪 Allow to setup cookie token to authenticate user 🍪
Ruby
7
star
29

CVE-2018-11686

CVE-2018-11686 - FlexPaper PHP Publish Service RCE <= 2.3.6
Python
6
star
30

ShareP0wn

ShareP0wn
Python
6
star
31

copper-jekyll-theme

Copper Jekyll theme - simple and useful
CSS
5
star
32

YTC-ID

📌 Get the YouTube channel ID ! 📌
HTML
4
star
33

DllInjectService

💉 Dll ready to be injected into a service 💉
C++
4
star
34

docker_dashboard

Python
4
star
35

impacket-cme

Python
2
star
36

AChat-Reverse-TCP-Exploit

Tested on AChat 0.150 Beta 7 Windows 7/8/10 x86/x64
Python
2
star
37

Ipsum

Small app for YouTube Network. Get a free submit form for YouTube Channel who want join your network. With AngularJS
JavaScript
1
star
38

Pyrox

For Youtube Network with YouTube API V3 Public
PHP
1
star
39

swindle

Swindle is a project for YouTube Network
PHP
1
star