Friday, April 26, 2013

Padding Oracle Attack PoC in C

I'm a newbie on crypto field. *Unfortunately*, I need to deal with some
open source security stuff( openssl and gnutls) in my day job. Yes,
don't be so sad for me;-) I can handle it so far. I need to know more
knowledge about crypto. The best way to do it is writing xxx-attack
PoC. Then I've heard of Lucky-13 is something. Backport these patches
from upstream drives me crazy. Dude, you known~ 13 openssl upstream
commits( more than 1,700 loc modifies) were only for fix one security
issue what called Lucky-13 Thirteen which was disclosured in Feb 2013. It
was my honor to do this shitload work with very very low salary;-)
After I finished it, a very serious question came out of my mind: What
if another tens of shitload work pop up in the future but with no help
from the upstream community? Well...I have to eat the rocket by my own
hands. F0r preparing to handle such situation, I need to know the
detail of the attack. That's why I wrote the padding oracle attack
PoC( Download here).

I googled "padding oracle attack". I found 3 guys wrote their own
padding oracle attack PoC/tools in 3 differnt languages: perl, ruby
and python. I looked their code and articles. They guys are awesome!

Brian Holyfield( Perl guy) wrote this very good article and more
importantly it's easy to understand:

Daoge( python one) is a CHiense hacker who are good at web

Ron Bowes( Ruby guy) gave us a great presentation at Shmoocon 2013. I
really thank his practical advice. He wrote two articles about padding
oracle attack. The 1st one introduce the principle and the 2nd is
giving an great example.

Well, I'm a kind of old school guy. I decided write it in
C( not old enough as asm). This example is simple:

shawn@shawn-fortress /arsenal-4-sec-testing/libcrypto/lucky-what $ make
gcc -g -o padding_oracle_attack_poc padding_oracle_attack_poc.c -lcrypto
shawn@shawn-fortress /arsenal-4-sec-testing/libcrypto/lucky-what $ ./padding_oracle_attack_poc 
Ciphertext is 16 bytes: 83e10d51e6d122ca3faf089c7a924a7b
Decrypting now
205 is done: 00000000000000ce3faf089c7a924a7b
36 is done: 00000000000025cd3faf089c7a924a7b
214 is done: 0000000000d724cc3faf089c7a924a7b
230 is done: 00000000e7d023cb3faf089c7a924a7b
80 is done: 00000051e6d122ca3faf089c7a924a7b
110 is done: 00006f52e5d221c93faf089c7a924a7b
137 is done: 008a6e53e4d320c83faf089c7a924a7b
248 is done: f985615cebdc2fc73faf089c7a924a7b
The original plaintext is: "Hello World"
The one last block of plaintext: 726c6405050505050000000000000000
----> rld
btw: Thanks to Thomas Biege again..who is guiding me in not only one sec field... 

No comments: