Shouldn't test.py add the IV to the ciphertext?
deargle opened this issue · 0 comments
deargle commented
Hi, the readme suggests running python test.py -m mysecretmessage
to test the package, but this doesn't work because the cipher given to run
does not include the IV:
Lines 251 to 255 in 94526ce
I think an oracle usually assumes that the ciphertext includes the IV as the first block? This is just a nuance of the test file, which allows the user to pass a plaintext message, which test.py
encrypts with a fixed IV, before passing it to run
.
Prepending the IV to the cipher passed to run
resolves this:
run(iv.hex() + cipher.hex(), 16)
and recovers the entire plaintext:
$ python test.py -m mysecretmessage
[+] Encrypt mysecretmessage
[+] mysecretmessage ---> fc6df3bb5a6995d6ffa35c8df315a4c6
[+] Search value block : 1
[+] Found 2 bytes : 6501
[+] Found 3 bytes : 676501
[+] Found 4 bytes : 61676501
[+] Found 5 bytes : 7361676501
[+] Found 6 bytes : 737361676501
[+] Found 7 bytes : 65737361676501
[+] Found 8 bytes : 6d65737361676501
[+] Found 9 bytes : 746d65737361676501
[+] Found 10 bytes : 65746d65737361676501
[+] Found 11 bytes : 7265746d65737361676501
[+] Found 12 bytes : 637265746d65737361676501
[+] Found 13 bytes : 65637265746d65737361676501
[+] Found 14 bytes : 7365637265746d65737361676501
[+] Found 15 bytes : 797365637265746d65737361676501
[+] Found 16 bytes : 6d797365637265746d65737361676501
[+] Decrypted value (HEX): 6D797365637265746D65737361676501
[+] Decrypted value (ASCII): mysecretmessage
Although perhaps it would be better to show in the printed message that the IV is being prepended:
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Exploit of Padding Oracle Attack")
parser.add_argument("-m", "--message", required=True, help="message to pown")
parser.add_argument(
"-v",
"--verbose",
help="debug mode, you need a large screen",
action="store_true",
)
args = parser.parse_args()
iv = b"1234567812345678"
print("[+] Encrypt", args.message, "with IV", iv)
cipher, iv = encrypt(bytearray(args.message, "UTF-8"), iv)
print("[+] Ciphertext ---> %s" % (iv.hex() + cipher.hex()))
plaintext = decrypt(cipher, iv)
run(iv.hex() + cipher.hex(), 16)
$ python test.py -m mysecretmessage
[+] Encrypt mysecretmessage with IV b'1234567812345678'
[+] Ciphertext ---> 31323334353637383132333435363738fc6df3bb5a6995d6ffa35c8df315a4c6
[+] Search value block : 1
[+] Found 2 bytes : 6501
[+] Found 3 bytes : 676501
[+] Found 4 bytes : 61676501
[+] Found 5 bytes : 7361676501
[+] Found 6 bytes : 737361676501
[+] Found 7 bytes : 65737361676501
[+] Found 8 bytes : 6d65737361676501
[+] Found 9 bytes : 746d65737361676501
[+] Found 10 bytes : 65746d65737361676501
[+] Found 11 bytes : 7265746d65737361676501
[+] Found 12 bytes : 637265746d65737361676501
[+] Found 13 bytes : 65637265746d65737361676501
[+] Found 14 bytes : 7365637265746d65737361676501
[+] Found 15 bytes : 797365637265746d65737361676501
[+] Found 16 bytes : 6d797365637265746d65737361676501
[+] Decrypted value (HEX): 6D797365637265746D65737361676501
[+] Decrypted value (ASCII): mysecretmessage