3DES-HMAC Exploit
| #!/usr/bin/env python | |
| import sys | |
| from pwn import * | |
| from base64 import urlsafe_b64decode, urlsafe_b64encode | |
| from oracle import PaddingOracle | |
| from hashpumpy import hashpump | |
| import requests | |
| base_url = sys.argv[1] | |
| cookie = '' | |
| try: | |
| cookie = read('cookie.tmp') | |
| except IOError: | |
| resp = requests.post(base_url + '/login/', data = {'username':'lol','password':'lol'}, allow_redirects=False) | |
| cookie = urlsafe_b64decode(resp.cookies['auth']) | |
| write('cookie.tmp', cookie) | |
| def query(val): | |
| for _ in range(3): | |
| try: | |
| resp = requests.get(base_url + '/flag/', cookies = { 'auth' : urlsafe_b64encode(val) }) | |
| return True | |
| except requests.exceptions.ConnectionError: | |
| pass | |
| return False | |
| cookie_decrypted = '' | |
| oracle = PaddingOracle(query = query, block_size = 8, nested = 3) | |
| print "Decrypting cookie..." | |
| try: | |
| cookie_decrypted = read('cookie_decrypted.tmp') | |
| except IOError: | |
| cookie_decrypted = oracle.decrypt(cookie) | |
| write('cookie_decrypted.tmp', cookie_decrypted) | |
| print "Decrypted Cookie:" | |
| print hexdump(cookie_decrypted) | |
| mac, pt = cookie_decrypted[:16], cookie_decrypted[16:] | |
| key_size = 16 | |
| print "Extending cookie..." | |
| new_mac, new_data = hashpump(enhex(mac), pt, "&username=almighty_administrator&is_admin=of_course", key_size) | |
| print "New MAC:", new_mac | |
| new_cookie = unhex(new_mac) + new_data | |
| print "New Cookie:" | |
| print hexdump(new_cookie) | |
| print "Encrypting cookie..." | |
| extended_cookie = '' | |
| try: | |
| extended_cookie = read('extended_cookie.tmp') | |
| except IOError: | |
| iv, ct = oracle.encrypt(new_cookie) | |
| extended_cookie = iv + ct | |
| write('extended_cookie.tmp', extended_cookie) | |
| print 'Cookie:', urlsafe_b64encode(extended_cookie) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment