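def main():
    """Show that CBC ciphertext without an integrity check can be altered.

    CBC decryption XORs every decrypted block with the previous ciphertext
    block. Flipping a bit in ciphertext block N therefore flips the same bit
    in plaintext block N+1, while plaintext block N decrypts to garbage.
    The placeholders '!' and '.' are used because enc_userdata is expected
    to escape ';' and '=' before encrypting.

    Takeaway for real systems: encryption alone does not protect the meaning
    of a message. Authenticate the ciphertext (encrypt-then-MAC or an AEAD
    mode) and reject anything that fails verification before parsing it.
    """
    # The original also assigned a local ``key`` here that nothing read: the
    # helpers use the module-level key, so the dead assignment is dropped.
    plaintext = ('x' * 16) + '!admin.true!'
    enc = bytearray(enc_userdata(plaintext))

    # Offsets assume a 32-byte prefix ahead of the user data (TODO confirm
    # against enc_userdata). The 16 filler bytes then sit in ciphertext
    # offsets 32-47 and the placeholder text opens the following block.
    # Each entry: (ciphertext offset, byte currently there, byte wanted).
    edits = (
        (32, '!', ';'),  # '!' ^ 26 = ';'
        (38, '.', '='),  # '.' ^ 19 = '='
        (43, '!', ';'),  # '!' ^ 26 = ';'
    )
    for offset, have, want in edits:
        enc[offset] ^= ord(have) ^ ord(want)

    dec = dec_userdata(bytes(enc))
    print(dec)
    print(is_admin(dec))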
def enc_oracle(plaintext):
    """Return AES-ECB(plaintext || decoded ``postfix``) under a process-wide key.

    ``key`` and ``postfix`` are module-level names defined outside this
    snippet; ``postfix`` is base64 text that is decoded on every call.

    Security note: ECB is deterministic and works block by block, so equal
    plaintext blocks always produce equal ciphertext blocks. A service shaped
    like this one (caller-chosen bytes followed by a secret, fixed key) leaks
    information about the secret and must not be exposed; use an AEAD mode
    with a unique nonce per message instead.
    """
    global key
    # Create the key once, on first use, and keep it for later calls.
    if key is None:
        key = ch11.rand_bytes(16)

    ecb = AES.new(key, AES.MODE_ECB)
    plaintext += binascii.a2b_base64(postfix)
    # The random-padding variant (ch11.rand_padding) stays disabled, as in
    # the original; only PKCS#7 padding to the 16-byte block size is applied.
    return ecb.encrypt(ch9.pad_PCKS7(plaintext, 16))
def main():
    """Splice ciphertext blocks from two encrypted profiles and decrypt the mix.

    The first 32 bytes of one ciphertext are joined with bytes 16-32 of a
    second one, and the result is decrypted under the same key. This only
    yields a meaningful profile if profile_encrypt processes each 16-byte
    block independently (presumably ECB; the helper is not visible here).

    Takeaway for real systems: a block-independent mode without a MAC lets
    ciphertext blocks be rearranged unnoticed. Use authenticated encryption
    so any spliced message fails verification.
    """
    key = ch11.rand_bytes(16)

    # NOTE(review): the literal below is 14 characters and looks redacted in
    # this listing; the author's comment asks for 13. Confirm before relying
    # on the block alignment.
    email1 = '*****@*****.**'  # Want this to be 13 characters
    # NOTE(review): 'adminadminadmindf' is 17 characters, so 'admin' plus the
    # eleven 0x0b bytes is not a clean 16-byte block unless profile_for
    # changes the length. Verify against profile_for.
    email2 = 'adminadminadmindf' + ('\x0b' * 11)  # Want admin string to start after 10 characters

    first_profile = profile_for(email1)
    second_profile = profile_for(email2)

    first_ct = profile_encrypt(first_profile, key)
    second_ct = profile_encrypt(second_profile, key)

    first_pt = profile_decrypt(first_ct, key)
    second_pt = profile_decrypt(second_ct, key)

    head = slice(0, 32)   # first two blocks of profile 1
    tail = slice(16, 32)  # second block of profile 2

    # Expected result, assembled from the two separately decrypted profiles.
    print(first_pt[head] + second_pt[tail])
    # Actual result of decrypting the spliced ciphertext.
    print(profile_decrypt(first_ct[head] + second_ct[tail], key))
from Crypto.Cipher import AES
import ch9
import ch10
import ch11

# Module-wide AES key and CBC IV, generated once at import time and shared by
# every call below.
# NOTE(review): reusing one IV for all messages under the same key makes CBC
# deterministic for messages with a common prefix; production code should use
# a fresh random IV per message. Also confirm ch11.rand_bytes is backed by a
# CSPRNG (its implementation is not visible here).
key = ch11.rand_bytes(16)
IV = ch11.rand_bytes(16)

def enc_userdata(s):
    """Wrap ``s`` in the fixed prefix/suffix and return its CBC ciphertext.

    ';' and '=' in ``s`` are percent-escaped first, so the caller cannot add
    new ``key=value`` fields to the plaintext. The combined string is UTF-8
    encoded, padded to a 16-byte boundary by ch9.pad_PCKS7 and encrypted with
    the module-level key and IV.

    Security note: the escaping only constrains the plaintext going in. The
    function returns bare ciphertext with no MAC or AEAD tag, so it gives no
    protection against ciphertext that is modified afterwards.
    """
    # Both names are only read here, so the ``global`` statements are not
    # strictly required.
    global key
    global IV
    prefix = "comment1=cooking%20MCs;userdata="
    suffix = ";comment2=%20like%20a%20pound%20of%20bacon"
    cipher = ch10.CBC(AES.new(key, AES.MODE_ECB), IV)
    # Neutralise the field separators before the data is embedded.
    s = s.replace(';', '%3B').replace('=', '%3D')
    s = (prefix + s + suffix).encode('utf-8')
    s = ch9.pad_PCKS7(s, 16)
    return cipher.encrypt(s)

def dec_userdata(ciphertext):
    """Decrypt ``ciphertext`` with the module-level key and IV.

    The result of ``cipher.decrypt`` is returned as-is. No integrity check
    runs before decryption, so any 16-byte-aligned input is accepted.
    NOTE(review): whether ch10.CBC.decrypt strips or validates padding is not
    visible here; confirm.
    """
    cipher = ch10.CBC(AES.new(key, AES.MODE_ECB), IV)
    plaintext = cipher.decrypt(ciphertext)
    return plaintext

def is_admin(userdata):
    """Check decrypted ``userdata`` (bytes) for the ``;admin=true;`` field."""
    # A raw substring search trusts whatever the decryption produced; it is
    # only sound if the ciphertext was authenticated first.
    if userdata.find(b';admin=true;') != -1:
        # NOTE(review): the listing is cut off here; the branch body and the
        # rest of the function are not visible.
def gen_prefix(num):
    """Log the requested length, then return ``num`` bytes from ch11.rand_bytes.

    Only the length is printed; the generated bytes themselves are never
    written to stdout.
    """
    banner = f"GENERATING PREFIX OF LENGTH {num}"
    print(banner)
    prefix = ch11.rand_bytes(num)
    return prefix
def gen_key(blk_sz):
    """Log a notice, then return ``blk_sz`` bytes from ch11.rand_bytes as a key.

    The parameter is named after the block size but is used as the key
    length; the two coincide at 16 bytes for AES-128.

    NOTE(review): key material must come from a CSPRNG (``os.urandom`` or
    ``secrets``). ch11.rand_bytes is not visible here; confirm its source.
    """
    notice = "GENERATING KEY"
    print(notice)
    fresh_key = ch11.rand_bytes(blk_sz)
    return fresh_key
import ch15

# Base64-encoded sample plaintexts; enc_oracle picks one at random per call.
strings = [
    b'MDAwMDAwTm93IHRoYXQgdGhlIHBhcnR5IGlzIGp1bXBpbmc=',
    b'MDAwMDAxV2l0aCB0aGUgYmFzcyBraWNrZWQgaW4gYW5kIHRoZSBWZWdhJ3MgYXJlIHB1bXBpbic=',
    b'MDAwMDAyUXVpY2sgdG8gdGhlIHBvaW50LCB0byB0aGUgcG9pbnQsIG5vIGZha2luZw==',
    b'MDAwMDAzQ29va2luZyBNQydzIGxpa2UgYSBwb3VuZCBvZiBiYWNvbg==',
    b'MDAwMDA0QnVybmluZyAnZW0sIGlmIHlvdSBhaW4ndCBxdWljayBhbmQgbmltYmxl',
    b'MDAwMDA1SSBnbyBjcmF6eSB3aGVuIEkgaGVhciBhIGN5bWJhbA==',
    b'MDAwMDA2QW5kIGEgaGlnaCBoYXQgd2l0aCBhIHNvdXBlZCB1cCB0ZW1wbw==',
    b'MDAwMDA3SSdtIG9uIGEgcm9sbCwgaXQncyB0aW1lIHRvIGdvIHNvbG8=',
    b'MDAwMDA4b2xsaW4nIGluIG15IGZpdmUgcG9pbnQgb2g=',
    b'MDAwMDA5aXRoIG15IHJhZy10b3AgZG93biBzbyBteSBoYWlyIGNhbiBibG93'
]

# Module-wide AES key and CBC IV, created once at import time.
# NOTE(review): the same IV is reused for every encryption below; production
# CBC needs a fresh random IV per message. The names ch9, ch10, ch11, AES,
# binascii and random are used further down but their imports are not
# visible in this snippet.
key = ch11.rand_bytes(16)
iv = ch11.rand_bytes(16)

def enc_oracle():
    """Encrypt one randomly chosen sample string with CBC and return it.

    The chosen entry is base64-decoded, padded to a 16-byte boundary by
    ch9.pad_PCKS7 and encrypted under the module-level key and IV. Only the
    ciphertext is returned; the IV is not part of the return value.
    """
    # Both names are only read here, so the ``global`` statements are not
    # strictly required.
    global key
    global iv
    cipher = ch10.CBC(AES.new(key, AES.MODE_ECB), iv)
    plaintext = binascii.a2b_base64( random.choice(strings) )
    padded = ch9.pad_PCKS7(plaintext, 16)
    return cipher.encrypt(padded)

def decrypt_check_pad(ciphertext):
    # NOTE(review): the listing is cut off after the next line, so the body
    # is not visible. If this function reports whether the padding was valid,
    # it gives callers a padding oracle. Production code should verify a MAC
    # or AEAD tag before looking at the padding and should return a single
    # generic error for every failure.
    global key