Exemple #1
# Excerpt of a client for a service that tags messages with
# md5(secret + message).  The digest MD5 emits is its final chaining state
# (the four words A, B, C, D), which is why this construction does not
# authenticate a message; a keyed construction such as HMAC does.
# `s`, `recv`, `message`, `malicious` and `md5py` are defined outside this excerpt.

# Menu exchange: discard one reply, send option '1', discard the next
# reply, then submit the message and keep the answer.
# NOTE(review): presumably option '1' asks the service to sign -- confirm.
recv()
s.send('1\n')
recv()
s.send(message + '\n')
data = recv()

# Extract the digest the service returned for secret + message.
m = re.search(r'Your hash: (\w+)', data)
if not m:
    # No digest in the reply: stop here (silently, with no message).
    exit()

legit, = m.groups()
print('legit ' + legit)

# initialize hash object with state of a vulnerable hash
# NOTE(review): the 64 filler bytes are one MD5 block; presumably they only
# advance md5py's internal length counter before the state is overwritten
# -- confirm against md5py.
fake_md5 = md5py.new('A' * 64)
# Overwrite the four state words with the ones carried by the legit digest.
# str.decode('hex') exists only on Python 2.
fake_md5.A, fake_md5.B, fake_md5.C, fake_md5.D = md5py._bytelist2long(
    legit.decode('hex'))

# update legit hash with malicious message
fake_md5.update(malicious)

# fake_hash is the hash for md5(secret + message + padding + malicious)
fake_hash = fake_md5.hexdigest()
print('fake ' + fake_hash)

#############################
### STEP 2: Craft payload ###
#############################

# TODO: calculate proper padding based on secret + message
# secret is <redacted> bytes long (48 bits)
# each block in MD5 is 512 bits long
Exemple #2
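# Excerpt of a client for a service that tags messages with
# md5(secret + message).  The digest MD5 emits is its final chaining state,
# so such a tag does not authenticate the message; a keyed construction such
# as HMAC does.
# `s`, `host`, `port`, `message` and `md5py` are defined outside this excerpt.
s.connect((host, port))

# Menu exchange: read a reply, send option '1', read the prompt, submit the
# message, read the answer.
# NOTE(review): each recv(1024) is assumed to return one complete reply.
data = s.recv(1024)
s.send('1\n')
data = s.recv(1024)
s.send(message + '\n')
data = s.recv(1024)

# Extract the hex digest; stop with a clear message rather than an
# AttributeError on None when the reply carries no "Your hash:" line.
m = re.search('Your hash: ([a-z0-9]*)', data)
if m is None:
    raise SystemExit('no "Your hash:" line in the server reply')
legit = m.group(1)

#legit = '7d2a3a8f9b9b6491736c785c68ce02c1'      # a legit hash of secret + message goes here, obtained from signing a message

# initialize hash object with state of a vulnerable hash
# NOTE(review): the 64 filler bytes are one MD5 block; presumably they only
# advance md5py's internal length counter before the state is overwritten
# -- confirm against md5py.
fake_md5 = md5py.new('A' * 64)
# Overwrite the four state words with the ones carried by the legit digest.
# str.decode('hex') exists only on Python 2.
fake_md5.A, fake_md5.B, fake_md5.C, fake_md5.D = md5py._bytelist2long(legit.decode('hex'))

malicious = 'malicious message'  # put your malicious message here

# update legit hash with malicious message
fake_md5.update(malicious)

# fake_hash is the hash for md5(secret + message + padding + malicious)
fake_hash = fake_md5.hexdigest()
#print(fake_hash)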


#############################
### STEP 2: Craft payload ###
#############################
# Excerpt of a client for a service that tags messages with
# md5(secret + message); `s`, `message` and `md5py` are defined outside it.
# A tag built this way exposes MD5's final chaining state and therefore does
# not authenticate the message; HMAC is the keyed construction to use instead.

# send the message
data = s.recv(1024)
s.send(message + '\n')

# get the hash
data = s.recv(1024)
# NOTE(review): the slice assumes the digest starts at offset 39 of the
# reply -- confirm against the service's output format.
my_hash = data[39:].strip()  #grab the hash and strip the string
print(my_hash)

# continue to main 'menu'
data = s.recv(1024)
legit = my_hash

# initialize hash object with state of a vulnerable hash
# (in this excerpt `fake_hash` is the md5py object, not a hex string)
fake_hash = md5py.new('A' * 64)
# Overwrite the four state words with the ones carried by the legit digest.
# str.decode('hex') exists only on Python 2.
fake_hash.A, fake_hash.B, fake_hash.C, fake_hash.D = md5py._bytelist2long(
    legit.decode('hex'))

malicious = 'Hack'  # put your malicious message here
# update legit hash with malicious message
fake_hash.update(malicious)

# test is the correct hash for md5(secret + message + padding + malicious)
test = fake_hash.hexdigest()

#############################
### STEP 2: Craft payload ###
#############################

# TODO: calculate proper padding based on secret + message
# secret is 6 bytes long (48 bits)
# each block in MD5 is 512 bits long
Exemple #4
#!/usr/bin/env python3
# from the git repo
import md5py
import binascii

#####################################
### STEP 1: Calculate forged hash ###
#####################################

# `message` is assigned here but not read again in the visible lines.
message = 'a'  # original message here
legit = '0ef56518e0843d8c0611d808a7df0beb'  # a legit hash of secret + message goes here, obtained from signing a message

# initialize hash object with state of a vulnerable hash
# NOTE(review): the 64 filler bytes are one MD5 block; presumably they only
# advance md5py's internal length counter before the state is overwritten
# -- confirm against md5py.
fake_md5 = md5py.new('A' * 64)
# Overwrite the four state words (A, B, C, D) with the ones carried by the
# 16-byte digest.  That the digest is the full chaining state is what makes
# md5(secret + message) unsuitable as a MAC; HMAC avoids it.
fake_md5.A, fake_md5.B, fake_md5.C, fake_md5.D = md5py._bytelist2long(
    binascii.unhexlify(legit))

malicious = '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x38pwned'  # put your malicious message here

# update legit hash with malicious message
# (hashing continues from the state that was copied out of `legit`)
fake_md5.update(malicious)

# fake_hash is the hash for md5(secret + message + padding + malicious),
# obtained here without the secret ever being used in this script
fake_hash = fake_md5.hexdigest()
print(fake_hash)

#############################
### STEP 2: Craft payload ###
#############################

# TODO: calculate proper padding based on secret + message
Exemple #5
        return s

# Self-contained exercise: shows that md5(secret + message) can be extended
# to a valid digest for a longer message by someone who only sees the digest.
# `secret`, `initialData`, `append`, `pad` and `md5py` are defined outside
# this excerpt.  A keyed construction such as HMAC does not have this weakness.
print ("This is the program that perform the hash attack to MD5!!!")
print ("You need to forge the signature and caculate the sum of first MagicNumber(1st)")

# Digest the signer would publish for the first message.
val = md5py.new(secret+initialData)
print ("You get the hash(secret + message1):", val.hexdigest())

# Reference value: generate the signature over the extended message with
# the secret, to compare the forged digest against.
payload = pad(secret+initialData)+append
legit = md5py.new(payload)
print ("The digital signature(hash(secret+message1+message2)) is:", legit.hexdigest())

# Forged value: modify the MagicNumber words to achieve the extension.
# The object is created over 64 filler bytes and its four state words are
# then overwritten with the ones unpacked from the published digest.
not_legit = md5py.new("z"*64)
not_legit.A, not_legit.B, not_legit.C, not_legit.D = md5py._bytelist2long(val.digest())
# Sum of the four state words; the exercise checks it against a constant below.
MagicSum=not_legit.A + not_legit.B + not_legit.C+ not_legit.D
not_legit.update(append)
print ("Your forged signature is:", not_legit.hexdigest())

# Equal digests mean the tag for the extended message was produced from the
# published digest alone.
if legit.hexdigest() == not_legit.hexdigest():
        print ("Success forged!")
        print ("Your MagicSum is:",MagicSum)
        if MagicSum==11891216107:
            print ("Correct!!!")
            print ("flag{HASH_LENGTH_EXTESION_ATTATCK}")
        else:
            print ("Wrong MagicSum!!!")
else:
        print ("Fail!")
# Demo inputs: the signer's key, the message that was originally signed,
# and the data appended to it.
secret, original, append = b"secret", b"data", b"append"

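def pad(s):
	"""Return *s* followed by MD5 padding (RFC 1321, sections 3.1 and 3.2).

	The padding is a 0x80 byte, then zero bytes until the length is 56
	modulo 64, then the original length in bits as an 8-byte little-endian
	integer.  The result is always a multiple of 64 bytes long.

	s -- the message as a byte string (``str`` on Python 2, ``bytes`` on 3).
	"""
	# 1..64 bytes of padding, leaving exactly 8 bytes for the length field.
	padlen = 64 - ((len(s) + 8) % 64)
	bit_len = 8 * len(s)
	# The 0x80 marker is mandatory: a message whose length is already 56
	# modulo 64 gets a full 64 bytes of padding.  The previous
	# `if padlen < 64` guard left such a message unpadded.
	padded = s + b'\x80' + b'\x00' * (padlen - 1)
	return padded + struct.pack('<q', bit_len)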

# Self-check (Python 2 print statements): compares a digest computed with
# the secret against one derived only from the digest of secret + original.
# Equal digests show why md5(secret + message) is not a safe MAC; HMAC is
# the keyed construction that avoids this.

# Digest the signer would publish for the original message.
val = md5py.new(secret+original)
print "Original payload:", val.hexdigest()

# Extended message as the signer would hash it: padded first message, then
# the appended data.  `hexdump` is defined outside this excerpt.
payload = pad(secret+original)+append
hexdump(payload)

# Reference digest, computed with the secret.
legit = md5py.new(payload)
print "Legit digest:", legit.hexdigest()

# Second digest: the object is created over 64 filler bytes, its four state
# words are overwritten with the ones unpacked from `val`, and only the
# appended data is hashed on top.
not_legit = md5py.new("A"*64)
not_legit.A, not_legit.B, not_legit.C, not_legit.D = md5py._bytelist2long(val.digest())
not_legit.update(append)
print "Illicit digest:", not_legit.hexdigest()

# "Success!" means the two digests match.
if legit.hexdigest() == not_legit.hexdigest():
	print "Success!"
else:
	print "Fail!"