recv() s.send('1\n') recv() s.send(message + '\n') data = recv() m = re.search(r'Your hash: (\w+)', data) if not m: exit() legit, = m.groups() print('legit ' + legit) # initialize hash object with state of a vulnerable hash fake_md5 = md5py.new('A' * 64) fake_md5.A, fake_md5.B, fake_md5.C, fake_md5.D = md5py._bytelist2long( legit.decode('hex')) # update legit hash with malicious message fake_md5.update(malicious) # fake_hash is the hash for md5(secret + message + padding + malicious) fake_hash = fake_md5.hexdigest() print('fake ' + fake_hash) ############################# ### STEP 2: Craft payload ### ############################# # TODO: calculate proper padding based on secret + message # secret is <redacted> bytes long (48 bits) # each block in MD5 is 512 bits long
s.connect((host, port)) data = s.recv(1024) s.send('1\n') data = s.recv(1024) s.send(message + '\n') data = s.recv(1024) m = re.search('Your hash: ([a-z0-9]*)', data) legit = m.group(1) #legit = '7d2a3a8f9b9b6491736c785c68ce02c1' # a legit hash of secret + message goes here, obtained from signing a message # initialize hash object with state of a vulnerable hash fake_md5 = md5py.new('A' * 64) fake_md5.A, fake_md5.B, fake_md5.C, fake_md5.D = md5py._bytelist2long(legit.decode('hex')) malicious = 'malicious message' # put your malicious message here # update legit hash with malicious message fake_md5.update(malicious) # fake_hash is the hash for md5(secret + message + padding + malicious) fake_hash = fake_md5.hexdigest() #print(fake_hash) ############################# ### STEP 2: Craft payload ### #############################
#send the message data = s.recv(1024) s.send(message + '\n') #get the hash data = s.recv(1024) my_hash = data[39:].strip() #grab the hash and strip the string print(my_hash) #continue to main 'menu' data = s.recv(1024) legit = my_hash # initialize hash object with state of a vulnerable hash fake_hash = md5py.new('A' * 64) fake_hash.A, fake_hash.B, fake_hash.C, fake_hash.D = md5py._bytelist2long( legit.decode('hex')) malicious = 'Hack' # put your malicious message here # update legit hash with malicious message fake_hash.update(malicious) # test is the correct hash for md5(secret + message + padding + malicious) test = fake_hash.hexdigest() ############################# ### STEP 2: Craft payload ### ############################# # TODO: calculate proper padding based on secret + message # secret is 6 bytes long (48 bits) # each block in MD5 is 512 bits long
#!/usr/bin/env python3 # from the git repo import md5py import binascii ##################################### ### STEP 1: Calculate forged hash ### ##################################### message = 'a' # original message here legit = '0ef56518e0843d8c0611d808a7df0beb' # a legit hash of secret + message goes here, obtained from signing a message # initialize hash object with state of a vulnerable hash fake_md5 = md5py.new('A' * 64) fake_md5.A, fake_md5.B, fake_md5.C, fake_md5.D = md5py._bytelist2long( binascii.unhexlify(legit)) malicious = '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x38pwned' # put your malicious message here # update legit hash with malicious message fake_md5.update(malicious) # fake_hash is the hash for md5(secret + message + padding + malicious) fake_hash = fake_md5.hexdigest() print(fake_hash) ############################# ### STEP 2: Craft payload ### ############################# # TODO: calculate proper padding based on secret + message
return s print ("This is the program that perform the hash attack to MD5!!!") print ("You need to forge the signature and caculate the sum of first MagicNumber(1st)") val = md5py.new(secret+initialData) print ("You get the hash(secret + message1):", val.hexdigest()) #the code here:generate the signature payload = pad(secret+initialData)+append legit = md5py.new(payload) print ("The digital signature(hash(secret+message1+message2)) is:", legit.hexdigest()) #the code here:modify MagicNumber to acheive extension attack not_legit = md5py.new("z"*64) not_legit.A, not_legit.B, not_legit.C, not_legit.D = md5py._bytelist2long(val.digest()) MagicSum=not_legit.A + not_legit.B + not_legit.C+ not_legit.D not_legit.update(append) print ("Your forged signature is:", not_legit.hexdigest()) if legit.hexdigest() == not_legit.hexdigest(): print ("Success forged!") print ("Your MagicSum is:",MagicSum) if MagicSum==11891216107: print ("Correct!!!") print ("flag{HASH_LENGTH_EXTESION_ATTATCK}") else: print ("Wrong MagicSum!!!") else: print ("Fail!")
secret = b"secret" original = b"data" append = b"append" def pad(s): padlen = 64 - ((len(s) + 8) % 64) bit_len = 8*len(s) if(padlen < 64): s += '\x80' + '\000' * (padlen - 1) return s + struct.pack('<q', bit_len) val = md5py.new(secret+original) print "Original payload:", val.hexdigest() payload = pad(secret+original)+append hexdump(payload) legit = md5py.new(payload) print "Legit digest:", legit.hexdigest() not_legit = md5py.new("A"*64) not_legit.A, not_legit.B, not_legit.C, not_legit.D = md5py._bytelist2long(val.digest()) not_legit.update(append) print "Illicit digest:", not_legit.hexdigest() if legit.hexdigest() == not_legit.hexdigest(): print "Success!" else: print "Fail!"