Skip to content
/ pypadbuster Public

A Python version of PadBuster.pl by Gotham Digital Security (GDSSecurity on Github)

21 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

escbar/pypadbuster

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.gitignore
.gitignore
 
 
README
README
 
 
USAGE
USAGE
 
 
demo.py
demo.py
 
 
demo_httpbuster.py
demo_httpbuster.py
 
 
pypadbuster.py
pypadbuster.py
 
 

Repository files navigation

A Python implementation of an attack against a CBC-mode decryption function
operating with PKCS7-mode padding and returning errors upon decryption of strings
with incorrect padding (this is referred to as a padding oracle).

PKCS7 works by allowing block_size-1 bytes of plaintext per block and padding
all blocks using the following algorithm:
padding_length = block_size - length(plaintext)
padded_block = plaintext || chr(padding_length) * (padding_length)

Examples (for an 8 byte (64-bit) block size):
A   B   C \x5 \x5 \x5 \x5 \x5  |
A   B   C   D \x4 \x4 \x4 \x4  | 
A   B   C   D   E   F   G \x1  |  H \x7 \x7 \x7 \x7 \x7 \x7 \x7  

CBC-mode decryption works like this:
plaintext = previous_ciphertext_block  XOR  decrypt(current_ciphertext_block)
For the first round, an arbitrary string, the Initialization Vector (IV) is used
instead in lack of a previous_ciphertext_block.

So when it can be established that the last byte of a string is 0x01 (which our
padding oracle discloses to us by not complaining about our padding being incorrect),
we can make it decrypt to an arbitrary value by calculating the xor "key" - I use
"key" in lack of a better word - for the corresponding byte in previous_ciphertext_block:

last_byte  XOR  0x01

Since modifying even a single bit in a ciphertext block in most modern block ciphers
causes the decrypted value to be completely different from the unaltered version,
we modify the IV instead.

Once we know the first byte of the xor key, we calculate the last byte of the IV:

xorkey[-1]  XOR  0x02

And bruteforce the next byte until we have an IV that results in the last two
bytes being decrypted as 0x02 0x02.

The padding oracle enables us to calculate the complete xor key for any given
ciphertext block with roughly 256 * block_size * 0.5 queries (average).


If a decrypted block is leaked, we can calculate the xor key for the block by
XOR'ing the leaked plaintext with the IV that caused the leak.


Credits go to Serge Vaudenay for publishing this attack in his EUROCRYPT paper
"Security Flaws Induced By CBC Padding Applications to SSL, IPSEC, WLTS.." (2002)

Inspired by PadBuster by Gotham Digital Security:
http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html

Note: Though this script attacks oracles using the PKCS7 padding scheme, other
padding schemes with variable-length padding length specifiers should be exploitable too:
- ISO/IEC 9797-1 Padding Method 2 (Bit padding)
- ANSI X.923
- PKCS5 (PKCS7 is backwards compatible with PKCS5; this script works against it)
- "Zero padding" in some cases

About

A Python version of PadBuster.pl by Gotham Digital Security (GDSSecurity on Github)

Resources

Readme
Activity

Stars

21 stars

Watchers

4 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages