What the Flip?!
AES CBC Byte Flipping Attack
Problem
Hackers have locked you out of your account! Fortunately their netcat server has a vulnerability.
nc umbccd.io 3000
This netcat server is username and password protected. The admin login is known but forbidden. Any other login entered gives a cipher.
Author: Clearedge
Solution
We can input the
user and passwd into the below string, which is encrypted. admin&password=goBigDawgs12 is not allowed.1
msg = 'logged_username=' + user +'&password=' + passwd
2
β
3
try:
4
assert('admin&password=goBigDawgs123' not in msg)
5
except AssertionError:
6
send_msg(s, 'You cannot login as an admin from an external IP.\nYour activity has been logged. Goodbye!\n')
7
raise
Copied!
The ciphertext is given to us, and we are prompted to enter another ciphertext.
1
send_msg(s, "Leaked ciphertext: " + encrypt_data(msg)+'\n')
2
send_msg(s,"enter ciphertext: ")
Copied!
Then, in
decrypt_data(), the presense of admin&password=goBigDawgs12 is checked. The goal is to submit a ciphertext such that the corresponding plaintext contains admin&password=goBigDawgs12.1
def decrypt_data(encryptedParams):
2
cipher = AES.new(key, AES.MODE_CBC,iv)
3
paddedParams = cipher.decrypt(unhexlify(encryptedParams))
4
print(paddedParams)
5
if b'admin&password=goBigDawgs123' in unpad(paddedParams,16,style='pkcs7'):
6
return 1
7
else:
8
return 0
Copied!
From
encrypt_data(), we can see that AES CBC encryption is used, with a block size of 16.1
def encrypt_data(data):
2
padded = pad(data.encode(),16,style='pkcs7')
3
cipher = AES.new(key, AES.MODE_CBC,iv)
4
enc = cipher.encrypt(padded)
5
return enc.hex()
Copied!
Since we are given a ciphertext and tasked to find another ciphertext that decodes into a different string, an AES CBC byte flipping attack can be used.
In CBC, each block of plaintext depends on the previous ciphertext.
So if we manage to change the ciphertext in a previous block, we can change the plaintext in the next block.
We can send a payload like
logged_username=admin&parsword=goBigDawgs123 (note the purposeful misspelling of password as parsword). Then, we will edit the previous block of ciphertext such that r becomes s at the misspelt index. We simply have to change the ciphertext at the correct index.For instance, the following code gives us the edited ciphertext.
1
user = ''
2
password = 'goBigDawgs123'
3
msg = 'logged_username=admin&parsword=goBigDawgs123' + user +'&password=' + password
4
print(msg, len(msg))
5
β
6
xor = ord('r') ^ ord('s')
7
cipher = encrypt_data(msg)
8
cipher = cipher[:16] + hex(int(cipher[16:18], 16) ^ xor)[2:] + cipher[18:]
9
print(decrypt_data(cipher))
Copied!
Notice that the second block has been changed to the desired string. Since we modified the first block, it will no longer decode properly (but in this case it doesn't matter since only the desired string is checked).
1
b'X\xd7\xfc;\xb4\x7fUc\x14\xbe\xbfJ\x15\xe8}1admin&password=goBigDawgs123&password=goBigDawgs123\r\r\r\r\r\r\r\r\r\r\r\r\r'
Copied!
Putting it all together:
1
from Crypto.Cipher import AES
2
from Crypto.Util.Padding import pad,unpad
3
from Crypto.Util.number import bytes_to_long
4
from Crypto.Random import get_random_bytes
5
from binascii import unhexlify
6
from pwn import *
7
import re
8
β
9
key = get_random_bytes(16)
10
iv = get_random_bytes(16)
11
β
12
def encrypt_data(data):
13
padded = pad(data.encode(),16,style='pkcs7')
14
cipher = AES.new(key, AES.MODE_CBC,iv)
15
enc = cipher.encrypt(padded)
16
return enc.hex()
17
β
18
def decrypt_data(encryptedParams):
19
cipher = AES.new(key, AES.MODE_CBC,iv)
20
paddedParams = cipher.decrypt( unhexlify(encryptedParams))
21
print(paddedParams)
22
if b'admin&password=goBigDawgs123' in unpad(paddedParams,16,style='pkcs7'):
23
return 1
24
else:
25
return 0
26
β
27
user = ''
28
password = 'goBigDawgs123'
29
msg = 'logged_username=admin&parsword=goBigDawgs123' + user +'&password=' + password
30
print(msg, len(msg))
31
β
32
xor = ord('r') ^ ord('s')
33
cipher = encrypt_data(msg)
34
cipher = cipher[:16] + hex(int(cipher[16:18], 16) ^ xor)[2:] + cipher[18:]
35
print(decrypt_data(cipher))
36
β
37
conn = remote('umbccd.io', 3000)
38
β
39
print(conn.recv())
40
print(conn.recv())
41
conn.send('admin&parsword=goBigDawgs123\r\n')
42
print(conn.recv())
43
conn.send('\r\n')
44
β
45
match = re.match(r'Leaked ciphertext: (.+)\n', conn.recv().decode())
46
print('Ciphertext:', match[1])
47
β
48
cipher = match[1]
49
cipher = cipher[:16] + hex(int(cipher[16:18], 16) ^ xor)[2:] + cipher[18:]
50
print('Modified Ciphertext', cipher)
51
β
52
print()
53
conn.send(cipher + '\r\n')
54
print(conn.recv())
55
β
56
conn.close()
Copied!
Last modified 13d ago