Block Cipher Mode note

, , , , ,

Before all

A quick Block Cipher Mode review for myself.
All the exploits down below are for Labs made by Oalieno

Recommended Course

Block Cipher Mode

Cut and Paste Attack

EBC MODE vulnerability
Because in ECB mode, size of an block is always 16 bytes, so even though we can’t crack it, it’s still feasible to construct datas with specific size and rearrange the encrypted blocks which bring spoofing
Exploit 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *
r=remote('127.0.0.1', 20001)
s=r.recvuntil(b' = ')
print(s.decode())
#user:AAAAAAAAAAA 999999999999999 BBBBBBBBB;money: 10;
payload='A'*11+'9'*16+'B'*9
r.sendline(payload.encode())
s=r.recvuntil(b'\n')
print(s.decode)
s=bytes.fromhex(s.decode().split(' ')[2])
payload=s[:16]+s[32:48]+s[16:32]+s[48:]
payload=payload.hex()
s=r.recvuntil(b' = ')
r.sendline(payload.encode())
r.interactive()

Prepend Oracle

EBC MODE vulnerability
This method can be used when your input would be encrypted with message you want to encrpt
The main idea is to enumerate through characters until it’s same with encrypted blocks generated from only padding input.
Exploit 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from pwn import *
r=remote('127.0.0.1', 20005)
flag=b''
def oracle(data):
    data=data.hex().encode()
    s=r.recvuntil(b' = ')
#    print(s)
    r.sendline(data)
    s=r.recvuntil(b'\n').decode()
    return s.split(' = ')[1]
for i in range(32):
    padding=b'A'*(32-1-i)
    test=oracle(padding)
    for c in string.printable:
        if oracle(padding+flag+c.encode())[:64]==test[:64]:
#            print(test)
#            print(oracle(padding+flag+c.encode()))
            flag=flag+c.encode()
            print(flag, i)
            break

Padding Oracle

CBC MODE vulnerability
This method can be used when it’s possible to get the IV(Initialized Iector) value and the padding method is knowned. Also, it’s necessary that there exist some clues to check whether the input is unpaded successfuly or not
The main idea is to enumerate through characters until the message have been unpad successfuly, and remember to adjust the iv value sended cautiously!

How to cauculate the correct value after unpad successfuly?
that byte of data = Now_Trying ^ IV Value at that position ^ padding
cur=xor(k, iv[now], (16-now))+cur
cur = the decrypted block,
k = the value be tried now,
16-now = padding.
Exploit 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from pwn import *
from Crypto.Util.number import *
from tqdm import *
r=remote('127.0.0.1', 3140)

def oracle(iv, mess):
    r.sendlineafter(b' = ', (iv+mess).hex().encode())
#    info(len((iv+mess).hex().encode()))
    return b'PADDING CORRECT!!!' in r.recvline()

flag=long_to_bytes(int(r.recvline()[:-1].decode().split(' = ')[1], 16))
#print(flag, len(flag))
ans=b''
cur=b''
for i in tqdm(range(0, len(flag)-16, 16)):
    iv, mess=flag[i:i+16], flag[i+16:i+32]
    for j in range(16):
        now=15-j
#        info(now)
        for k in range(256):
#            info(len(bytes([k]))==1)
            if oracle(iv[:now]+bytes([k])+xor(cur, iv[now+1:], chr(16-now).encode()*(15-now)), mess):
                if now==15:
                    if k!=iv[15]:
                        cur=xor(k, iv[15], 1)+cur
                        break
                else:
                    cur=xor(k, iv[now], (16-now))+cur
                    break
    ans+=cur
    cur=b''

print(ans)