Skip to content

A framework for exploiting padding oracles in network-based applications

Notifications You must be signed in to change notification settings

swarley7/padoracle

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

padoracle

An extensible framework for exploiting padding oracles in network-based applications.

Background

A padding oracle occurs in a cryptosystem where something (the oracle) reveals information about the legiticamy of padded ciphertext. In cipher block chaining (CBC) mode, the IV is typically the first block of the ciphertext (or might be kept secret for "reasons"). The ciphertext of the preceeding block forms the IV of the current block.

Since block ciphers require equal length ciphertext blocks, the final block of plaintext must be padded out to meet the required blocksize. Typical padding modes include PKCS5 and PKCS7 - both of which are pretty much identical, except PKCS5 is used for 8 byte blocks, whereas PKCS7 can be used for n < 256 byte block sizes. Both modes basically use the last byte of cleartext to denote how many bytes of padding are included within the block.

For example, given the cleartext AAAA\x04\x04\x04\x04, the last byte (\x04) tells the decryption routine that there are 4 bytes of padding which will need to be removed to return the original message. This operation, in conjunction with the fact that the previous block's ciphertext forms the IV for the current block is what the padding oracle attack exploits.

Yes, but there's other padding oracle exploitation tools?

Sure there are. In fact, I've used some of them before!

  • padbuster: works ok, but it's fairly old and dated, and written in Perl (which is a Write-Only language)
  • padding-oracle-attack (https://github.com/mpgn/Padding-oracle-attack: very good python-based solution. Easy to modify to suit specific pad-oracle requirements. A bit inflexible in how it approaches the problem, and (most importantly), it's very slow.

padoracle is fast. On my test system it decrypted 16 blocks of 16 byte ciphertext in under 1.5 mins (using 100 threads). The reason for this speed increase, is that each block is decrypted independently of the others, in parallel. There is nothing in the attack that requires each block to be decrypted sequentially.

Also, I learn/understand things better by doing it so this was a good way to learn the math and maybe apply some lateral thinking to the exploitation process.

Usage

padoracle is super extensible and can be made to suit any requirements. However, it does require some modifications in order to make it work.

First thing's first; clone the repo.

git clone https://github.com/swarley7/padoracle.git && cd padoracle

Next, install the dependencies (hopefully there's no errors):

go build

Next comes the hard part (it's not that hard really). Open ./libpadoracle/modifyme.go in your favourite editor and get modifying!

Examples

"Busting pad oracles" "Finished"

Credits

Donate?

About

A framework for exploiting padding oracles in network-based applications

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages