commit a855bb79bd062ab5f0a79230e397ddaf9828db12
parent 9fa8aaf36b97dd89bc739755278581048f2f1ed7
Author: mpizzzle <michael.770211@gmail.com>
Date: Sat, 28 Oct 2017 17:21:43 +0100
set 2 challenge 16 complete
Diffstat:
1 file changed, 27 insertions(+), 0 deletions(-)
diff --git a/set2/cbc_bitflipping_attacks.py b/set2/cbc_bitflipping_attacks.py
@@ -0,0 +1,27 @@
+import re
+from Crypto.Cipher import AES
+from Crypto import Random
+
+def random_key():
+ return Random.new().read(AES.block_size)
+
+key = random_key()
+iv = random_key()
+
+def encrypt(msg):
+ pad_len = AES.block_size - (len(msg) % AES.block_size)
+ return AES.new(key, AES.MODE_CBC, iv).encrypt(msg + ''.join([chr(pad_len) for x in range(pad_len)]))
+
+def decrypt_and_parse(cipher):
+ return ";admin=true;" in AES.new(key, AES.MODE_CBC, iv).decrypt(cipher)
+
+def encryption_oracle(m):
+ return encrypt("comment1=cooking%20MCs;userdata=" + re.sub("[;|=]", '', m) + ";comment2=%20like%20a%20pound%20of%20bacon")
+
+plaintext = "hello-admin-truehello-admin-true"
+ciphertext = list(encryption_oracle(plaintext))
+
+ciphertext[(2 * AES.block_size) + 5] = chr(ord('-') ^ ord(';') ^ ord(ciphertext[(2 * AES.block_size) + 5]))
+ciphertext[(2 * AES.block_size) + 11] = chr(ord('-') ^ ord('=') ^ ord(ciphertext[(2 * AES.block_size) + 11]))
+
+print decrypt_and_parse(''.join(ciphertext))
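Review bot: The index expressions `(2 * AES.block_size) + 5` and `(2 * AES.block_size) + 11` near the end of the file are undocumented and only work because the fixed prefix in `encryption_oracle` is exactly 32 bytes (two blocks); a comment such as `# prefix fills blocks 0-1; editing ciphertext block 2 garbles its plaintext and XORs the same offsets in block 3` would make that dependency visible. In `encryption_oracle` the character class `[;|=]` treats `|` as a literal and strips it too; `re.sub("[;=]", '', m)` is presumably what was meant. `decrypt_and_parse` searches the raw decrypted bytes with no unpadding and no integrity check, which is the weakness the exercise demonstrates. A docstring should say so and name the usual remedy: verify a MAC over IV and ciphertext, or use an AEAD mode, before acting on the plaintext. `key` and `iv` are drawn once at import, so every `encrypt` call reuses the same IV, which deserves a comment marking it as a test-harness shortcut.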