SHA256_length_padding_attack

1. ## nc challenge01.root-me.org 51022
2. import struct
3.  
4. class SHA256:
5.  
6.   def __init__(self, debug=False):
7.     self.debug=debug
8.     self.h = [
9.         0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c,
10.         0x1f83d9ab, 0x5be0cd19
11.     ]
12.  
13.     self.k = [
14.         0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
15.         0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
16.         0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
17.         0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
18.         0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
19.         0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
20.         0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
21.         0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
22.         0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
23.         0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
24.         0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
25.     ]
26.  
27.   def set_state(self,h):
28.     self.h=h
29.  
30.   def rotate_right(self, v, n):
31.     w = (v >> n) | (v << (32 - n))
32.     return w & 0xffffffff
33.  
34.  
35. ## only d & h change value other change location
36. ## Now, we need to figure out what d and h are, from tmp2 and tmp3.
37.   def compression_step(self, state, k_i, w_i):
38.     a, b, c, d, e, f, g, h = state
39.     s1 = self.rotate_right(e, 6) ^ self.rotate_right(e, 11) ^ self.rotate_right(e, 25)
40.     ch = (e & f) ^ (~e & g)
41.     tmp1 = (h + s1 + ch + k_i + w_i) & 0xffffffff
42.     s0 = self.rotate_right(a, 2) ^ self.rotate_right(a, 13) ^ self.rotate_right(a, 22)
43.     maj = (a & b) ^ (a & c) ^ (b & c)
44.     tmp2 = (tmp1 + s0 + maj) & 0xffffffff
45.     tmp3 = (d + tmp1) & 0xffffffff
46.     return (tmp2, a, b, c, tmp3, e, f, g)
47.  
48.  
49.   def compression(self, state, w, round_keys = None): ## ?? same round key for
50.     if round_keys is None:
51.       round_keys = self.k
52.     for i in range(64):## compress 64 time?? only 8 key
53.       state = self.compression_step(state, round_keys[i], w[i])
54.       if self.debug: print(f"Round {i}:",state)
55.     return state
56.  
57.   def compute_w(self, m):
58.     w = list(struct.unpack('>16L', m))
59.     for _ in range(16, 64):
60.       a, b = w[-15], w[-2]
61.       s0 = self.rotate_right(a, 7) ^ self.rotate_right(a, 18) ^ (a >> 3)
62.       s1 = self.rotate_right(b, 17) ^ self.rotate_right(b, 19) ^ (b >> 10)
63.       s = (w[-16] + w[-7] + s0 + s1) & 0xffffffff
64.       w.append(s)
65.     return w
66.  
67.   def padding(self, m, lm_=None):
68.     lm = lm_ if lm_ else len(m)
69.     lpad = struct.pack('>Q', 8 * lm)
70.     lenz = -(lm + 9) % 64
71.     return m + bytes([0x80]) + bytes(lenz) + lpad
72.  
73.   def sha256_raw(self, m, round_keys = None):
74.     if len(m) % 64 != 0:
75.       raise ValueError('m must be a multiple of 64 bytes')
76.     state = self.h
77.     if self.debug: print(f"Init state:\n{state}")
78.     for i in range(0, len(m), 64):
79.       block = m[i:i + 64]
80.       w = self.compute_w(block)
81.       s = self.compression(state, w, round_keys)
82.       state = [(x + y) & 0xffffffff for x, y in zip(state, s)]
83.       if self.debug:print(f"New state:\n{state}")
84.     return state # 8 * 4_bytes
85.  
86.   def sha256(self, m, round_keys = None, lm_=None):
87.     m_padded = self.padding(m,lm_) # first get padding mess
88.     state = self.sha256_raw(m_padded, round_keys)
89.     return struct.pack('>8L', *state)
90.  
91. import base64
92. from telnetlib import Telnet
93. ip,port = 'challenge01.root-me.org',51022
94.  
95. ## privilled padding last; ????:[role]
96. def get_hash(name,role):
97.     t = Telnet(ip,port)
98.     resp = t.read_until(b'n\n');print(resp)
99.     t.write(b'0\n')
100.     resp = t.read_until(b': ');print(resp)
101.     t.write(name+b'\n')
102.     resp = t.read_until(b': ');print(resp)
103.     t.write(role+b'\n')
104.     resp = t.read_until(b'connect with ');print(resp)
105.     resp = t.read_until(b'\n');print(resp)
106.     data,sig = resp[:-1].split(b':')
107.     return base64.b64decode(data),base64.b64decode(sig)
108.    
109. def auth(token):
110.     t = Telnet(ip,port)
111.     resp = t.read_until(b'n\n');print(resp)
112.     t.write(b'1\n')
113.     t.write(token+b'\n')
114.     resp = t.read_until(b'\n');print(resp)
115.     if b'Bad token !' in resp:return False
116.     t.interact()
117.  
118. def brute_force_len_padding(message,message_padding):
119.     sha256 = SHA256()
120.     for len_prepadding in range(1<<16):
121.         dump = sha256.padding(b'A'*len_prepadding+message)
122.         yield dump[len_prepadding:]
123.        
124.        
125. if __name__=='__main__':
126.     message,sig = get_hash(bytes(16),b'BBBBB')
127.     state = list(struct.unpack('>8L', bytes.fromhex(sig.decode())))
128.     sha256 = SHA256()
129.     sha256.set_state(state)
130.     message_padding = b':admin'
131.     lm_ = len(sha256.padding(message_padding))
132.     new_sig = base64.b64encode(sha256.sha256(message_padding,lm_=lm_+len(message_padding)).hex().encode())
133.     print("[+] Sig:",new_sig)
134.     for mess in brute_force_len_padding(message,message_padding):
135.         print("[+] Mess:",mess)
136.         data = base64.b64encode(mess+message_padding)
137.         if auth(data+b':'+new_sig):break
138.     ## Welcome back! Flag to validate is u$3_HMAC_l4m3rZ!
139.