From 2be59bb3ddd249bcfa39d7f3014933cfa63b9d2e Mon Sep 17 00:00:00 2001 From: gogo Date: Sat, 24 Aug 2024 17:41:14 +0200 Subject: [PATCH 1/3] add custom entry in step2.py --- step2.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/step2.py b/step2.py index 7aa3566..9ec4e8b 100755 --- a/step2.py +++ b/step2.py @@ -64,6 +64,23 @@ def no_structure(self): return self.encrypt_plaintext(plaintext) types["no_header_with_payload"] = 1 + + def no_structure_with_chosen_plaintext(self, chosen_plaintext): + """ + Create a plaintext that can't be mistaken for PKCS#1 v1.5 padding. + Has incorrect header and no separator between PS and M. + + Makes sure to also not suggest a PKCS#1 v1.5 signature padding. + + arguments: + - chosen_plaintext: a int array of bytes for both the start of the file and his content. Bytes must be of number between 0 and 255 + """ + plaintext = chosen_plaintext + \ + random.choices(range(1, 256), k=self.key_size-2) + + return self.encrypt_plaintext(plaintext) + + types["no_header_with_payload"] = 1 def no_header_with_payload(self, m_length): """ From 22a414783328ba0c798697add4426a1c28c24ca0 Mon Sep 17 00:00:00 2001 From: gogo Date: Sat, 24 Aug 2024 19:12:12 +0200 Subject: [PATCH 2/3] run custom payload --- step2.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/step2.sh b/step2.sh index a93d52e..d496088 100755 --- a/step2.sh +++ b/step2.sh @@ -3,6 +3,7 @@ PYTHONPATH=tlsfuzzer ./marvin-venv/bin/python ./step2.py \ -c rsa1024/cert.pem -o rsa1024_ciphertexts \ no_structure no_padding=48 signature_padding=8 \ +no_structure_with_chosen_plaintext="1 2 3" \ valid_repeated_byte_payload="118 0xff" valid=48 header_only \ no_header_with_payload=48 zero_byte_in_padding="48 4" \ valid=0 valid=118 
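Review bot: The random tail in `no_structure_with_chosen_plaintext` is always `self.key_size-2` values long, so the plaintext comes out as `len(chosen_plaintext) + key_size - 2` bytes and only matches the key size for a two-byte prefix. The three-value `"1 2 3"` example added to step2.sh in the next patch would be one byte too long for what `encrypt_plaintext` (not shown) presumably expects. Sizing the tail from the prefix with `k=self.key_size - len(chosen_plaintext)`, after a guard such as `if len(chosen_plaintext) > self.key_size or not all(0 <= b <= 255 for b in chosen_plaintext): raise ValueError(...)`, keeps the length fixed and enforces the byte range the docstring asks for. The docstring also promises a plaintext that cannot be mistaken for PKCS#1 v1.5 padding, which no longer holds once the caller picks the leading bytes (a prefix of 0, 2 is the encryption header). Either reject such prefixes or reword the docstring, so the probe is not mislabelled in the later timing analysis.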
@@ -10,6 +11,7 @@ valid=0 valid=118 PYTHONPATH=tlsfuzzer ./marvin-venv/bin/python ./step2.py \ -c rsa2048/cert.pem -o rsa2048_ciphertexts \ no_structure no_padding=48 signature_padding=8 \ +no_structure_with_chosen_plaintext="1 2 3" \ valid_repeated_byte_payload="246 0xff" valid=48 header_only \ no_header_with_payload=48 zero_byte_in_padding="48 4" \ valid=0 valid=192 valid=246 @@ -17,6 +19,7 @@ valid=0 valid=192 valid=246 PYTHONPATH=tlsfuzzer ./marvin-venv/bin/python ./step2.py \ -c rsa4096/cert.pem -o rsa4096_ciphertexts \ no_structure no_padding=48 signature_padding=8 \ +no_structure_with_chosen_plaintext="1 2 3" \ valid_repeated_byte_payload="502 0xff" valid=48 header_only \ no_header_with_payload=48 zero_byte_in_padding="48 4" \ valid=0 valid=192 valid=502 From 271d2e01bdc64bac84c05b9d350deda645db65b3 Mon Sep 17 00:00:00 2001 From: gogo Date: Sun, 25 Aug 2024 02:13:48 +0200 Subject: [PATCH 3/3] stucks since dozen of hours --- step2.py | 12 ++++++++++-- step2.sh | 6 +++--- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/step2.py b/step2.py index 9ec4e8b..42db3b2 100755 --- a/step2.py +++ b/step2.py @@ -63,7 +63,7 @@ def no_structure(self): random.choices(range(1, 256), k=self.key_size-2) return self.encrypt_plaintext(plaintext) - types["no_header_with_payload"] = 1 + types["no_structure_with_chosen_plaintext"] = 1 def no_structure_with_chosen_plaintext(self, chosen_plaintext): """ @@ -75,7 +75,8 @@ def no_structure_with_chosen_plaintext(self, chosen_plaintext): arguments: - chosen_plaintext: a int array of bytes for both the start of the file and his content. Bytes must be of number between 0 and 255 """ - plaintext = chosen_plaintext + \ + + plaintext = chosen_plaintext + \ random.choices(range(1, 256), k=self.key_size-2) return self.encrypt_plaintext(plaintext) 
@@ -353,12 +354,16 @@ def single_shot(out_dir, pub, args): for arg in args: ret = arg.split('=') + + print(arg) + print(ret) if len(ret) == 1: name = ret[0] params = [] elif len(ret) == 2: name, params = ret ret = params.split(' ') + params = [int(i, 16) if i[:2] == '0x' else int(i) for i in ret] else: print("ERROR: Incorrect formatting of option: {0}".format(arg)) @@ -370,6 +375,9 @@ def single_shot(out_dir, pub, args): file=sys.stderr) sys.exit(1) + + print(name) + print(params) ciphertext = getattr(generator, name)(*params) file_name = "_".join([name] + [str(i) for i in params]) diff --git a/step2.sh b/step2.sh index d496088..7108edb 100755 --- a/step2.sh +++ b/step2.sh @@ -3,7 +3,7 @@ PYTHONPATH=tlsfuzzer ./marvin-venv/bin/python ./step2.py \ -c rsa1024/cert.pem -o rsa1024_ciphertexts \ no_structure no_padding=48 signature_padding=8 \ -no_structure_with_chosen_plaintext="1 2 3" \ +no_structure_with_chosen_plaintext="0x01 0x02 0x03 0x4 0x5 0x6" \ valid_repeated_byte_payload="118 0xff" valid=48 header_only \ no_header_with_payload=48 zero_byte_in_padding="48 4" \ valid=0 valid=118 @@ -11,7 +11,7 @@ valid=0 valid=118 PYTHONPATH=tlsfuzzer ./marvin-venv/bin/python ./step2.py \ -c rsa2048/cert.pem -o rsa2048_ciphertexts \ no_structure no_padding=48 signature_padding=8 \ -no_structure_with_chosen_plaintext="1 2 3" \ +no_structure_with_chosen_plaintext="0x01" \ valid_repeated_byte_payload="246 0xff" valid=48 header_only \ no_header_with_payload=48 zero_byte_in_padding="48 4" \ valid=0 valid=192 valid=246 @@ -19,7 +19,7 @@ valid=0 valid=192 valid=246 PYTHONPATH=tlsfuzzer ./marvin-venv/bin/python ./step2.py \ -c rsa4096/cert.pem -o rsa4096_ciphertexts \ no_structure no_padding=48 signature_padding=8 \ -no_structure_with_chosen_plaintext="1 2 3" \ +no_structure_with_chosen_plaintext="0x01" \ valid_repeated_byte_payload="502 0xff" valid=48 header_only \ no_header_with_payload=48 zero_byte_in_padding="48 4" \ valid=0 valid=192 valid=502
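Review bot: The added `print(arg)` and `print(ret)` in this hunk, and `print(name)` / `print(params)` in the following hunk (@@ -370), look like leftover debugging output. They write to stdout for every probe, while the error path visible in the next hunk reports through `file=sys.stderr`. I would remove them before merging, or reduce them to one `print(name, params, file=sys.stderr)` if the trace is still needed while chasing the hang mentioned in the commit title. single_shot starts and ends outside this hunk.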
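Review bot: The dispatch `getattr(generator, name)(*params)` in the @@ -370 hunk spreads the parsed integers as separate positional arguments, but `no_structure_with_chosen_plaintext(self, chosen_plaintext)` takes a single list. As far as the visible code shows, the six-value argument in step2.sh fails with a TypeError for too many arguments, and `"0x01"` passes a bare int that cannot be concatenated with the list from `random.choices`. Declaring the method as `def no_structure_with_chosen_plaintext(self, *chosen_plaintext):` and building `plaintext = list(chosen_plaintext) + ...` would match how every other probe is called. If the value in `types["no_structure_with_chosen_plaintext"] = 1` is the expected argument count (that check is not visible here), it would also need to allow a variable number of values. single_shot continues outside the hunk.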