New Version of PadBuster Available for Download
Tuesday, September 28, 2010 at 1:56PM

A few weeks ago we released PadBuster, a tool for automating padding oracle exploits. Today we have released version 0.2, which includes some bug fixes and a few enhancements that are summarized below:
- Support for HTTP Basic Authentication and HTTP/S Proxies
- Encoding for .NET UrlTokens (essentially a web-safe Base64 encoding)
- Logic for handling samples that do not include an IV (or use a NULL IV)
The .NET UrlToken encoding and NULL IV options are both especially useful when running PadBuster against sites that are vulnerable to the recent .NET Padding Oracle attack. There are also new options for running the tool in interactive mode (good for troubleshooting) and resuming a previous decryption in the event that the script gets killed in the middle of decrypting a large sample.
As with the previous version, feel free to provide feedback on potential improvements you would like to see. Version 0.3 is already in the works and promises to have more cool features.

Reader Comments (40)
That's great! Testing it right now and it is working like a charm. Testing to decrypt the ASP.NET ViewState with the enableViewStateMac option on and custom errors set to off.
Thanks a lot.
I've modified 0.1 to work without an IV; however, I got stuck because I thought the IV would be anything but null :)
Thanks for sharing; this code makes it possible to see clearly why and how exactly a particular application is vulnerable.
How do I use this against .NET apps? I always get the usage screen. I tested my website and I get different responses for "http://www.mysite.com/notexistentpage.aspx" vs the response to "http://www.mysite.com/WebResource.axd?d=wrongstring". I also opened the source code of my index.aspx and I found "/WebResource.axd?d=PaEzkVsVRvDIevkuA1ssDnArJt8AfFhPdwdlccOscqKa&t=623190896729050001"
Tested it in different ways and I never get it working.
I was trying like this ./padBuster.pl "http://www.mysite.com/WebResource.axd?d=PaEzkVsVRvDIevkuA1ssDnArJt8AfFhPdwdlccOscqKa&t=623190896729050001" 16
In this case what is the [EncryptedSample]? Can you give me an example?
Also, what is the correct way to send a request? I mean, suppose I want to download web.config I should send something like "q|~/web.config", right?
After testing against a .NET app using -plaintext "q|~/myhiddenfile.txt", the encrypted result is "=�� � `z��f�x��q|~/myhiddenfile.txt"
which prevents me from downloading myhiddenfile.txt
I think the .NET IV is always \x00 and does not depend on the previous block.
I mean .NET does not take the IV from the request, and it's always null (\x00).
So the encrypted result must not include the IV value.
Thanks for the script.
I've been testing this against an ASP.NET app using 16 byte (AES) encryption and the script always fails to find byte 2. I'm running it with the -noiv and -encoding=3 options and trying to decrypt a WebResource.axd cipher. Any ideas?
@Alfred: The reason you are getting the usage screen is that you are missing a required command line argument (the encrypted sample). The encrypted sample is the encrypted value that must also be present in the Query String, Post Data, or Cookie values. So for the scenario you outlined, your command line should be as follows:
./padBuster.pl "http://www.mysite.com/WebResource.axd?d=PaEzkVsVRvDIevkuA1ssDnArJt8AfFhPdwdlccOscqKa&t=623190896729050001" PaEzkVsVRvDIevkuA1ssDnArJt8AfFhPdwdlccOscqKa 16
Note that the encrypted string is passed to PadBuster twice (once as part of the query string and once as part of the sample).
@freesrvs: Yes, you are correct. The encrypted payload that PadBuster generates is preceded by another block (the IV), which needs to be XORed against the intermediate value produced by the last block to generate your desired value. Exploiting ScriptResource to download an arbitrary file is not as simple as generating the payload and passing it as the parameter (for the exact reason you mention... the Framework does not use an IV on the first block). There are some workarounds that Rizzo and Duong mention in their original paper for dealing with this scenario.
@Natan: This is a known issue. The problem is that you are likely running against a server that has Custom Errors enabled. What’s happening here is that WebResource.axd normally takes a payload that looks similar to the following:
The above string represents the resource type (s) followed by the resource name (WebForms.js) and delimited with a pipe character (|). When you pass an invalid resource name, the handler throws a 404 response:
404: [HttpException]: Resource not found in assembly
This happens as you work backwards through the block manipulating each byte, which allows PadBuster to determine when the Padding Error (a 500 error) goes away. At least that's what happens until you get to byte #2. Note that this byte is the pipe character, which is a required delimiter. If this delimiter is not present, the handler throws a 500 response:
500: [HttpException]: This is an invalid webresource request
Unfortunately, when custom errors are enabled, all 500 errors look identical... so PadBuster is unable to tell the difference between this error and the Padding Exception which occurs on the other 255 requests.
The good news, however, is that there is a pretty simple workaround. If you re-run the same command but also use the -prefix option to pass the HEX encoded equivalent of your un-altered encrypted string, PadBuster will always pass this unaltered block as the first block of each request, so you'll be able to decrypt the string with no problem. So for example, the string M48vAB4P7iimjh7inLsvYg2 (NetUrlToken Encoded) should be converted to ASCII HEX Encoding (338F2F001E0FEE28A68E1EE29CBB2F62) and passed as the -prefix option (keep the rest of your command the same). Try this out and it should work.
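The .NET UrlToken encoding mentioned in the post's enhancement list and the UrlToken-to-hex conversion in the reply above, as an added Python example; this is not PadBuster's code and not part of the original post. It assumes the format as the post describes it (a web-safe Base64 variant): standard Base64 with '+' and '/' replaced by '-' and '_', the '=' padding stripped, and a single trailing digit giving the number of padding characters removed (restricted here to 0, 1 or 2). The two-byte round-trip sample in main() is constructed for this example.

```python
"""
Codec for the .NET UrlToken encoding (the "web-safe Base64" the post refers to).

Added example, not PadBuster's code. Format as assumed here:
  - standard Base64,
  - '+' -> '-', '/' -> '_',
  - '=' padding removed and replaced by one trailing digit (0, 1 or 2)
    giving the number of '=' characters that were removed.
"""
import base64
import binascii


def urltoken_decode(token: str) -> bytes:
    """Decode a UrlToken string to raw bytes; raises ValueError on malformed input."""
    if token == "":
        return b""
    pad_digit = token[-1]
    if pad_digit not in "012":
        raise ValueError("UrlToken must end with a padding-count digit 0-2")
    body = token[:-1].replace("-", "+").replace("_", "/") + "=" * int(pad_digit)
    if len(body) % 4 != 0:
        raise ValueError("malformed UrlToken: length is not a multiple of 4 after re-padding")
    try:
        # validate=True rejects any character outside the Base64 alphabet
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed UrlToken: {exc}") from exc


def urltoken_encode(data: bytes) -> str:
    """Encode raw bytes as a UrlToken string (empty input gives an empty string)."""
    if not data:
        return ""
    b64 = base64.b64encode(data).decode("ascii")
    stripped = b64.rstrip("=")
    pad_count = len(b64) - len(stripped)
    return stripped.replace("+", "-").replace("/", "_") + str(pad_count)


def urltoken_to_hex(token: str) -> str:
    """Upper-case ASCII hex of the decoded token, the form -prefix expects per the reply."""
    return binascii.hexlify(urltoken_decode(token)).decode("ascii").upper()


def split_blocks(data: bytes, block_size: int) -> list:
    """Split decoded ciphertext into cipher blocks; the length must be a block multiple."""
    if block_size <= 0 or len(data) % block_size != 0:
        raise ValueError(f"{len(data)} bytes is not a multiple of block size {block_size}")
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def main() -> None:
    # The token quoted in the reply above: one 16-byte (AES-sized) block.
    token = "M48vAB4P7iimjh7inLsvYg2"
    hex_form = urltoken_to_hex(token)
    print(f"{token} -> {hex_form}")
    print("blocks of 16:", [b.hex() for b in split_blocks(urltoken_decode(token), 16)])
    # Constructed sample whose Base64 contains both '+' and '/' (exercises the substitutions).
    sample = b"\xfb\xff"
    encoded = urltoken_encode(sample)
    print(f"{sample!r} -> {encoded} -> {urltoken_decode(encoded)!r}")


if __name__ == "__main__":
    main()
```

Decoding rejects tokens with a bad padding digit, a length that is not a multiple of four after re-padding, or characters outside the Base64 alphabet, so a malformed value raises ValueError instead of producing a wrong block for -prefix.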