How can I download the Web.config?
Since Microsoft patches are already out now I will disclose how to download the files remotely. Padbuster v0.2 and Pudbusterdotnet cannot alone download the Web.config. For achieving this result I have made a Poc that you can find here.
Update 04/10/10: A couple of days after the release of our initial exploit Brian Holyfield added these (and more features) in Padbuster v0.3. Now Padbuster is a swiss army knife to fully exploit .NET Ajax handlers.
The most common way to download files remotely from unpatched framework 3.5 Sp1 and 4.0 is to obtain after decryption a string similar to the one below:
r#garbage|||~/Web.configNote: first bytes magic values are "r#","R#","q#","Q#".
Therefore you should use Padbusterdotnet to encrypt the string "|||~/Web.config" and bruteforce the values of a test block that will be added at the beginning of the encrypted data . Since the S-Box of Triple Des and AES give a total different block for each byte that changes on the first block, we can simply substitute random bytes in the first block.
This is quite reliable, but it takes some thousand requests to be successful.
See the exploit code in action, with full details:
http://www.youtube.com/watch?v=tlCRivo8Sis
Do I really need a Padding Oracle for breaking .NET encryption?
The answer here is NO. In unpatched framework 3.5 Sp1 (and maybe above) "ScriptResource.axd" is flawed. If you send the "T" magic value as the first letter of the first block after decryption, it will decrypt the whole "d" parameter. You do not need Padding Oracle at all.
In addition since it's a pure fast bruteforce attack, you do not need to check for 404 vs 500 errors: you just need to check for 200 status codes.
This feature exists because of the following code in "ScriptResource.axd" handler:
"case ‘T’
OutputEmptyPage(response,strSubstring(1))"- where strSubstring(1) is the “d” parameter decrypted
As you can see to decrypt any string encoded with the MachineKey you just need to bruteforce the first block (this is very fast because you need to guess only 1 letter). If you prepend this block, you can instantly decrypt any string, so you don't need Padding Oracle Anymore.
P.s. since you also see the plaintext from your encrypted block, you could be able to encrypt arbitrary values.
The following is the output you get from the handler:
Example:Exploit code is very similar to Web.config_bruter for decrypting. For encrypting is a bit more difficult... for now :D
n0def@tremors:~/n0def$ ./Tblock_exploiter.pl
”
parent.Sys.Application._onIFrameLoad(); &X; :�ס�{ ts~{��ס�{ ts~{�{ t{ r|~/mydocument.jsts~{
“
