Add support for two different paddings: PKCS7 and ANSIX923

Author: hckr

PaddingOracleDecryptor.cs

@@ -0,0 +1,61 @@
+using System;
+using System.Text;
+using System.Reflection;
+using System.Security.Cryptography;
+
+namespace Padding_Oracle_Attack
+{
+    class PaddingOracleDecryptor
+    {
+        private RemoteServerMock oracle;
+        private PaddingValueProvider paddingValueProvider;
+
+        public PaddingOracleDecryptor(RemoteServerMock oracle)
+        {
+            this.oracle = oracle;
+
+            PaddingMode paddingMode = oracle.Padding;
+            // TODO: ugly, but works!
+            paddingValueProvider = (int pos, int paddingLength, int blockLength) => (byte)(typeof(PaddingValueProviders).GetMethod(Enum.GetName(typeof(PaddingMode), paddingMode)).Invoke(null, new object[] { pos, paddingLength, blockLength }));
+        }
+
+
+        public string DecryptBlock(byte[] block, byte[] previousBlock)
+        {
+            byte[] decrypted = new byte[block.Length];
+            byte[] manipulatedPrevious = new byte[16];
+
+            for (int currentPosition = block.Length - 1; currentPosition >= 0; --currentPosition)
+            {
+                var paddingLength = block.Length - currentPosition;
+
+                for (int pos = block.Length - 1; pos > currentPosition; --pos)
+                {
+                    manipulatedPrevious[pos] ^= (byte)(paddingValueProvider(pos, paddingLength - 1, block.Length) ^ paddingValueProvider(pos, paddingLength, block.Length));
+                }
+
+                var found = false;
+
+                for (byte v = byte.MinValue; v <= byte.MaxValue; ++v)
+                {
+                    manipulatedPrevious[currentPosition] = v;
+
+                    if (oracle.IsPaddingCorrect(ByteUtils.Concatenate(manipulatedPrevious, block)))
+                    {
+                        found = true;
+                        decrypted[currentPosition] = (byte)(previousBlock[currentPosition] ^ paddingValueProvider(currentPosition, paddingLength, block.Length) ^ v);
+                        break;
+                    }
+                }
+
+                if (!found)
+                {
+                    throw new Exception("Decryption not possible");
+                }
+            }
+
+            return Encoding.UTF8.GetString(decrypted, 0, decrypted.Length);
+        }
+
+    }
+}

PaddingValueProviders.cs

@@ -0,0 +1,17 @@
+namespace Padding_Oracle_Attack
+{
+    public delegate byte PaddingValueProvider(int pos, int paddingLength, int blockLength);
+
+    class PaddingValueProviders
+    {
+        public static byte PKCS7(int pos, int paddingLength, int blockLength)
+        {
+            return (byte)paddingLength;
+        }
+
+        public static byte ANSIX923(int pos, int paddingLength, int blockLength)
+        {
+            return (byte)((pos == blockLength - 1) ? paddingLength : 0);
+        }
+    }
+}

Program.cs

@@ -1,4 +1,5 @@
-using System.Net.Mime;
+using System.Security.Cryptography;
+using System.Net.Mime;
 using System.Linq;
 using System.Diagnostics;
 using System;
@@ -9,7 +10,8 @@ namespace Padding_Oracle_Attack
 {
     class PaddingOracleAttack
     {
-        private static RemoteServerMock server = new RemoteServerMock();
+        private static RemoteServerMock server = new RemoteServerMock(PaddingMode.PKCS7);
+        private static PaddingOracleDecryptor decryptor = new PaddingOracleDecryptor(server);
 
         public static void Main(String[] args)
         {
@@ -36,7 +38,7 @@ public static void Main(String[] args)
             {
                 stopwatch.Start();
 
-                string decryptedPlaintext = DecryptBlock(blocks[blockIndex], blocks[blockIndex - 1]);
+                string decryptedPlaintext = decryptor.DecryptBlock(blocks[blockIndex], blocks[blockIndex - 1]);
 
                 stopwatch.Stop();
 
@@ -57,15 +59,17 @@ private static void HandleConfigurationArguments(String[] args)
         {
             OptionSet arguments = new OptionSet();
             arguments.Add("d|delay=", "oracle delay in milliseconds for each padding request", (uint d) => server.OracleDelayMilliseconds = d);
-            arguments.Add("h|help", "displays this message", _ => {
+            arguments.Add("h|help", "displays this message", _ =>
+            {
                 arguments.WriteOptionDescriptions(Console.Out);
                 Environment.Exit(0);
             });
 
             try
             {
                 var rest = arguments.Parse(args);
-                if (rest.Count == 0) {
+                if (rest.Count == 0)
+                {
                     return;
                 }
                 Console.WriteLine("Unrecognized arguments: {0}", String.Join(",", rest));
@@ -78,38 +82,5 @@ private static void HandleConfigurationArguments(String[] args)
             arguments.WriteOptionDescriptions(Console.Out);
             Environment.Exit(1);
         }
-
-        private static string DecryptBlock(byte[] block, byte[] previousBlock)
-        {
-            byte[] decrypted = new byte[block.Length];
-            byte[] manipulatedPrevious = new byte[16];
-
-            // in case of PKCS7 padding value is same as padding length
-            for (int paddingLength = 1; paddingLength <= block.Length; ++paddingLength)
-            {
-                for (int pos = block.Length - 1; pos >= block.Length - paddingLength; --pos)
-                {
-                    int previousPaddingLength = paddingLength - 1;
-                    manipulatedPrevious[pos] ^= (byte)(previousPaddingLength ^ paddingLength);
-                }
-                var found = false;
-                for (byte v = byte.MinValue; v <= byte.MaxValue; ++v)
-                {
-                    manipulatedPrevious[block.Length - paddingLength] = v;
-                    if (server.IsPaddingCorrect(ByteUtils.Concatenate(manipulatedPrevious, block)))
-                    {
-                        found = true;
-                        decrypted[block.Length - paddingLength] = (byte)(previousBlock[block.Length - paddingLength] ^ paddingLength ^ v);
-                        break;
-                    }
-                }
-                if (!found)
-                {
-                    throw new Exception("Decryption not possible. This function supports only AES/CBC/PKCS7");
-                }
-            }
-
-            return Encoding.UTF8.GetString(decrypted, 0, decrypted.Length);
-        }
     }
 }

RemoteServerMock.cs

@@ -9,11 +9,17 @@ class RemoteServerMock
         private Aes aesAlg = Aes.Create();
         public uint OracleDelayMilliseconds { get; set; } = 0;
 
-        public RemoteServerMock()
+        public PaddingMode Padding {
+            get {
+                return aesAlg.Padding;
+            }
+        }
+
+        public RemoteServerMock(PaddingMode paddingMode = PaddingMode.PKCS7)
         {
             aesAlg.BlockSize = 128;
             aesAlg.Mode = CipherMode.CBC;
-            aesAlg.Padding = PaddingMode.PKCS7;
+            aesAlg.Padding = paddingMode;
         }
 
         public byte[] Encrypt(string plaintext)