strcmppwn.py
#!/usr/bin/env python
# Author Dario Clavijo 2018
# GPLv3
# POC: strcmp timing attack
# -*- coding: utf-8 -*-
# The string the demo tries to recover by timing its own toy strcmp()
# below. It is a fixed in-file constant; nothing external is read.
target = "My super secret passphrase..."
print("Size: %d" % len(target))
print("Target: " + target)
def strcmp(a, b):
    """Return 0 if *a* and *b* are equal, 1 otherwise.

    Deliberately shaped like a naive C strcmp: a length mismatch returns
    at once, and the loop stops at the first differing position. Its
    running time therefore grows with the number of leading characters
    that match -- that is the leak the rest of this POC measures.
    Never compare secrets this way; use hmac.compare_digest instead.
    """
    if len(a) != len(b):
        return 1
    for left, right in zip(a, b):
        if left != right:
            return 1
    return 0
# it seems that the native python string comparison is safe
def strcmp2(a, b):
    """Compare *a* and *b* with the interpreter's built-in ``==``.

    The author's comment above records that this variant showed no
    usable timing difference in this POC. NOTE(review): CPython's str
    equality compares lengths first and then the raw contents, and is
    not documented as constant-time -- confirm before relying on it;
    for secrets prefer hmac.compare_digest.
    """
    are_equal = (a == b)
    return are_equal
import time
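def gettime():
    """Return a float timestamp suitable for computing elapsed intervals.

    Uses time.perf_counter() when the interpreter provides it (3.3+):
    it is monotonic and high-resolution, so a wall-clock adjustment can
    no longer yield a negative or distorted interval in measure(). On
    older interpreters it falls back to time.time(), which the original
    used. Only the difference between two calls is meaningful.
    """
    clock = getattr(time, "perf_counter", time.time)
    return clock()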
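def measure(function, target, candidate, iterations=10000):
    """Return the seconds spent calling ``function(target, candidate)``
    *iterations* times in a row.

    One comparison is far below the timer's resolution, so the call is
    repeated and the whole batch is timed. *iterations* defaults to the
    10000 that was hard-coded originally, so existing three-argument
    callers behave exactly as before. The result is a raw total (not an
    average) and includes loop and timer overhead.
    """
    t0 = gettime()
    for _ in range(iterations):
        function(target, candidate)
    t1 = gettime()
    return t1 - t0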
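def guess_len(limit=30):
    """Return the candidate length whose comparison against ``target``
    took the longest.

    strcmp() returns immediately on a length mismatch and only enters
    its per-character loop when the lengths agree, so the true length
    is expected to be the slowest. Lengths 1 .. limit-1 are tried (the
    exclusive bound matches the original range(1, 30)); each is
    measured once and printed as "length,seconds". Ties resolve to the
    later length, as before. best_i is now assigned on the first
    iteration, so the function cannot fail with an unbound variable
    when every measurement is <= 0. Returns None if limit <= 1.
    """
    best = None
    best_i = None
    for i in range(1, limit):
        t = measure(strcmp, target, "A" * i)
        print("%d,%2.10f" % (i, t))
        if best is None or t >= best:
            best = t
            best_i = i
    return best_i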
def chargen(alpha=False):
    """Yield the candidate characters tried at one position of the guess.

    With alpha=True the pool is the ASCII letters, '.' and space (the
    exact string used originally); otherwise chr(0) through chr(254)
    are produced -- the range stops at 254, so chr(255) is never
    yielded, as in the original.
    """
    if alpha:
        pool = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. "
    else:
        pool = map(chr, range(255))
    for c in pool:
        yield c
def pwnOracle():
    """Recover ``target`` one position at a time by timing strcmp().

    guess_len() first picks the length; then, for each position, every
    character from chargen(True) is tried once and the one whose
    measure() call took longest is kept. Each candidate gets a single
    measurement, so the result is noisy -- this is only a demonstration
    of why a comparison of secret data must not exit early. Prints the
    guessed length, each position, every candidate with its timing, and
    finally the recovered string.
    """
    length = guess_len()
    print("guess_len: %d" % length)
    candidate = list(" " * length)
    recovered = ""
    for pos in range(length):
        print("pos: %d" % (pos + 1))
        slowest = 0.0
        slowest_c = ""
        for c in chargen(True):
            candidate[pos] = c
            elapsed = measure(strcmp, target, "".join(candidate))
            if elapsed > slowest:
                slowest, slowest_c = elapsed, c
            print("%s %2.10f" % (candidate, elapsed))
        candidate[pos] = slowest_c
        recovered += slowest_c
    print("Best: %s" % recovered)
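if __name__ == "__main__":
    # Run the demo only when executed as a script, so importing this
    # module (e.g. to reuse strcmp or measure) does not start the loop.
    pwnOracle()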