exploit.py
import ecdh
import tonelli_shanks
import hmac
from pwn import *
from Crypto.Util.number import *
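def crt(list_a, list_m):
    """Solve a system of congruences with the Chinese Remainder Theorem.

    Given residues ``list_a[i]`` and moduli ``list_m[i]``, return the value
    ``x`` in ``[0, M)`` with ``x % list_m[i] == list_a[i] % list_m[i]`` for
    every ``i``, where ``M`` is the product of all moduli.

    Returns -1, after printing a diagnostic, when the two lists differ in
    length, when the moduli are not pairwise coprime, or when a modular
    inverse cannot be computed. A valid result is never negative, so -1 is
    unambiguous. An empty system yields 0.

    Uses ``GCD`` and ``inverse`` from ``Crypto.Util.number``.
    """
    # Explicit checks instead of assert: asserts vanish under ``python -O``.
    if len(list_a) != len(list_m):
        print("[+] Length of list_a should be equal to length of list_m")
        return -1

    # GCD is symmetric, so each unordered pair is checked once.
    count = len(list_m)
    for i in range(count):
        for j in range(i + 1, count):
            if GCD(list_m[i], list_m[j]) != 1:
                print("[+] Moduli should be pairwise co-prime")
                return -1

    M = 1
    for modulus in list_m:
        M *= modulus

    # Floor division keeps the cofactors exact integers on Python 2 and 3.
    list_b = [M // modulus for modulus in list_m]

    inverse_error = (
        "[+] Encountered an unusual error while calculating inverse "
        "using Crypto.Util.number.inverse()"
    )

    # The original wrote ``assert [ ... ]``; a non-empty list is always
    # truthy, so that check never fired. ``all`` tests every cofactor.
    if not all(GCD(cofactor, modulus) == 1
               for cofactor, modulus in zip(list_b, list_m)):
        print(inverse_error)
        return -1

    try:
        list_b_inv = [int(inverse(cofactor, modulus))
                      for cofactor, modulus in zip(list_b, list_m)]
    except Exception:
        # Broad on purpose: how inverse() signals failure is not visible
        # from this file. Unlike a bare ``except`` it lets Ctrl-C through.
        print(inverse_error)
        return -1

    x = sum(residue * cofactor * cofactor_inv
            for residue, cofactor, cofactor_inv
            in zip(list_a, list_b, list_b_inv))
    return x % M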
# Curve parameters. All four curve objects share the prime p and the
# coefficient a; they differ only in the last CurveFp argument.
p = 233970423115425145524320034830162017933
a = -95051 % p
b = [210, 504, 727]
E = ecdh.CurveFp(p, a, 11279326)
E1 = ecdh.CurveFp(p, a, b[0])
E2 = ecdh.CurveFp(p, a, b[1])
E3 = ecdh.CurveFp(p, a, b[2])

# One small prime per entry of P_list, in the same order.
# NOTE(review): the three rows look like they correspond to the three
# entries of b -- confirm against exploit2.py.
factor_b = [
    3, 11, 23, 31, 89, 4999, 28411, 45361,
    5, 61, 12157, 34693,
    7, 37, 67, 607, 1979, 13327, 13799,
]

# P_list from exploit2.py: (x, y) pairs, one per entry of factor_b.
# The Python 2 ``L`` suffixes are dropped; integers of this size are longs
# either way, so the values are unchanged.
P_list = [
    (105895660736863454274321881122632654157, 342531483552213517225306629834659424),
    (25009026403236908039362171471063068818, 59231725513888351032489570238411587158),
    (70150780357007297518680616992721897742, 18202599217028100699184036782555709713),
    (49492023958156760758523378171426315175, 9208024904136813500187089392699334221),
    (11219099304956698015468589612844233090, 199721134676338249818087241328268607044),
    (156240951341212926876962819609972413506, 40459464131720345311628266083894465957),
    (166556958131227622634854153971124571864, 207375653248730789924625824072222860960),
    (195142734246143407301815845026225486446, 94410925486977068215994385133075970405),
    (77768428778046577260943334060979512014, 27316509752091585813922578326436655295),
    (218149793237074970812352393172005624993, 78647625600574672678337931984786026458),
    (127676146527582325256357796599100534436, 222122272665797356236101254885803093984),
    (212941941097791550784138943929213735398, 206076144621874037512804855617219288843),
    (207666188440911342555510229622020506110, 232682873870850647305209515631886061877),
    (44930102450683593614192237706090336832, 22963326229637852757671078785687604769),
    (192708543378109762131792840753247172288, 191595340215391335707129662217495541792),
    (32768587669721887874813164879150413222, 218383204076816153320369166791236457041),
    (95027446422794910924721735151894972969, 6063018232051080130212363586992609093),
    (94906484471612213883010611856982885645, 205534393524200978841486482211704632882),
    (205709069038391434070479438568936502527, 42240112941241700726569585810056586739),
]

# NOTE(review): P is not referenced again in this file, and this call passes
# one more positional argument than the Point(...) call further down --
# confirm the ecdh.Point signature before relying on it.
P = ecdh.Point(
    E,
    182,
    85518893674295321206118380980485522083,
    29246302889428143187362802287225875743,
)

# Each point needs exactly one small prime.
assert len(P_list) == len(factor_b)
# Python 2 script: the HMAC comparison below mixes str and bytes freely.
#
# What this demonstrates: for every (point, small prime) pair the local
# service ./run.sh is started, handed the point as a "public key", and the
# tag it prints is matched against every small multiple of that point.
# NOTE(review): this looks like a key-recovery against a service that
# multiplies its long-term secret by a received point without first checking
# the point -- confirm against the service source. The usual defences are to
# verify that a peer key satisfies the curve equation, is not the identity
# and has the expected order before using it, and to avoid a static secret.

# One residue per prime of factor_b, appended in the same order.
# NOTE(review): when no candidate matches, nothing is appended, so b_list
# ends up shorter than factor_b and crt() reports the length mismatch.
b_list = []

for point, order in zip(P_list, factor_b):
    if order == 2:
        print(point)

    target = process("./run.sh")

    # Skip the two lines the service prints first.
    target.recvline()
    target.recvline()

    target.recvuntil("x-coordinate of your public key: ")
    target.sendline(str(point[0]))
    target.recvuntil("y-coordinate of your public key: ")
    target.sendline(str(point[1]))

    # One more line is discarded before the line that carries the tag.
    target.recvline()
    reply = target.recvline()

    # The first 33 characters of the reply are dropped; presumably a fixed
    # label in front of the hex digest -- confirm against the service output.
    tag_hex = reply[33:].strip()

    if tag_hex != "":
        # Same output as the Python 2 statement ``print "...", value``.
        print(" ".join(["factor_b[k]: ", str(order)]))
        for candidate in range(1, order):
            base = ecdh.Point(E, point[0], point[1])
            shared_x = (candidate * base).x()
            guess = hmac.new(long_to_bytes(shared_x), "test").hexdigest()
            if guess == tag_hex:
                # Only the square is stored -- presumably because a multiple
                # and its negation share the same x-coordinate.
                b_list.append(pow(candidate, 2, order))
                break
    else:
        # Nothing after the label: recorded as residue 0.
        b_list.append(0)

    target.close()

print(b_list)
print(crt(b_list, factor_b))