bchetioui

Hey,

Thanks for the awesome challenge (and the solving script)! I would like to make a friendly contribution :)

In order to avoid padding for a single base64 encoding, we need the length l of our initial message to be a multiple of 3, as three 8-bit characters are encoded as exactly four 6-bit/base64 characters.

The length of the resulting message will be l × 4 / 3, since three characters are encoded into four.
len(x) = l × 4 / 3
len(xx) = l × 4 / 3 × 4 / 3
len(xxx) = l × 4 / 3 × 4 / 3 × 4 / 3

For xxx to not contain padding, we need len(xx) to be a multiple of 3; same reasoning for len(xx), for which you need len(x) to be a multiple of 3, and len(x) for which you need l to be a multiple of 3.

Since 3 and 4 are coprime, we can sort of remove the 4 from the equations for our reasoning.
Hence, we need:
l % 3 == 0 && len(x) % 3 == 0 && len(xx) % 3 == 0
<=> l % 3 == 0 && l / 3 % 3 == 0 && l / 3 / 3 % 3 == 0
<=> l % 3^3 == 0
<=> l % 27 == 0

Sorry for the long-winded (possibly unneeded?) explanation!
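The arithmetic above can be checked directly by encoding. The following is an added example (not code from this pull request or from the original PoC): it runs three layers of base64 over inputs of every length up to a limit and records which lengths leave all three layers free of `=`, and it shows a deterministic way to bring a payload up to a multiple of 27 bytes instead of appending random characters. The filler byte and the helper names are assumptions of this example.

```python
import base64
from typing import List


def padding_free_layers(data: bytes) -> List[bool]:
    """For each of the three base64 layers (x, xx, xxx), report whether
    that layer's output contains no '=' padding character."""
    layers = []
    cur = data
    for _ in range(3):
        cur = base64.b64encode(cur)
        layers.append(b"=" not in cur)
    return layers


def lengths_without_padding(max_len: int) -> List[int]:
    """Return every message length in 1..max_len for which all three
    encoding layers are free of padding. Expected: the multiples of 27."""
    return [
        l for l in range(1, max_len + 1)
        if all(padding_free_layers(b"A" * l))
    ]


def pad_to_multiple(data: bytes, n: int = 27, filler: bytes = b"A") -> bytes:
    """Deterministically extend data to a multiple of n bytes.
    The filler byte is a constructed choice for this example; in practice
    it must be something the consuming application tolerates."""
    missing = (-len(data)) % n
    return data + filler * missing


def triple_b64_no_padding(data: bytes) -> bytes:
    """Pad to a multiple of 27 bytes, then apply base64 three times.
    By the l % 27 == 0 argument, the result never contains '='."""
    padded = pad_to_multiple(data)
    out = padded
    for _ in range(3):
        out = base64.b64encode(out)
    if b"=" in out:
        raise AssertionError("unexpected padding in triple base64")
    return out


if __name__ == "__main__":
    # Constructed sample: a 30-byte payload, the length that hung the PoC.
    sample = b"A" * 30
    print("lengths <= 100 with no padding in any layer:", lengths_without_padding(100))
    print("30-byte payload, padding-free per layer:", padding_free_layers(sample))
    print("after padding to 27k bytes:", triple_b64_no_padding(sample)[:16], "...")
```

For a 30-byte payload the first layer is clean (30 is a multiple of 3) but the second is not, since 30 × 4 / 3 = 40 is not a multiple of 3; padding the input to 54 bytes fixes every layer.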

@abdilahrf

Actually, the current exploit is better, so people could easily understand from the code that the base64 can't contain =.

@bchetioui
Author

I definitely see the value in that, so maybe a comment could be added? :-)
Either way, I don't believe adding a loop and a random sample of characters is the way to go, but I'll leave that to the appreciation of @orangetw :)

@orangetw
Owner

Hi, thanks for the pull request. This is just a Proof-of-Concept, so it's fine if there is no obvious mistake!
But still thank you for the improvement :)

@bchetioui
Author

Hi! Alright, no worries :)

To explain a bit further why I felt the need to make that contribution: my friend was having trouble running the PoC with his own payload, which happened because his payload was 30 characters long and the script was therefore stuck in an infinite loop, as the line junk = ''.join(sample(string.ascii_letters, randint(8, 16))) did not add enough characters to make a valid payload.

Should I just close the PR?

@bchetioui bchetioui closed this Jul 5, 2021