Fix payload padding to avoid loop #6
Conversation
|
actually the current exploit is better , so people could understand the code easy about the base64 can't contain = |
|
I definitely see the value in that, so maybe a comment could be added? :-) |
|
Hi, thanks for the pull request. This is just a Proof-of-Concept, so it's fine if there is no obvious mistake! |
|
Hi! Alright, no worries :) To explain a bit further why I felt the need to make that contribution, my friend was having trouble running the PoC with his own payload, which happened because his payload was 30 characters, and was therefore stuck in an infinite loop as the line Should I just close the PR? |
Hey,
Thanks for the awesome challenge (and the solving script)! I would like to make a friendly contribution :)
In order to avoid padding for a single base64 encoding, we need the length l of our initial message to be a multiple of 3, as three 8-bit characters are encoded as exactly four 6-bit/base64 characters.
The length of the resulting message will be l × 4 / 3, since three characters are encoded into four.
len(x) = l × 4 / 3
len(xx) = l × 4 / 3 × 4 / 3
len(xxx) = l × 4 / 3 × 4 / 3 × 4 / 3
For xxx to not contain padding, we need len(xx) to be a multiple of 3; same reasoning for len(xx), for which you need len(x) to be a multiple of 3, and len(x) for which you need l to be a multiple of 3.
Since 3 and 4 are coprime, we can sort of remove the 4 from the equations for our reasoning.
Hence, we need:
l % 3 == 0 && len(x) % 3 == 0 && len(xx) % 3 == 0
<=> l % 3 == 0 && l / 3 % 3 == 0 && l / 3 / 3 % 3 == 0
<=> l % 3^3 == 0
<=> l % 27 == 0
Sorry for the long-winded (possibly unneeded?) explanation!