Hamza Kharbouch

ENEE459C

HOMEWORK#1
PROBLEM 1:
Using the simple replication, the minimum number of blocks that can be
deleted in order to make some bI irretrievable is 2; since this method is a one
to one replication then the deletion of the two copies makes it impossible for
the hacker to retrieve data using the other blocks. In the second technique,
deleting any n block out of the 2n blocks still allows data retrieval simply by
using the polynomial interpolation technique. If we consider the polynomial
of the form P(x)=(x-b1)(x-b2).(x-bn) where we store b1 to bn and P(R1) to
P(Rn) for random Rs; since there would be n equations and n unknowns then
adversary would need to delete n+1 blocks to make data irretrievable for a
certain bi.

PROBLEM 2:
1. The multiple cipher texts can be XORd together in order to get rid of
the key and get both plaintexts XORd together. The common or
expected words can then be XORd with the previous step until legible
words or phrases appear. This might not decipher the entire text but
will reveal the position of the word used. For example, if one plain text
says CLOSE THE DOOR and the other says IN THE KITCHEN and the
adversary XORs the cipher texts and another XOR with a common word
like THE then they would find KITC and SE TH. If they had more
known words available, they would easily be able to use this technique
to get the majority of the plaintext. Once the plaintexts are found, they
can simply XOR one of them with its cipher in order to reveal the key
used to encode them.
2. If the adversary knows SOLDIERS and WITHDRAW occur in the
plaintext, they can XOR the two cipher texts together to get rid of the
key (A XOR K XOR B XOR K = A XOR B) and then they can XOR
00000000SOLDIERS and 00000000WITHDRAW with A XOR B and
keep moving until they find legible text. In this case --------

TOMORROW and LOSS: 50-------. Now the whole plaintext is

deciphered because the words provided fill the blanks that are missing.
3. Cipher Text of Message 1:
737f68797e691a10020c1d6e75100c7009651d1d6561060c6d0b
6f046116650c031e1c001c09130a001b0163016569637a626f72
Cipher Text of Message 2:
6e6f7c6f78001d0018017270140016770e720b1d656f06690e17
7900150b671f0e020d6917680a0b791c6e0a0b006f676b636673
Cipher Text of Message 3:
6378737a7e6f091717151a6916731165026801071475111a6d17
651c18646f036f1f04741c0d0c0f74060d10656d65797e66730e
Known words: CRYPTOGRAPHIC PASSWORDS DECIPHER MATHEMATICS
We start by converting the known words into hexadecimal form in correlation
with the ASCII then we XOR Message 1 with Message 2, Message 1 with
Message 3, and Message 2 with Message 3: this is to get rid of the key used
to encode the plain texts and just keep the cipher texts XORd with each
other. Then we repeat the process described earlier for each of the known
words with each of the resultants of XOR the two cipher texts and then we
look for the legible words, their position and in which two texts. Here is the
code that performs all the XORing necessary in order to obtain an output that
checks all the possible characters.

So the output comes out of this code give us the following (this is not the full
output as it is too long to put in a word document):
XORing CRYPTOGRAPHIC with AB:
^BMFR&@B[]'W"/ruDls9
SFOV=HWHL?V(S/ruDls9
WD_9S_]_.N)YY/ruDls9
UT0WDUJ=_1XSD/ruDls9
E;^@NB(L @RND/ruDls9
*UIJY Y3QJONT/ruDls9
DBC];Q&B[WO^U/ruDls9
SHT?J.WHFW__C/ruDls9
Y_6N5_]UFG^IC/ruDls9
N=G1DU@UVFHIM/ruDls9
,L8@NH@EWPHGC/ruDls9
]3IJSHPDAPFI&/ruDls9
"BCWSXQRA^H, /ruDls9
SH^WCYGROP-*_/ruDls9

YU^GBOG\A5+UU/ruDls9
DUNFTOIR$3T_G/ruDls9
DEOPTAG7"L^M7/ruDls9
TDYPZO"1]FL=^/ruDls9
URY^T*$NWT<TA/ruDls9
CRWP1,[DE$UKP/ruDls9
C\Y57SQV5MJZN/ruDls9
MR<3HYC&\R[D_/ruDls9
C7:LBK3OCCEUR/ruDls9
&1EFP;ZPR]TX*/ruDls9
NOT REALLY H/ruDls9
_D]$IMT_]A!B"/ruDls9
UV-MV\JNP9C(Z/ruDls9
G&DRGB[C([)PB/ruDls9
7O[CYSV;J1QH:/ruDls9
^PJ]H^.Y II0D/ruDls9
AATLE&L3XQ1N,/ruDls9
P_EA=D&K@)O&*/ruDls9
NNH9_.^S8W' I/ruDls9
_C0[5VF+F?!C&/ruDls9
R;R1MN>U.9B,E/ruDls9
*Y8IU6@=(Z-OG/ruDls9
H3@Q-H(;K5NMR/ruDls9
"KX)S .X$VLXB/ruDls9
ZS W;&M7GTYHJ/ruDls9
B+^?=E"TEAI@B/ruDls9

XORing PASSWORDS with BC:

]V\FQ FS\EM\>/ruDls9
GNFU8[EKGEM\>/ruDls9
_TU<CX]P;EM\>/ruDls9
EG<G@@F,JEM\>/ruDls9
V.GDX[:]QEM\>/ruDls9
?UD\C'KF EM\>/ruDls9
DV\G?VP7TEM\>/ruDls9

GNG;NM!CAEM\>/ruDls9
_U;JU<UV_EM\>/ruDls9
D)JQ$H@HIEM\>/ruDls9
8XQ P]^^YEM\>/ruDls9
IC TECHNIEM\>/ruDls9
R2TA[UX^"EM\>/ruDls9
#FA_MEH5IEM\>/ruDls9
WS_I]U#^DEM\>/ruDls9
BMIYM>HS EM\>/ruDls9
\[YI&UE70EM\>/ruDls9
JKI"MX!'SEM\>/ruDls9
Z["I@<1DOEM\>/ruDls9
J0ID$,RXOEM\>/ruDls9
![D 4ONX^EM\>/ruDls9
JV 0WSNI<EM\>/ruDls9
G20SKS_+[EM\>/ruDls9
#"SOKB=LOEM\>/ruDls9
3AOOZ ZX2EM\>/ruDls9
P]O^8GN%NEM\>/ruDls9
L]^<_S3YZEM\>/ruDls9
LL<[K.OMNEM\>/ruDls9
].[O6R[YXEM\>/ruDls9
?IO2JFOO6EM\>/ruDls9
X]2N^RY!UEM\>/ruDls9
L NZJD7BWEM\>/ruDls9
1\ZN\*T@^EM\>/ruDls9
MHNX2IVIIEM\>/ruDls9
Y\X6QK_^0EM\>/ruDls9
MJ6USBH'IEM\>/ruDls9
[$UWZU1^=EM\>/ruDls9
5GW^M,H*>EM\>/ruDls9
VE^I4U<)YEM\>/ruDls9
TLI0M!?NMEM\>/ruDls9
][0I9"XZFEM\>/ruDls9
J"I=:ELQVEM\>/ruDls9

3[=>]QGAFEM\>/ruDls9
J/>YIZWQ.EM\>/ruDls9

XORing DECIPHER with AB:

YUW_V!BB.EM\>/ruDls9
TQUO9OUH.EM\>/ruDls9
PSE WX__.EM\>/ruDls9
RC*N@RH=.EM\>/ruDls9
B,DYJE*L.EM\>/ruDls9
-BSS]'[3.EM\>/ruDls9
CUYD?V$B.EM\>/ruDls9
T_N&N)UH.EM\>/ruDls9
^H,W1X_U.EM\>/ruDls9
I*](@RBU.EM\>/ruDls9
+["YJOBE.EM\>/ruDls9
Z$SSWORD.EM\>/ruDls9
%UYNW_SR.EM\>/ruDls9
T_DNG^ER.EM\>/ruDls9
^BD^FHE\.EM\>/ruDls9
CBT_PHKR.EM\>/ruDls9
CRUIPFE7.EM\>/ruDls9
SSCI^H 1.EM\>/ruDls9
RECGP-&N.EM\>/ruDls9
DEMI5+YD.EM\>/ruDls9
DKC,3TSV.EM\>/ruDls9
JE&*L^A&.EM\>/ruDls9
D UFL1O.EM\>/ruDls9
!&__T<XP.EM\>/ruDls9
'YUM$UGA.EM\>/ruDls9
XSG=MJV_.EM\>/ruDls9
RA7TR[HN.EM\>/ruDls9
@1^KCEYC.EM\>/ruDls9
0XAZ]TT;.EM\>/ruDls9
YGPDLY,Y.EM\>/ruDls9
FVNUA!N3.EM\>/ruDls9

WH_X9C$K.EM\>/ruDls9
IYR [)\S.EM\>/ruDls9
XT*B1QD+.EM\>/ruDls9
U,H(II<U.EM\>/ruDls9
-N"PQ1B=.EM\>/ruDls9
O$ZH)O*;.EM\>/ruDls9
%\B0W',X.EM\>/ruDls9
]D:N?!O7.EM\>/ruDls9
E<D&9B T.EM\>/ruDls9
=B, Z-CV.EM\>/ruDls9
C**C5NAC.EM\>/ruDls9
+,I,VLTS.EM\>/ruDls9
-O&OTYD[.EM\>/ruDls9
N EMAILS.EM\>/ruDls9
PJ1NA@[7S->\>/ruDls9
F$RLHW"N'.Y\>/ruDls9
(GPE_.[:$IM\>/ruDls9
KEYR&W/9C]F\>/ruDls
XORing MATHEMATICS with AC:
]FOKEKRS\ZT\>/ruDls9
JZWHC^FAPDT\>/ruDls9
VBTNVJTMND0\>/ruDls9
NAR[BXXSN 0\>/ruDls9
MGGOPTFS* N\>/ruDls9
KRS]\JF7*^F\>/ruDls9
^FAQBJ"7TVX\>/ruDls9
JTMOB."I\H^\>/ruDls9
XXSO&.\ABNO\>/ruDls9
TFS+&PT_D_I\>/ruDls9
JF7+XXJYUY"\>/ruDls9
J"7UPFLHS2G\>/ruDls9
."I]N@]N8WD\>/ruDls9
.\ACHQ[%]TE\>/ruDls9
PT_EYW0@^US\>/ruDls9
XJYT_<UC_CO\>/ruDls9

FLHR4YVBI_Y\>/ruDls9
@]N9QZWTUIK\>/ruDls9
Q[%\R[AHC[*\>/ruDls9
W0@_SM]^Q:!\>/ruDls9
<UC^EQKL01Y\>/ruDls9
YVBHYGY-;I\\>/ruDls9
ZWTTOU8&CL?\>/ruDls9
[AHB]43^F/R\>/ruDls9
M]^P<?K[%BK\>/ruDls9
QKL17GN8H['\>/ruDls9
GY-:OB-UQ7S\>/ruDls9
U8&BJ!@L=CW\>/ruDls9
43^G)LY IGL\>/ruDls9
?K[$DU5TM\V\>/ruDls9
GN8I]9APVF'\>/ruDls9
B-UP1MEKL7N\>/ruDls9
!@L<EI^Q=^_\>/ruDls9
LY HARD TO \>/ruDls9

With a simply but tedious scanning of the code, we obtain the following
results:

And after associating every bit of phrase to its right position and text we
obtain the three following plaintext messages:
Message A: SUBSTITUTION CIPHERS ARE NOT REALLY HARD TO DECIPHER
Message B: NEVER SEND PASSWORDS OR CRYPTOGRAPHIC KEYS IN EMAILS
Message C: CRYPTOGRAPHIC TECHNIQUES RELY ON MATHEMATICS MOSTLY.

PROBLEM 3:

The int payload in the heartbeat code is the length of the heartbeat and its
value is from p in line 14 which comes from the sender in lines 2.4. This
means that the sender can give an arbitrary value for the payload. The
memcpy in line 37 will copy over whatever value of the users memory is
specified by pl; if this amount is more than the actual length of payload, then
the other parts of memory will be sent back along with pl. This can allow the
sender to see extra data. We could fix this by checking if the length of the
string the user sends is actually the same as the length of the payload using
the strlen() function.
Check = strlen(p);
If (payload != check) {
Goto Deny_pl();
} else
<the code>
The official fix for HeartBleed was :
/* Read type and payload length first */
if (1 + 2 + 16 > s->s3->rrec.length)
return 0; /* silently discard */
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;

This denies the 0 length payload values and payload values that are larger
than the actual length of pl thus denying access to extra data and ending the
program if the lengths dont match.

PROBLEM 4:

In this problem, we executed the Hello World code provided to make sure
that everything was working fine and then we started working on our attack
which will be explained in detail using the following screenshots and their
annotations:

This is the modified version of our myprog.cgi that adds an extra line to go
fetch for information in another directory without permission and return
whatever is supposed to be in test. This is how the Shellshock attack is
launched i.e. acquiring data that is not supposed to be accessible. As you
can see in the screenshot, the files located in the etc directory include the
test file that we created and that we will try to access.

This is the text file we created called test that we will try to extract
indirectly using the previous CGI program. This is information shouldnt be
displayed. Why is hacking so easy? (I know there is a typo, sorry!)

As we can see, when we execute the curl command we get to extract the
extra information that was enclosed in the test file. So the attack was
successful.