Initial release

rsa_cm/message1.b64

@@ -0,0 +1,6 @@
+SdDNt6n9EEF+utJNMcTMIEYy9soQylbI9ZMgOPQPW8O32kv/YalsXJZZBTr8peZW
+cS6JWnWy6O28PGHsFy0WqixmCZxTkAtufYZy4Evo+okzDhQ21gfkWfSdfhfmzgqo
+MEB7He0uDwhzTcIJlFICOOf1IbvwjEo2yyMqbu1hDTsSrZ23wbokMoMDo2Om41y2
+TxsSBbNo+P9jRgXKF3vHwtWKXqUCXwB8ouUYnj7R+aF08+ygHGTEinmYFBRPZjU0
+Z/pzyV92kY831wvycx42S19RGRKiTYISAgellpqZ/dH2iA3BBBwkHdU8T5y8HKC/
+seNkJLz57NVaB6UQbMAHfQ==

rsa_cm/message2.b64

@@ -0,0 +1,6 @@
+TTLtgZobIHxmP3Ywki0wogMRSv1/4E/8ts4ywkfZPr9HDu7BKhrAoIB29zj6qF4/
+ymS4rSi/K4/dSwO/nU/TgoNEvyHVploxTOjhA/N6zsutqVGrVnysR2AHZjrQ4fco
+AxfkTg4HfMnX1Y10RyhdhRPt88RDai54Z15g1X8Yh21qkaoB9LD4pY+Mf8spBnoB
+awUqKjsfcxIDqsMm1kKDlcjGZHd/javRQ9Y5fBfezT4TxAgKs5KM65ZD9FABAKc4
+dqSTg4l0nO7iWoOoiFMjm1dR9+SRuXIb9wqMtUxoM+9qea8IWg/IVqRJlQ+z+BZr
+//JhPZQfu2l52GwFnNtmxA==

rsa_cm/out.txt

@@ -0,0 +1,8 @@
+Protocole d'accès à la plate-forme d'aterrissage de Scarif.
+À l'approche du bouclier défensif, une fois votre vaisseau
+identifié, fournissez le code de déverrouillage.
+Identifiant : SW 0608
+Code déverrouillage : AZD567hju340Od
+.
+.
+<EFBFBD>|\<5C><><EFBFBD>퓛N<ED939B><4E><EFBFBD>T<EFBFBD>;<3B>{

rsa_cm/pk1.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzPtKIAxSBQXAyDp+uH3p
+wroOSTVSPr/K1I7MQYqXhd2bZ1Y1ZosYsRaKyKIRScoez4yoI0+9Li4yMh692tHV
+phInz0+FmocAqsQlUeozsdRt0mUJi20ujjwkRozesZY5J5RB+54oxX5uk9XRAFmf
+HdNqZO3lNvM5QZC9CjowDJu/Cs7khHoUPDX1SeKKYd7iv70DYwDG/NYtBf+gaxY6
+gaFdTmduFMN3wOnxnaRrl5f8tyNTHMHpRWPti1Q/N+CNIbM7NySb3IJMMKj+hj/N
+xhk+lGizdIG469OZqICuDkSLBwxxaj9gb26uVv4/W7HLv9oXR1wwAB210rKSoQBz
+5wIDAQAB
+-----END PUBLIC KEY-----

rsa_cm/pk2.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzPtKIAxSBQXAyDp+uH3p
+wroOSTVSPr/K1I7MQYqXhd2bZ1Y1ZosYsRaKyKIRScoez4yoI0+9Li4yMh692tHV
+phInz0+FmocAqsQlUeozsdRt0mUJi20ujjwkRozesZY5J5RB+54oxX5uk9XRAFmf
+HdNqZO3lNvM5QZC9CjowDJu/Cs7khHoUPDX1SeKKYd7iv70DYwDG/NYtBf+gaxY6
+gaFdTmduFMN3wOnxnaRrl5f8tyNTHMHpRWPti1Q/N+CNIbM7NySb3IJMMKj+hj/N
+xhk+lGizdIG469OZqICuDkSLBwxxaj9gb26uVv4/W7HLv9oXR1wwAB210rKSoQBz
+5wIDAT+Z
+-----END PUBLIC KEY-----

rsa_cm/rsa_cm.py

@@ -0,0 +1,125 @@
+#!/bin/env python3
+# -*- coding: utf-8 -*-
+
+__author__ = "HexPandaa"
+
+
+from Crypto.PublicKey import RSA
+from Crypto.Util.number import (
+  long_to_bytes,
+  bytes_to_long,
+  GCD
+)
+import gmpy2
+from base64 import b64decode
+
+import argparse
+import sys
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(description="A simple script to perform RSA common modulus attacks.",
+                                     epilog="More info at https://github.com/HexPandaa/RSA-Common-Modulus-Attack/")
+    parser.add_argument("-c1", type=argparse.FileType("r"), metavar="ciphertext1", required=True,
+                        help="The first ciphered message")
+    parser.add_argument("-c2", type=argparse.FileType("r"), metavar="ciphertext2", required=True,
+                        help="The second ciphered message")
+    parser.add_argument("-k1", type=argparse.FileType("rb"), metavar="pubkey1", required=True,
+                        help="The first public key")
+    parser.add_argument("-k2", type=argparse.FileType("rb"), metavar="pubkey2", required=True,
+                        help="The second public key")
+    parser.add_argument("-o", type=argparse.FileType("wb"), metavar="outfile", required=False,
+                        help="Output file")
+    args = parser.parse_args()
+    return args
+
+
+# Source: https://crypto.stackexchange.com/a/60404
+def bytes_to_integer(data):
+    output = 0
+    size = len(data)
+    for index in range(size):
+        output |= data[index] << (8 * (size - 1 - index))
+    return output
+
+
+def integer_to_bytes(integer, _bytes):
+    output = bytearray()
+    for byte in range(_bytes):
+        output.append((integer >> (8 * (_bytes - 1 - byte))) & 255)
+    return output
+
+
+# Source: https://github.com/ashutosh1206/Crypton/blob/master/RSA-encryption/Attack-Common-Modulus/exploit.py
+def egcd(a, b):
+    if (a == 0):
+        return (b, 0, 1)
+    else:
+        g, y, x = egcd(b % a, a)
+        return (g, x - (b // a) * y, y)
+
+
+# Calculates a^{b} mod n when b is negative
+def neg_pow(a, b, n):
+    assert b < 0
+    assert GCD(a, n) == 1
+    res = int(gmpy2.invert(a, n))
+    res = pow(res, b*(-1), n)
+    return res
+
+
+# e1 --> Public Key exponent used to encrypt message m and get ciphertext c1
+# e2 --> Public Key exponent used to encrypt message m and get ciphertext c2
+# n --> Modulus
+# The following attack works only when m^{GCD(e1, e2)} < n
+def common_modulus(e1, e2, n, c1, c2):
+    g, a, b = egcd(e1, e2)
+    if a < 0:
+        c1 = neg_pow(c1, a, n)
+    else:
+        c1 = pow(c1, a, n)
+    if b < 0:
+        c2 = neg_pow(c2, b, n)
+    else:
+        c2 = pow(c2, b, n)
+    ct = c1*c2 % n
+    m = int(gmpy2.iroot(ct, g)[0])
+    return m
+
+
+def main(args):
+    pubkey1 = RSA.import_key(args.k1.read())
+    pubkey2 = RSA.import_key(args.k2.read())
+    c1 = b64decode(args.c1.read())
+    c1 = bytes_to_long(c1)
+    c2 = b64decode(args.c2.read())
+    c2 = bytes_to_long(c2)
+
+    # We first check that the modulus N of both public keys are equal
+    if pubkey1.n != pubkey2.n:
+        sys.stderr.write("[ERROR] The modulus of both public keys must be the same\n")
+        sys.exit(1)
+    if GCD(pubkey1.e, pubkey2.e) != 1:
+        sys.stderr.write("[ERROR] The greatest common denominator between the exponent of each keys should be 1\n")
+        sys.exit(2)
+    deciphered_message = common_modulus(
+          pubkey1.e,
+          pubkey2.e,
+          pubkey1.n,
+          c1,
+          c2
+    )
+    deciphered_bytes = long_to_bytes(deciphered_message)
+
+    print("[+] Recovered message:")
+    print(deciphered_message)
+    print("[+] Recovered bytes:")
+    print(deciphered_bytes)
+
+    if args.o:
+        args.o.write(deciphered_bytes)
+
+
+if __name__ == '__main__':
+    args = parse_args()
+    main(args)