Padding-oracle-attack

run method test.py iv value

Open ermerica opened this issue 4 years ago • 4 comments

Did you mean to not set the value of iv when calling call_oracle on line 146? When I run test.py, the oracle appears to work, but when I run test.py using data that I encrypted with a different program, your oracle does not work.

When I started tracing your app, the call of

error = call_oracle(up_cipher, iv)

on line 146 of the run method, iv is never set within the run method. Therefore, at least in my instance, it was using the value of iv returned on line 251 in test.py

cipher, iv = encrypt(bytearray(args.message, "UTF-8"), b"1234567812345678")

Given that the encrypt and decrypt commands use the same key that is hardcoded, if you pass the same iv that was used to encrypt in the first place since it was never defined, the resulting call to decrypt from call_oracle ends up just passing the original iv and key, which should always result in a correct decryption, right?

ermerica, Jun 21 '21 16:06

Hello, the value of the IV is set to 1234567812345678; you can print the code and you will see the value of the iv :)

mpgn, Jun 21 '21 18:06

So, if you encrypt a string with another application and run it through your oracle, it works? The only way I can make your oracle work is if I encrypt the string in your application before I pass it to the oracle. It doesn't seem much of an oracle if I can only encrypt within the application.

If I pass an already encrypted string, the application will not decrypt it.

Through several modifications, I have your application working with a string encrypted from another application.

ermerica, Jun 21 '21 19:06

This is a test file; what you want to use is the exploit file.

mpgn, Jun 21 '21 20:06

I don't follow. What good is the exploit file? All that does is add in an HTTP request/response that I have no use for. In any case, good luck to you.

ermerica, Jun 21 '21 21:06
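For readers following the question of which key and iv a local padding oracle depends on, here is an added example; it is not code from the repository or from either participant. It assumes a toy 16-byte Feistel cipher standing in for AES so that it runs without third-party libraries, and every function name, signature and sample value in it is hypothetical.

```python
import hashlib, hmac, os

BS = 16  # block size in bytes

def _f(key, i, half):
    # Feistel round function (toy stand-in for AES, assumption of this example)
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def _dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def encrypt(key, iv, msg):
    """CBC-encrypt msg with PKCS#7 padding; key and iv are explicit arguments."""
    pad = BS - len(msg) % BS
    msg += bytes([pad]) * pad
    out, prev = b"", iv
    for i in range(0, len(msg), BS):
        prev = _enc_block(key, _xor(msg[i:i + BS], prev))
        out += prev
    return out

def call_oracle(key, cipher, iv):
    """True if CBC decryption under key ends in valid PKCS#7 padding."""
    blocks = [iv] + [cipher[i:i + BS] for i in range(0, len(cipher), BS)]
    # Only the last block and the block before it decide padding validity.
    last = _xor(_dec_block(key, blocks[-1]), blocks[-2])
    n = last[-1]
    return 1 <= n <= BS and last.endswith(bytes([n]) * n)

def foreign_accept_count(key, trials=200):
    """Count ciphertexts made under other random keys that the oracle accepts."""
    hits = 0
    for _ in range(trials):
        other_key, iv = os.urandom(16), os.urandom(BS)  # constructed inputs
        hits += call_oracle(key, encrypt(other_key, iv, b"constructed sample message"), iv)
    return hits
```

With two or more ciphertext blocks the oracle's answer does not depend on the iv argument at all, while ciphertext produced under a different key is accepted only by chance, so a local oracle can only answer for data encrypted under the key it holds.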