locked
Self-contained Visual Studio Project for Padding Oracle Exploit RRS feed

  • Question

  • User-1828574268 posted

    I had been holding my blog post regarding details of the padding oracle exploit for weeks.  The original researchers have not disclosed the Python source to their tool, but the exploit can be crafted from following the documents/papers available to the general public.

    I now see that a couple of public blogs have recently provided the details anyway.  Now that the patches are available on Windows Update, my yet another blog post should hopefully make developers understand the channels that were exploited.

    The zipped VS solution provides a sample web site and an exploit program in C#.  I used it against an unpatched .NET 4.0 system, but can easily be adapted to use against an earlier version of .NET (versions earlier than ASP.NET 3.5 would not have the ScriptResource handler though).

    http://peterwong.net/blog/?p=120


    Wednesday, October 13, 2010 4:55 PM

All replies