Honestly, if you can find a broken implementation (or just write one; do the RSA "decrypt" of the signature block, and then just use a constant offset to get to the digest bytes), you should be able to knock it out just from the description I provided in like, 30 minutes.
Sorry to disapoint I did not do all the cryptopals :P filippo actually has a good blogpost on that attack IIRC.