Title: OpenSSL exploit question
Posted by: Littl3 on 5 July 2010, 19:59
Hi, I have a lot of questions about the exploit scene. From what I've been able to read so far, exploits usually come with a "how to use..." Well... that's a LIE xD. I only program in VB, PHP and some JS, but at this level I get lost. Am I supposed to compile this exploit in C, for example with Dev C++, and then run it? Voilà? Site defaced? I don't really get it... Regards.

=============================================================
OpenSSL < 0.9.8l and previous versions Multiple Vulnerability
=============================================================
Security Risk: High
Remote Exploit: Yes
Local Exploit: No
Victim interaction required: No
Exploit Available: Yes
Credit: Bodo Moeller
Published: 09.03.2010
Affected Software: openssl:openssl:0.9.8l and previous versions, openssl:openssl:0.9.8k, openssl:openssl:0.9.8j, openssl:openssl:0.9.8i, openssl:openssl:0.9.8h, openssl:openssl:0.9.8g, openssl:openssl:0.9.8f, openssl:openssl:0.9.8e, openssl:openssl:0.9.8d, openssl:openssl:0.9.8c, openssl:openssl:0.9.8b, openssl:openssl:0.9.8a, openssl:openssl:0.9.8
OpenSSL CVS Repository http://cvs.openssl.org/
____________________________________________________________________________
Server: cvs.openssl.org
Name: Bodo Moeller
Root: /v/openssl/cvs
Email: bodo@openssl.org
Module: openssl
Date: 23-Feb-2010 11:36:41
Branch: OpenSSL_0_9_8-stable
Handle: 2010022310363902

Modified files: (Branch: OpenSSL_0_9_8-stable)
openssl CHANGES
openssl/crypto/bn bn_div.c bn_gf2m.c
openssl/crypto/ec ec2_smpl.c
openssl/engines e_ubsec.c
Log: Always check bn_wexpend() return values for failure (CVE-2009-3245).
(The CHANGES entry covers the change from PR #2111 as well, submitted by Martin Olsson.)
Submitted by: Neel Mehta
Summary:
Revision       Changes   Path
1.1238.2.189   +3 -0     openssl/CHANGES
1.37.2.9       +1 -1     openssl/crypto/bn/bn_div.c
1.18.2.3       +2 -1     openssl/crypto/bn/bn_gf2m.c
1.14.2.2       +6 -4     openssl/crypto/ec/ec2_smpl.c
1.13.2.4       +2 -2     openssl/engines/e_ubsec.c
____________________________________________________________________________
patch -p0 <<'@@ .' Index: openssl/CHANGES
=========================================================================== = $ cvs diff -u -r1.1238.2.188 -r1.1238.2.189 CHANGES --- openssl/CHANGES 19 Feb 2010 18:25:37 -0000 1.1238.2.188 +++ openssl/CHANGES 23 Feb 2010 10:36:39 -0000 1.1238.2.189 @@ -4,6 +4,9 @@
Changes between 0.9.8l and 0.9.8m [xx XXX xxxx]
+ *) Always check bn_wexpend() return values for failure. (CVE-2009-3245) + [Martin Olsson, Neel Mehta] + *) Fix X509_STORE locking: Every 'objs' access requires a lock (to accommodate for stack sorting, always a write lock!). [Bodo Moeller] @@ . patch -p0 <<'@@ .' Index: openssl/crypto/bn/bn_div.c
=========================================================================== = $ cvs diff -u -r1.37.2.8 -r1.37.2.9 bn_div.c --- openssl/crypto/bn/bn_div.c 17 Jun 2009 11:26:39 -0000 1.37.2.8 +++ openssl/crypto/bn/bn_div.c 23 Feb 2010 10:36:41 -0000 1.37.2.9 @@ -102,7 +102,7 @@ /* The next 2 are needed so we can do a dv->d<A NAME="-0"></A>[0]|=1 later * since BN_lshift1 will only work once there is a value :-) */ BN_zero(dv); - bn_wexpand(dv,1); + if(bn_wexpand(dv,1) == NULL) goto end; dv->top=1;
if (!BN_lshift(D,D,nm-nd)) goto end; @@ . patch -p0 <<'@@ .' Index: openssl/crypto/bn/bn_gf2m.c
=========================================================================== = $ cvs diff -u -r1.18.2.2 -r1.18.2.3 bn_gf2m.c --- openssl/crypto/bn/bn_gf2m.c 23 Jun 2008 20:46:28 -0000 1.18.2.2 +++ openssl/crypto/bn/bn_gf2m.c 23 Feb 2010 10:36:41 -0000 1.18.2.3 @@ -294,7 +294,8 @@ if (a->top < b->top) { at = b; bt = a; } else { at = a; bt = b; }
- bn_wexpand(r, at->top); + if(bn_wexpand(r, at->top) == NULL) + return 0;
for (i = 0; i < bt->top; i++) { @@ . patch -p0 <<'@@ .' Index: openssl/crypto/ec/ec2_smpl.c
=========================================================================== = $ cvs diff -u -r1.14.2.1 -r1.14.2.2 ec2_smpl.c --- openssl/crypto/ec/ec2_smpl.c 13 Mar 2006 23:12:07 -0000 1.14.2.1 +++ openssl/crypto/ec/ec2_smpl.c 23 Feb 2010 10:36:41 -0000 1.14.2.2 @@ -174,8 +174,10 @@ dest->poly<A NAME="-2"></A>[2] = src->poly[2]; dest->poly<A NAME="-3"></A>[3] = src->poly[3]; dest->poly<A NAME="-4"></A>[4] = src->poly[4]; - bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2); - bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2); + if(bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) + return 0; + if(bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) + return 0; for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0; for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0; return 1; @@ -199,12 +201,12 @@
/* group->a */ if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err; - bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2); + if(bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err; for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0;
/* group->b */ if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err; - bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2); + if(bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err; for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0;
ret = 1; @@ . patch -p0 <<'@@ .' Index: openssl/engines/e_ubsec.c
=========================================================================== = $ cvs diff -u -r1.13.2.3 -r1.13.2.4 e_ubsec.c --- openssl/engines/e_ubsec.c 6 Sep 2007 12:43:53 -0000 1.13.2.3 +++ openssl/engines/e_ubsec.c 23 Feb 2010 10:36:41 -0000 1.13.2.4 @@ -934,7 +934,7 @@ priv_key = BN_new(); if (priv_key == NULL) goto err; priv_key_len = BN_num_bits(dh->p); - bn_wexpand(priv_key, dh->p->top); + if(bn_wexpand(priv_key, dh->p->top) == NULL) goto err; do if (!BN_rand_range(priv_key, dh->p)) goto err; while (BN_is_zero(priv_key)); @@ -949,7 +949,7 @@ { pub_key = BN_new(); pub_key_len = BN_num_bits(dh->p); - bn_wexpand(pub_key, dh->p->top); + if(bn_wexpand(pub_key, dh->p->top) == NULL) goto err; if(pub_key == NULL) goto err; } else @@ .
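Review bot: in the second e_ubsec.c hunk (@@ -949,7 +949,7 @@) the new `if(bn_wexpand(pub_key, dh->p->top) == NULL) goto err;` runs before the existing `if(pub_key == NULL) goto err;`, so a failed BN_new() still reaches bn_wexpand() with a NULL pub_key and dereferences it. Move the NULL check up so it directly follows `pub_key = BN_new();`, as the priv_key path in the previous hunk already does.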
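Review bot: in the ec2_smpl.c hunks the word count `(int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2` is now repeated four times on lines that run long; computing it once into a local before the two bn_wexpand() calls in each function would keep the new checks readable and avoid a later edit touching only one copy.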
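The defect the patch above fixes is a grow-buffer call whose return value was ignored, so an allocation failure left the caller writing past the old allocation. The following is an added illustration, not OpenSSL code: `WordBuf`, `wexpand()` and the two `set_word_*` functions are hypothetical stand-ins with the same contract as `bn_wexpand()` (buffer on success, NULL on failure), and `fail_next_alloc` is a hook that simulates one failed allocation.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for OpenSSL's BIGNUM word array (not OpenSSL code):
 * d holds the words, top is how many are in use, dmax is the allocated count. */
typedef struct { unsigned long *d; int top; int dmax; } WordBuf;

/* Allocation hook so a test can inject one failure, as a real OOM would. */
static int fail_next_alloc = 0;
static void *buf_alloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(n, 1);
}

/* Same contract as bn_wexpand(): grow to at least `words` words, return the
 * buffer on success and NULL on failure; on failure d and dmax are untouched. */
WordBuf *wexpand(WordBuf *b, int words)
{
    unsigned long *nd;
    if (words <= b->dmax) return b;
    nd = buf_alloc((size_t)words * sizeof *nd);
    if (nd == NULL) return NULL;
    if (b->top > 0) memcpy(nd, b->d, (size_t)b->top * sizeof *nd);
    free(b->d);
    b->d = nd;
    b->dmax = words;
    return b;
}

/* Pre-patch shape (the CVE-2009-3245 pattern): the return value is ignored,
 * so when growth fails the write below lands past the real dmax. */
int set_word_unchecked(WordBuf *b, int idx, unsigned long v)
{
    wexpand(b, idx + 1);
    b->d[idx] = v;              /* out of bounds if wexpand() returned NULL */
    if (b->top < idx + 1) b->top = idx + 1;
    return 1;
}

/* Post-patch shape: fail closed, as the diff does with goto err / return 0. */
int set_word_checked(WordBuf *b, int idx, unsigned long v)
{
    if (wexpand(b, idx + 1) == NULL) return 0;
    b->d[idx] = v;
    if (b->top < idx + 1) b->top = idx + 1;
    return 1;
}
```

With the failure hook armed, the checked variant returns 0 and leaves the buffer consistent, while the unchecked variant would write through a stale or NULL pointer, which is why the patch adds a check at every call site.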
Title: Re: OpenSSL exploit question
Posted by: n3w on 10 July 2010, 12:58
Well, in theory that's how it works: an exploit is a piece of code that, once executed, exploits a vulnerability in a specific program or service, so by compiling and running the exploit you wouldn't be doing anything other than interacting with that program from another program (the exploit itself) until you get it to do something that wasn't among its intended features. I don't understand what your question is, but I'll point you to a tutorial which, even though it's in English, really made things very, very clear to me about exploit development. Well, a series of 10 tutorials.
http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/