mod_ssl Remote Buffer Overflow
by Vince, in Blog
This will sound like a walkthrough for Kioptrix Level 1, but it didn't start off that way. While scanning a server, I saw the following in the scan output:
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
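That finding is a pure version check on the HTTP Server banner: anything advertising mod_ssl 2.8.7 or lower is flagged. The Python below is an added example, not code from the original post or from Nikto, showing how to do that check correctly from a banner string. It parses the version into integers so that a patched 2.8.12 is not mistaken for being older than 2.8.7, and it handles banners that carry no mod_ssl at all. The sample banners are constructed for the demo; the first is the Kioptrix banner quoted later in this post.

```python
import re

# Threshold from the Nikto finding quoted in the post: mod_ssl 2.8.7 and lower are affected.
LAST_VULNERABLE_MOD_SSL = (2, 8, 7)

# Constructed sample banners for the demo. The first is the Kioptrix banner from the post;
# the second has a patched mod_ssl with a two-digit patch level; the third has no mod_ssl.
SAMPLE_BANNERS = [
    "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",
    "Apache/2.4.41 (Ubuntu)",
]


def parse_version(text):
    """Turn a dotted version like '2.8.4' into a tuple of ints so it compares numerically."""
    return tuple(int(part) for part in text.split("."))


def mod_ssl_version(banner):
    """Return the mod_ssl version advertised in a Server banner as a tuple, or None if absent."""
    match = re.search(r"\bmod_ssl/(\d+(?:\.\d+)*)", banner)
    return parse_version(match.group(1)) if match else None


def is_vulnerable_mod_ssl(banner):
    """True when the banner advertises mod_ssl at or below 2.8.7; False if newer or absent."""
    version = mod_ssl_version(banner)
    return version is not None and version <= LAST_VULNERABLE_MOD_SSL


def report(banners):
    """Produce one Nikto-style finding line per banner that advertises a vulnerable mod_ssl."""
    findings = []
    for banner in banners:
        if is_vulnerable_mod_ssl(banner):
            version = ".".join(str(part) for part in mod_ssl_version(banner))
            findings.append(
                f"+ mod_ssl/{version} - mod_ssl 2.8.7 and lower are vulnerable "
                "to a remote buffer overflow which may allow a remote shell."
            )
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_BANNERS):
        print(line)
```

Two caveats a practitioner should keep in mind. First, a naive string comparison gets this wrong: "2.8.12" sorts before "2.8.7" as text, which is why the version is parsed into a tuple of integers. Second, the result is only as trustworthy as the banner: Apache's ServerTokens directive can hide the version, and an administrator can set any string they like, so a version match is a reason to try the exploit, not proof that the host is vulnerable.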
A web search for "mod_ssl exploit" returns 764.c on Exploit-DB as the first result. Out of the box, compiling it throws a pile of errors and warnings. Sometimes that noise means nothing, but in this case the build didn't produce a working exploit. I assumed this was down to the age of the code, and when I went searching I found a few articles on how to repair it so it compiles and runs on a modern toolchain.
The articles with fixes mentioned, or hinted at, one of the Kioptrix machines, which then seemed like a good test bed for this exploit.
These fixes are NOT original work. I found a couple of different articles, but THIS ARTICLE is the one that is solid as of today. A couple of the others were incomplete and didn't produce a workable exploit. That article is clear, but I thought some pictures with the original code commented out alongside the replacement might help. Each of the articles references line numbers ("line X", "line Y"), but the numbers didn't match the copy of the file I had. Hopefully this clears it up.
The edits are shown in the original post as screenshots of the source, with the original line commented out directly above its replacement. The first screenshot adds some includes; each of the following four swaps a single commented-out line for the line below it.
Now when we compile it, we get a clean build.
Using Kioptrix as my test, when I scanned it, I got the following from Nikto:
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
The exploit's target list is keyed by Red Hat release, but what I have is the Apache version.
Reading through the list, the Apache version noted beside each target lets me narrow my choices down to two targets.
Compiling the exploit and attempting to pop the second of the two Red Hat targets:
#root
It also worked quite well against the server I was originally working on.