There is not much significant differences in exploits, just the speed, so you can use the same exploit as in worm sources. BUT...you have to figure out yourself those offsets. It varies from system to system.
Good luck! Mik- P.S.Pay attention to bit with .bugtraq.c - you need to prepare it before you test anything. You can see what you need in sources, and source of bugtraq you can find on packetstorm. On Wed, 25 Sep 2002, Schmehl, Paul L wrote: > Send me the exploit and I'll test it against the server. I've seen Slapper activity >in the logs, but I haven't seen any compromise. As of this writing (I just checked), >Red Hat only has opensssl 0.9.6b-28 available as an RPM on their update site (for Red >Hat 7.2.) > > There are two recent patches for openssl on Red Hat: > http://rhn.redhat.com/errata/RHSA-2002-155.html > http://rhn.redhat.com/errata/RHSA-2002-160.html > > 2002-155 is the one that is supposed to have fixed the problem that Slapper exploits >(a buffer overflow in the client key.) If it isn't fixed, Red Hat definitely needs >to know that ASAP. > > Since Slapper was discovered in the wild (9/18) I have been seeing these types of >entries in the logs: > [Sat Sep 21 04:02:36 2002] [notice] Apache/1.3.22 (Unix) (Red-Hat/Linux) >mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26 configured -- resuming >normal operations > [Sat Sep 21 05:21:51 2002] [error] mod_ssl: SSL handshake failed (server >www.obfuscated.com:443, client 2xx.2x.1xx.1xx) (OpenSSL library error follows) > > But there's no evidence of any failures, no .bugtraq.c on the server, no port 2002 >opened up for communications. No "complaints" from any of my defense systems. >Nothing to indicate the the worm got in. > > Paul Schmehl ([EMAIL PROTECTED]) > Project Coordinator > University of Texas at Dallas > http://www.utdallas.edu/~pauls/ > AVIEN Founding Member > > > -----Original Message----- > > From: Mikhail Iakovlev [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, September 25, 2002 7:04 PM > > To: Schmehl, Paul L > > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > > Subject: RE: [Full-Disclosure] The last word on the Linux Slapper worm > > > > > > > > Paul, are you absolutely sure about it? > > I have few systems that had 0.9.6b, and after playing with > > offsets for > > some time I managed to proof vulnerability. Of course it > > depends always on > > kernel versions/patches, and on modules which are included in apache > > server. Because of that addresses are changing. > > > > Like for example if I knew value of hex from objdump -R > > /path/to/your/httpd |grep free I am pretty sure that I could succeed. > > However, there are some cases when I tried it on exactly the > > same versions > > of kernel and apache servers and it DIDN'T work. So, answer > > lies somewhere > > else, not in openssl itself. > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
