Merge pull request #11 from DataDog/ossl_punycode_malicious_server

Ossl punycode malicious server

proof-of-concept-exploits/openssl-punycode-vulnerability/malicious_server/README.md

@@ -0,0 +1,41 @@
+Several scripts are available to ease the generation of server certificates so as to running client / server commands for testing purpose with gdb.
+
+# run.sh
+
+## run_server
+
+This command bootstraps the malicious server.
+
+```run.sh run_server```
+
+1. Fetch OpenSSL 3.0.7 source code, statically compile it with debug symbols. It also adds CFLAGS to generate expand files, useful to generate call graph.
+2. Build server certificate chains
+3. start server with openssl binary compiled at step1.
+
+## run_vuln_client
+
+This command bootstraps the vulnerable client.
+
+```run.sh run_vuln_client```
+
+1. Fetch OpenSSL 3.0.6 source code, statically compile it with debug symbols. It also adds CFLAGS to generate expand files, useful to generate call graph.
+2. start client gdb session with openssl binary compiled at step1. Gdb commands will:
+  * set a breakpoint on the vulnerable function
+
+## compile
+
+```run.sh compile openssl-3.0.6```
+
+Fetches OpenSSL source code based on provided version, statically compiles it with debug symbols. It also adds CFLAGS to generate expand files, useful to generate call graph.
+
+## build_server
+
+```run.sh build_server```
+
+Rebuilds the server certificate chains. Useful if you updated the server configuration and just want to use the new certs.
+
+## clean
+
+```run.sh clean clean_server```
+
+These commands will delete all files created at build step. You can clean globally by calling clean, or just for server with clean_server.

proof-of-concept-exploits/openssl-punycode-vulnerability/malicious_server/client/gdb_client.sh

@@ -1 +1 @@
-gdb ../openssl/apps/openssl -command=client.gdb
+gdb ../openssl-3.0.6/apps/openssl -command=client.gdb

proof-of-concept-exploits/openssl-punycode-vulnerability/malicious_server/client/run_client.sh

@@ -1 +1 @@
-../openssl/apps/openssl s_client -connect 127.0.0.1:3000 -state
+../openssl-3.0.6/apps/openssl s_client -connect 127.0.0.1:3000 -state

proof-of-concept-exploits/openssl-punycode-vulnerability/malicious_server/run.sh

@@ -1,15 +1,15 @@
 cwd=$PWD
 
 compile () {
-  if [ ! -f $cwd/openssl/apps/openssl ]; then
-    echo "[+] Compile debug mode version of OpenSSL 3.0.6"
-    wget https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.6.zip
-    unzip openssl-3.0.6.zip
-    mv openssl-openssl-3.0.6 openssl
-    cd openssl
+  if [ ! -f $cwd/$1/apps/openssl ]; then
+    echo "[+] Compile debug mode version of $1"
+    wget https://github.com/openssl/openssl/archive/refs/tags/$1.zip
+    unzip $1.zip
+    mv openssl-$1 $1
+    cd $1
     ./Configure no-tests -debug -static && sed -i 's/^CFLAGS=.*/CFLAGS=-Wall -Og -g3 -fno-inline-functions -fdump-rtl-expand/' Makefile && make clean && make -j`nproc`
   else
-    echo "[+] OpenSSL 3.0.6 already compiled: SKIP"
+    echo "[+] $1 already compiled: SKIP"
   fi
 }
 
@@ -29,23 +29,21 @@ clean () {
 }
 
 run_server () {
-  compile
+  compile openssl-3.0.7
   build_server
   cd $cwd/server
   ./run_server.sh
 }
 
 run_vuln_client () {
-  compile
+  compile openssl-3.0.6
   cd $cwd/client
   ./gdb_client.sh
 }
 
 if (test $# -eq 1); then
   if (test $1 = "clean"); then
     clean
-  elif (test $1 = "compile"); then
-    compile
   elif (test $1 = "build_server"); then
     build_server
   elif (test $1 = "clean_server"); then
@@ -55,4 +53,6 @@ if (test $# -eq 1); then
   elif (test $1 = "run_server"); then
     run_server
   fi
+elif ((test $# -eq 2) && (test $1 = "compile")); then
+    compile $2
 fi

proof-of-concept-exploits/openssl-punycode-vulnerability/malicious_server/server/run_server.sh

@@ -1 +1 @@
-../openssl/apps/openssl s_server -accept 127.0.0.1:3000 -CAfile certs/cacert.pem -cert certs/trusted.pem -key certs/server.key.pem -state
+../openssl-3.0.7/apps/openssl s_server -accept 127.0.0.1:3000 -CAfile certs/cacert.pem -cert certs/trusted.pem -key certs/server.key.pem -state