Home page logo

metasploit logo Metasploit mailing list archives

SSL Class?
From: tyronmiller at gmail.com (Ty Miller)
Date: Mon, 12 Mar 2007 11:42:53 +1100

Thanks for the quick response mate. Will test it out.


-----Original Message-----
From: H D Moore [mailto:hdm at metasploit.com] 
Sent: Monday, 12 March 2007 11:26 AM
To: framework at metasploit.com
Subject: Re: [framework] SSL Class?

There isn't one really -- we support OpenSSL, but the API isn't really 
exploit-friendly when it comes to SSL implementation bugs. To trigger the 
cipher overflow, just create a request manually with all the ciphers 
inside and send it. The trouble I ran into when writing this exploit is 
that before the bug would trigger, you had to complete the SSL handshake. 
The best approach would be to MITM an existing SSL implementation and 
rewrite the hello packet to include the new cipher list. 


On Sunday 11 March 2007 19:19, Ty Miller wrote:
What Metasploit Class would I use to be able to mess around with the
SSL ciphers?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]