OpenSSL CMS (Auth)EnvelopedData AEAD IV Stack Buffer Overflow
CVE-2025-15467 is a stack-based buffer overflow in OpenSSL CMS parsing affecting CMS AuthEnvelopedData and, per the updated advisory, CMS EnvelopedData when AEAD ciphers such as AES-GCM are used. During parsing of ASN.1-encoded AEAD parameters, the IV is copied into a fixed-size stack buffer without validating that the supplied IV length fits the destination. A malicious CMS/PKCS#7 message can therefore provide an oversized IV and trigger a stack out-of-bounds write before authentication or tag verification occurs. Because the overflow is reached prior to cryptographic authentication, valid key material is not required to trigger the vulnerable code path. The issue affects OpenSSL 3.0, 3.3, 3.4, 3.5, and 3.6; OpenSSL 1.1.1 and 1.0.2 are not affected. The OpenSSL FIPS modules for the affected branches are not affected because CMS is outside the FIPS module boundary.
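A defender-side pre-parse check for the condition described above, as an added example that is not code from OpenSSL, the advisory, or any repository listed on this page. It scans DER input for AES-GCM AlgorithmIdentifiers (RFC 5084 OIDs) and reports the declared nonce length, so a gateway can reject messages declaring more than 16 bytes before they reach a CMS parser; all function and constant names, and the sample builder, are assumptions of this example.

```python
# Added example: flag AES-GCM AlgorithmIdentifiers whose declared nonce exceeds 16 bytes.
AES_GCM_OIDS = {  # DER-encoded OID TLVs, RFC 5084
    bytes.fromhex("0609608648016503040106"): "aes128-GCM",
    bytes.fromhex("060960864801650304011a"): "aes192-GCM",
    bytes.fromhex("060960864801650304012e"): "aes256-GCM",
}
MAX_IV_LEN = 16  # size of the fixed stack buffer described on this page


def read_tlv_header(buf, pos):
    """Return (tag, length, value_offset) for the DER TLV at pos, or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:  # short-form length
        return tag, first, pos
    n = first & 0x7F  # long form: n length bytes follow
    if n == 0 or n > 4 or pos + n > len(buf):
        return None  # indefinite, oversized or truncated length field
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n


def find_gcm_nonces(der):
    """Return sorted (offset, cipher, declared_nonce_len) for each AES-GCM OID."""
    hits = []
    for oid, name in AES_GCM_OIDS.items():
        start = der.find(oid)
        while start != -1:
            params = read_tlv_header(der, start + len(oid))
            if params and params[0] == 0x30:  # GCMParameters SEQUENCE
                nonce = read_tlv_header(der, params[2])
                if nonce and nonce[0] == 0x04:  # aes-nonce OCTET STRING
                    hits.append((start, name, nonce[1]))
            start = der.find(oid, start + 1)
    return sorted(hits)


def is_suspicious(der):
    """True if any AES-GCM nonce declares more than MAX_IV_LEN bytes."""
    return any(length > MAX_IV_LEN for _, _, length in find_gcm_nonces(der))


def sample_alg_id(oid_tlv, nonce):
    """Constructed input: a bare AlgorithmIdentifier, not a full CMS message."""
    def tlv(tag, body):  # supports bodies shorter than 256 bytes
        n = len(body)
        return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body
    return tlv(0x30, oid_tlv + tlv(0x30, tlv(0x04, nonce) + b"\x02\x01\x10"))
```

This is a byte-pattern heuristic over DER: BER indefinite-length encodings are not decoded, so it complements upgrading OpenSSL rather than replacing it.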
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
The repository contains a single GitHub Actions workflow, .github/workflows/blank.yml, which serves as the entire exploit. It is not a traditional source repository but an automation script that builds and exercises a proof-of-concept for CVE-2025-15467 against OpenSSL 3.4.0.
Structure and purpose: the workflow has one job that (1) checks out the repository, (2) installs build dependencies, (3) downloads OpenSSL 3.4.0 from openssl.org, (4) compiles it locally with reduced exploit mitigations (-fno-stack-protector, disabled FORTIFY, -O0, execstack), (5) generates a self-signed certificate and a valid CMS encrypted template, (6) writes an inline Python script create_malicious.py that edits the DER-encoded CMS object to replace the expected GCM IV OCTET STRING with an oversized 168-byte field, and (7) invokes openssl cms -decrypt on the crafted exploit.cms to trigger a crash. Finally, it uploads the generated artifacts and logs.
Main exploit capability: denial-of-service via process crash. The exploit does not provide code execution, a shell, or post-exploitation features. Its goal is to reliably trigger a stack buffer overflow condition in CMS decryption handling and demonstrate the vulnerability through SIGSEGV or stack-smashing termination.
Attack surface: primarily local/file-based. The malformed input is a crafted CMS DER file consumed by the vulnerable OpenSSL binary. There is also a supply-chain style aspect because the exploit is packaged as CI automation that fetches and builds a specific vulnerable dependency version inside GitHub Actions.
Notable implementation details: the Python payload logic searches the CMS template for the GCM IV OCTET STRING marker (preferring byte pattern 0x04 0x10), then replaces the original 16-byte IV encoding with a longer ASN.1 OCTET STRING header and 168 bytes of 'A'. The workflow uses LD_LIBRARY_PATH to ensure the locally built vulnerable libraries are loaded when generating and decrypting CMS content.
Overall, this is an operational crash PoC embedded in CI rather than a standalone exploit program.
This repository is a small Python-based exploit lab for CVE-2025-15467. It contains two substantive files: cms_server.py, a Flask application simulating a vulnerable CMS/S/MIME decryption service, and exploit.py, the attacker script. README.md is minimal and only labels the repository.
The vulnerable service listens on port 8080 and exposes a simple web UI plus four API routes: /cert, /sample, /version, and /decrypt. Internally it shells out to /opt/openssl-vuln/bin/openssl with LD_LIBRARY_PATH set to /opt/openssl-vuln/lib64, using cms -decrypt against uploaded DER CMS content. The service returns plaintext on success, structured error output on parse/decrypt failure, and explicit crash metadata when the OpenSSL subprocess dies from a signal such as SIGSEGV. This makes it suitable as a lab target and also provides a direct crash oracle.
The exploit script is a standalone Python exploit, not part of a larger framework. Based on the visible code and embedded documentation, it implements a network attack against the HTTP decryption endpoint. The exploit chain is: fetch a valid CMS object from the target (/sample), modify the CMS/AuthEnvelopedData structure so the AEAD IV becomes oversized, and send the malicious CMS back to /decrypt. The script states the bug is a stack buffer overflow in evp_cipher_get_asn1_aead_params() where attacker-controlled IV data is copied into a fixed 16-byte stack buffer. It uses a hardcoded RIP offset of 56 bytes and a hardcoded jmp rsp gadget address (0x7ffff7ae841d) for a Linux/amd64 Ubuntu 22.04-style environment with ASLR disabled.
Exploit capabilities include: (1) crash mode for denial of service without needing code-reuse addresses, (2) RCE proof mode that executes amd64 shellcode to create /tmp/pwn and write marker content, and (3) reverse shell mode that generates callback shellcode to an attacker-supplied IP and port. The script can use pwntools for shellcode generation if installed, but also includes a manual fallback shellcode path for the file-creation payload. The exploit is therefore more than a PoC: it contains working payload logic, but it is still environment-specific due to hardcoded gadget assumptions and ASLR requirements.
Overall, the repository’s purpose is to demonstrate and test exploitation of a vulnerable OpenSSL CMS parsing path in a controlled lab setting. The server file provides the target surface and the exploit file automates both crash verification and code-execution attempts against that surface.
Repository purpose: a proof-of-concept/operational exploit for a claimed OpenSSL CMS AuthEnvelopedData AES-GCM IV parsing stack buffer overflow (CVE-2025-15467), resulting in code execution when a victim application decrypts/parses a malicious CMS/PKCS#7 (DER) object.
Structure (5 files):
- exploit.py (~22 KB): primary exploit generator. It takes a valid CMS file as a template and patches the AES-GCM IV (nonce) OCTET STRING to an oversized value that overflows a fixed 16-byte stack buffer in OpenSSL’s evp_cipher_get_asn1_aead_params(). The payload layout is padding to saved RIP (RIP_OFFSET=56), followed by a ROP chain that calls mprotect() on the stack page (RWX) and then transfers execution to stack-resident shellcode via a jmp/call rsp gadget. Embedded x86_64 shellcode performs execve("/bin/sh", NULL, NULL).
  - Supports two modes:
    - Auto mode (--auto): intended to discover runtime addresses (libc/libcrypto/stack) using GDB and optionally pwntools for gadget discovery (the provided content shows a truncated implementation, but the intent is clear from function names and README usage).
    - Manual mode: user supplies libcrypto base, libc base, and a stack address (RSP) to build absolute addresses for the ROP chain.
- setup.sh (~2.2 KB): builds and installs OpenSSL 3.4.0 into /opt/openssl-vuln with exploit-friendly flags (no stack protector, execstack, no PIE) and generates dummy.key/dummy.crt and a valid.cms template in /tmp.
- README.md / TECHNICAL.md: documentation and technical deep-dive, including the vulnerable code snippet, call chain (CMS_decrypt → … → evp_cipher_get_asn1_aead_params), stack layout, and example gadget offsets for specific library versions.
Exploit capabilities:
- Generates a malicious CMS DER file by modifying the AES-GCM IV field to exceed EVP_MAX_IV_LENGTH (16), triggering a stack overflow during CMS decryption/parsing.
- Achieves instruction pointer control and executes a ROP chain to bypass NX by calling mprotect() on the stack.
- Executes embedded x86_64 shellcode to spawn /bin/sh, yielding a shell in the context of the vulnerable process.
Attack surface/targets:
- Any application that processes untrusted CMS/S/MIME/PKCS#7 AuthEnvelopedData using vulnerable OpenSSL versions (claimed 3.0–3.6 pre-fix), especially when decrypting CMS with AES-GCM parameters.
Notable observables:
- No hardcoded C2 network infrastructure; the exploit is file-based (malicious CMS) and local execution is demonstrated via invoking the openssl cms -decrypt command.
- Fingerprintable paths and URLs include /opt/openssl-vuln, /proc/sys/kernel/randomize_va_space, /tmp/{dummy.key,dummy.crt,valid.cms}, and https://www.openssl.org/source/openssl-3.4.0.tar.gz.
Repository provides a network-triggerable DoS proof-of-concept for CVE-2025-15467 (OpenSSL CMS AuthEnvelopedData parsing stack buffer overflow in evp_cipher_get_asn1_aead_params()).
Structure/purpose:
- dos.py: Standalone Python exploit that constructs a DER-encoded CMS ContentInfo/AuthEnvelopedData object. It embeds AES-256-GCM GCMParameters with an oversized nonce/IV (default 512 bytes) intended to overflow a 16-byte stack buffer during OpenSSL’s AEAD parameter parsing. The script delivers the payload via raw TCP HTTP POST (Content-Type: application/cms) to a configurable endpoint (default /cms), then checks liveness via GET /health to confirm a crash.
- vulnerable_service/: A Dockerized intentionally vulnerable HTTP service to reproduce the issue.
  - cms_server.c: Minimal multithreaded HTTP server exposing GET /version, GET /health, and POST /cms. The /cms handler reads request body and calls d2i_CMS_bio() followed by CMS_decrypt(), which triggers the vulnerable code path when parsing AEAD parameters.
  - Dockerfile: Builds OpenSSL 3.0.14 from source and compiles cms_server with exploit-friendly flags (-fno-stack-protector, -z execstack, -no-pie). Exposes port 8080.
  - entrypoint.sh: Attempts to disable ASLR via /proc/sys/kernel/randomize_va_space (requires --privileged) and runs the server in an auto-restart loop to facilitate repeated crash testing.
Exploit capability:
- Primary: Remote denial-of-service (process crash) against services that parse CMS/PKCS#7 AuthEnvelopedData using vulnerable OpenSSL versions.
- The repo mentions potential RCE in theory, and the container reduces mitigations, but the provided exploit code itself is DoS-oriented and does not implement code execution primitives.
Recent activity
127 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A high-severity stack buffer overflow vulnerability in OpenSSL's CMS AuthEnvelopedData parsing, included in the January 2026 OpenSSL release.
A stack-based buffer overflow vulnerability in Cryptographic Message Syntax (CMS) affecting ABB AC500 V3 devices (firmware 3.9.0), as described in an ABB security advisory.
An OpenSSL example CVE referenced as part of the broader disclosure set, but not detailed in this content.
An OpenSSL vulnerability patched by upgrading to OpenSSL 3.6.1 in IPFire Core Update 200.