
ssl-heartbleed.nse

a guest
Apr 10th, 2014
-- Summary text for this NSE script: it names the bug being checked
-- (CVE-2014-0160) and credits the Python script the probe was ported from.
-- NOTE(review): the "[email protected]" below looks like the hosting page's e-mail
-- obfuscation rather than the author's text - restore it from the upstream copy.
description = [[
Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160).
The code is based on the Python script ssltest.py authored by Jared Stafford ([email protected])
]]
  5.  
  6. ---
  7. -- @usage
  8. -- nmap -p 443 --script ssl-heartbleed <target>
  9. --
  10. -- @output
  11. -- PORT STATE SERVICE
  12. -- 443/tcp open https
  13. -- | ssl-heartbleed:
  14. -- | VULNERABLE:
  15. -- | The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
  16. -- | State: VULNERABLE
  17. -- | Risk factor: High
  18. -- | Description:
  19. -- | OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
  20. -- |
  21. -- | References:
  22. -- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
  23. -- | http://www.openssl.org/news/secadv_20140407.txt
  24. -- |_ http://cvedetails.com/cve/2014-0160/
  25. --
  26. --
  27.  
  28. local bin = require('bin')
  29. local match = require('match')
  30. local nmap = require('nmap')
  31. local shortport = require('shortport')
  32. local sslcert = require('sslcert')
  33. local stdnse = require('stdnse')
  34. local string = require('string')
  35. local vulns = require('vulns')
  36.  
-- Script metadata globals.
-- NOTE(review): the address inside `author` reads "[email protected]", which looks
-- like the hosting page's e-mail obfuscation - restore it from the upstream copy.
author = "Patrik Karlsson <[email protected]>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- NOTE(review): "safe" is worth a second look. The probe sent by `action` makes
-- a vulnerable server return a block of its own process memory. The script only
-- measures the length of that reply and never stores or prints it, but the
-- bytes still cross the network in the clear-text heartbeat record.
categories = { "vuln", "safe" }
  40.  
  41. portrule = function(host, port)
  42. return shortport.ssl(host, port) or sslcert.isPortSupported(port)
  43. end
  44.  
  45. local function recvmsg(s)
  46. local status, hdr = s:receive_buf(match.numbytes(5), true)
  47. if not status then
  48. stdnse.print_debug(3, 'Unexpected EOF receiving record header - server closed connection')
  49. return
  50. end
  51. local pos, typ, ver, ln = bin.unpack('>CSS', hdr)
  52. local pay
  53. status, pay = s:receive_buf(match.numbytes(ln), true)
  54. if not status then
  55. stdnse.print_debug(3, 'Unexpected EOF receiving record payload - server closed connection')
  56. return
  57. end
  58. return true, typ, ver, pay
  59. end
  60.  
  61. action = function(host, port)
  62. local vuln_table = {
  63. title = "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.",
  64. state = vulns.STATE.NOT_VULN,
  65. risk_factor = "High",
  66. description = [[
  67. OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
  68. ]],
  69.  
  70. references = {
  71. 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160',
  72. 'http://www.openssl.org/news/secadv_20140407.txt ',
  73. 'http://cvedetails.com/cve/2014-0160/'
  74. }
  75. }
  76.  
  77. local hello = bin.pack('H', [[16 03 02 00 dc 01 00 00 d8 03 02 53
  78. 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
  79. bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
  80. 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
  81. 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
  82. c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
  83. c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
  84. c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
  85. c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
  86. 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
  87. 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
  88. 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
  89. 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
  90. 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
  91. 00 0f 00 01 01]])
  92.  
  93. local hb = bin.pack('H', '18 03 02 00 03 01 40 00')
  94.  
  95. local report = vulns.Report:new(SCRIPT_NAME, host, port)
  96. local s = nmap.new_socket()
  97. s:set_timeout(5000)
  98. s:connect(host, port, "tcp")
  99. s:send(hello)
  100.  
  101. while(true) do
  102. local status, typ, ver, pay = recvmsg(s)
  103. if not status then
  104. return report:make_output(vuln_table)
  105. end
  106. if ( typ == 22 and string.byte(pay,1) == 14 ) then break end
  107. end
  108.  
  109. s:send(hb)
  110. while(true) do
  111. local status, typ, ver, pay = recvmsg(s)
  112. if not status then
  113. stdnse.print_debug(3, 'No heartbeat response received, server likely not vulnerable')
  114. break
  115. end
  116. if typ == 24 then
  117. s:close()
  118. if #pay > 3 then
  119. vuln_table.state = vulns.STATE.VULN
  120. break
  121. else
  122. stdnse.print_debug(3, 'Server processed malformed heartbeat, but did not return any extra data.')
  123. break
  124. end
  125. elseif typ == 21 then
  126. stdnse.print_debug(3, 'Server returned error, likely not vulnerable')
  127. break
  128. end
  129. end
  130. return report:make_output(vuln_table)
  131. end