atilacamurca/haertblaad.py

## haertblaad.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-

if __name__ == '__main__':
    file = open("heartbleed.txt")
    lines = ""
    for line in file:
        aux = list(line)
        for i in range(len(aux)):
            if aux[i] == "a":
                aux[i] = "e"
            elif aux[i] == "e":
                aux[i] = "a"
            elif aux[i] == "A":
                aux[i] = "E"
            elif aux[i] == "E":
                aux[i] = "A"
            elif aux[i] == "f":
                aux[i] = "s"
            elif aux[i] == "s":
                aux[i] = "f"
            elif aux[i] == "F":
                aux[i] = "S"
            elif aux[i] == "S":
                aux[i] = "F"

        lines += "".join(aux)

    out = open("haertblaad.txt", 'w')
    out.write(bytes(lines))
    out.close()
    file.close()

## heartbleed.txt
The Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic
software library. This weakness allows stealing the information protected, under
normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS
provides communication security and privacy over the Internet for applications such
as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems
protected by the vulnerable versions of the OpenSSL software. This compromises the
secret keys used to identify the service providers and to encrypt the traffic, the
names and passwords of the users and the actual content. This allows attackers to
eavesdrop on communications, steal data directly from the services and users and
to impersonate services and users.

What leaks in practice?

We have tested some of our own services from attacker's perspective. We attacked
ourselves from outside, without leaving a trace. Without using any privileged
information or credentials we were able steal from ourselves the secret keys used
for our X.509 certificates, user names and passwords, instant messages, emails and
business critical documents and communication.

How to stop the leak?

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed
OpenSSL has been released and now it has to be deployed. Operating system vendors
and distribution, appliance vendors, independent software vendors have to adopt the
fix and notify their users. Service providers and users have to install the fix as
it becomes available for the operating systems, networked appliances and software
they use.
	#!/usr/bin/env python
	# -- coding: utf-8 --

	if __name__ == '__main__':
	file = open("heartbleed.txt")
	lines = ""
	for line in file:
	aux = list(line)
	for i in range(len(aux)):
	if aux[i] == "a":
	aux[i] = "e"
	elif aux[i] == "e":
	aux[i] = "a"
	elif aux[i] == "A":
	aux[i] = "E"
	elif aux[i] == "E":
	aux[i] = "A"
	elif aux[i] == "f":
	aux[i] = "s"
	elif aux[i] == "s":
	aux[i] = "f"
	elif aux[i] == "F":
	aux[i] = "S"
	elif aux[i] == "S":
	aux[i] = "F"

	lines += "".join(aux)

	out = open("haertblaad.txt", 'w')
	out.write(bytes(lines))
	out.close()
	file.close()
	The Heartbleed Bug

	The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic
	software library. This weakness allows stealing the information protected, under
	normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS
	provides communication security and privacy over the Internet for applications such
	as web, email, instant messaging (IM) and some virtual private networks (VPNs).

	The Heartbleed bug allows anyone on the Internet to read the memory of the systems
	protected by the vulnerable versions of the OpenSSL software. This compromises the
	secret keys used to identify the service providers and to encrypt the traffic, the
	names and passwords of the users and the actual content. This allows attackers to
	eavesdrop on communications, steal data directly from the services and users and
	to impersonate services and users.

	What leaks in practice?

	We have tested some of our own services from attacker's perspective. We attacked
	ourselves from outside, without leaving a trace. Without using any privileged
	information or credentials we were able steal from ourselves the secret keys used
	for our X.509 certificates, user names and passwords, instant messages, emails and
	business critical documents and communication.

	How to stop the leak?

	As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed
	OpenSSL has been released and now it has to be deployed. Operating system vendors
	and distribution, appliance vendors, independent software vendors have to adopt the
	fix and notify their users. Service providers and users have to install the fix as
	it becomes available for the operating systems, networked appliances and software
	they use.