genuine_ blaquee

@blaquee
blaquee / README.md
Created April 22, 2014 01:58 — forked from ah8r/README.md

Cardiac Arrest

Hut3 Cardiac Arrest - A script to check OpenSSL servers for the Heartbleed bug (CVE-2014-0160).

Note: This code was originally a GitHub Gist but has been copied to a full GitHub Repository so issues can also be tracked. Both will be kept updated with the latest code revisions.

DISCLAIMER: There have been unconfirmed reports that this script can render HP iLO unresponsive. This script complies with the TLS specification, so responsiveness issues are likely the result of a bad implementation of TLS on the server side. CNS Hut3 and Adrian Hayter do not accept responsibility if this script crashes a server you test it against. USE IT AT YOUR OWN RISK. As always, the correct way to test for the vulnerability is to check the version of OpenSSL installed on the server in question. OpenSSL 1.0.1 through 1.0.1f are vulnerable.

This script has several advantages over similar scripts that have been re

00415000 > $ 90 nop
00415001 . 90 nop
00415002 . 68 B142B600 push 0B642B1
00415007 . 5B pop ebx
00415008 . 90 nop
00415009 . BA 20504100 mov edx, 00415020
0041500E . 90 nop
0041500F . 90 nop
00415010 . BF 98050000 mov edi, 598
00415015 . 90 nop
@blaquee
blaquee / pipes
Last active August 29, 2015 14:08
c pipes
int open_pipe(int *readpipe, int *writepipe)
{
int fdpipe[2]; // read, write
#if defined(WIN32) || defined(_WIN32)
int r = pipe( fdpipe, BUFFER_SIZE, O_BINARY );
#else
int r = pipe(fdpipe);
#endif
*readpipe = fdpipe[0];
*writepipe = fdpipe[1];

Keybase proof

I hereby claim:

  • I am blaquee on github.
  • I am g3nuin3 (https://keybase.io/g3nuin3) on keybase.
  • I have a public key whose fingerprint is ADB4 BE35 7968 3F89 1B47 610F 841E C906 2AB6 E77E

To claim this, I am signing this object:

#undef UNICODE
#include <Windows.h>
#pragma comment(linker, "/INCLUDE:__tls_used")
void NTAPI TlsCallBack(PVOID h, DWORD dwReason, PVOID pv);
#pragma data_seg(".CRT$XLB")
PIMAGE_TLS_CALLBACK p_thread_callback = TlsCallBack;
#pragma data_seg()
@blaquee
blaquee / piserver
Created January 16, 2015 03:13
cherrypi server
import web
from web.wsgiserver import CherryPyWSGIServer
CherryPyWSGIServer.ssl_certificate = "/ssl/server.crt"
CherryPyWSGIServer.ssl_private_key = "/ssl/server.key"
urls = ("/secrets/.*", 'secrets')
app = web.application(urls, globals())
class hello:
004013FE |. 890424 MOV DWORD PTR SS:[LOCAL.271],EAX ; /string => OFFSET LOCAL.264
00401401 |. E8 EE060000 CALL <JMP.&msvcrt.strlen> ; \MSVCRT.strlen
00401406 |. 83F8 06 CMP EAX,6
00401409 |. 74 64 JE SHORT 0040146F
.text:00401CC1 push 24h
.text:00401CC3 call sub_401980
.text:00401CC8 mov eax, dword_413D1C
.text:00401CCD mov ecx, [eax+90h]
.text:00401CD3 push ecx
.text:00401CD4 push esi
.text:00401CD5 call get_embedded_exe
.text:00401CDA add esp, 0Ch
.text:00401CDD test eax, eax
.text:00401CDF jz short loc_401CF6
@blaquee
blaquee / crackme.cpp
Created February 10, 2015 02:49
crackme1
#include <Windows.h>
#include <strsafe.h>
#include <Shlobj.h>
#include <string.h>
//the exported function
typedef void(__cdecl* display_message)(void);
//this can change
#define DLL_NAME L"\\display.dll"