CVE-2014-0160 PoC — OpenSSL 缓冲区错误漏洞

Source

https://github.com/artofscripting-zz/cmty-ssl-heartbleed-CVE-2014-0160-HTTP-HTTPS

Associated Vulnerability

Title:OpenSSL 缓冲区错误漏洞 (CVE-2014-0160)
Description:OpenSSL是OpenSSL团队开发的一个开源的能够实现安全套接层（SSL v2/v3）和安全传输层（TLS v1）协议的通用加密库，它支持多种加密算法，包括对称密码、哈希算法、安全散列算法等。 OpenSSL的TLS和DTLS实现过程中的d1_both.c和t1_lib.c文件中存在安全漏洞，该漏洞源于当处理Heartbeat Extension数据包时，缺少边界检查。远程攻击者可借助特制的数据包利用该漏洞读取服务器内存中的敏感信息(如用户名、密码、Cookie、私钥等)。以下版本的OpenSSL受到

Readme

## This check is for demostration only. 
# cmty-ssl-heartbleed-CVE-2014-0160-HTTP-HTTPS
Targets the OpenSSL product directly on discovered HTTP and HTTPS services. This does not check for OpenSSL 1.0.2-beta which is vulnerable. Also, OpenSSL is commonly packaged into other software and better targeted on any service responding using SSL. 

##### Note: This check is version checking and does not test the vulnerability directly. 

### Other Routes for detection. 
- discover and extract a list of ports and targets using SSL from `nmap -A -T4 --xml targets` 
Loop through target hosts with NMAP 6.3+ `nmap -sV -p targethostPorts --xml --script=ssl-heartbleed.nse targethost` 
- `masscan targethosts -p0-65535 --rate 100000 --heartbleed`
- bleed.py can be used `python3.exe bleed.py targethost -p targetport`

File Snapshot


 [4.0K]  /data/pocs/0bbc5f7b994beebb495b1157b900a1ccc4e669f4
├── [4.0K]  bleed.py
├── [ 319]  cmty-ssl-heartbleed-CVE-2014-0160-HTTP-HTTPS.vck
├── [1.8K]  cmty-ssl-heartbleed-CVE-2014-0160-HTTP-HTTPS.xml
├── [ 34K]  LICENSE
└── [ 812]  README.md

0 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!