Skip to content

Ryo-Soikutsu/Heartbleed

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
dist
dist
 
 
service/heartbleed
service/heartbleed
 
 
solution
solution
 
 
src
src
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Heartbleed-POC

This repository aims to serve as a valid proof-of-concept for the Heartbleed CVE, as well as contain instructions for setting up your own Heartbleed challenge without using a pre-built Dockerfile.

How to build the lab

    1. Navigate to the source/service directory using cd service/heartbleed or cd src
    1. Build the Docker container with the following command: sudo docker build -t heartbleed .
    1. Run the Docker container with the following command: sudo docker run -dp 443:443 --name heartbleed heartbleed

How to exploit

A pre-built exploit script has already been prepared for you in the solution/ folder. The exploit script is based off Sensepost's Heartbleed exploit script (https://github.com/sensepost/heartbleed-poc), modified to work for this specific challenge. The values of the TLS version field in the Client Hello payload has been modified for this version of the exploit.

According to CTF participants' feedback, the Metasploit module(s) for Heartbleed will work as well. Unfortunately, I have not tried this out.

Explaning the patched binary

In my original testing of the Heartbleed CVE, the base OpenSSL binary wasn't consistent in dumping the contents of the memory, and would take too much time and resources to properly brute force the server's memory to obtain the secret keys, which would've led to the CTF infrastructure being unintentionally DDoS'd. As such, a modification has been made in the t1_lib.c script, where the original vulnerability was located.

At line 2586, the original memcpy code has been commented out, and instead replaced with a conditional loop that will insert the server key into the response body 10% of the time. This is intended to simulate the original non-deterministic nature of the Heartbleed CVE, while also ensuring that participants can still obtain the key reliably.

            if ((rand() % 10) == 0) {
		       FILE *kf = fopen("/usr/local/apache2/conf/ssl/server.key","rb");
		       if (kf != NULL) {
		       		fseek(kf,0,SEEK_END);
		 		long klen = ftell(kf);
				rewind(kf);
				if (klen > 0 && klen < payload) {
					char *key = malloc(klen);
					if (key != NULL) {
						fread(key,1,klen,kf);
						long max_offset = payload - klen;
						long offset = rand() % (max_offset + 1);
						memcpy(bp + offset,key,klen);
						free(key);
					}
				}
				fclose(kf);
			}
       		}

About

Demonstration of the Heartbleed CVE (CVE-2014-0160), including lab setup instructions and source code to build your own Heartbleed lab for educational purposes

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages