HeartBleed python test script


Problem description

I came across this Python script that tests the server for the HeartBleed vulnerability:

Would someone be able to explain the content of the "hello", what is being sent and how was this content constructed?

I am not trying to use this script maliciously. I was asked to test a Tomcat 7.0.2 server for the vulnerability: I verified that tcnative-1.dll does use openssl 1.0.1d, but a few of the standalone test tools that I tried testing the server with report that it is not vulnerable.

Recommended answer

hello and hb define bytestrings in a more readable fashion.

The h2bin(x) function does all the work:

def h2bin(x):
    # Python 2: strip the whitespace, then str.decode('hex') turns the hex text into a byte string
    return x.replace(' ', '').replace('\n', '').decode('hex')

so the string of hex digits has all whitespace removed, then is decoded from hex to bytes:

>>> '16 03 02 00 dc'.replace(' ', '')
'16030200dc'
>>> '16 03 02 00 dc'.replace(' ', '').decode('hex')
'\x16\x03\x02\x00\xdc'

It's just a compact way to specify a series of bytes using hexadecimal notation and extra whitespace.

The hex data itself is just a normal heartbeat protocol message, in raw bytes. The hello string contains a TLS 1.1 record message, identified by the first byte (16 hex, 22 decimal) as a handshake record, sending a client_hello (sixth byte is 01). This is just setting up a TLS session, telling the server what kind of ciphers the client supports. It doesn't really matter what's contained in this, other than that it tells the server the client supports the Heartbeat extension (a 00 0f byte pair at the end of the message).

It is the hb message that is the interesting one, really:

hb = h2bin(''' 
18 03 02 00 03
01 40 00
''')

18 is the heartbeat content type record, 03 02 identifies the TLS 1.1 protocol version. The 00 03 denotes how large the payload of the message is; 3 bytes, or all of the second line.

The 3 bytes of the message itself consist of the heartbeat type (01, or 'request'), and the message length (40 00, 16384 bytes), followed by no actual message. This causes a broken SSL server to send back a heartbeat response containing 16kb of memory; the non-existing 0-length request message is echoed plus the memory to make up the request length.
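As an added example (not part of the answer above or of the original script), here is a Python 3 parser for the heartbeat record layout the answer walks through, together with the receiver-side bounds check that RFC 6520 requires: the claimed payload_length plus the mandatory 16 bytes of padding must fit inside the record that actually arrived. A server that performs this check discards the script's hb message instead of echoing memory. The function and constant names are my own; HB_FROM_SCRIPT is the hb bytes quoted in the answer, and the "hi" request is a constructed well-formed message.

```python
import struct

HEARTBEAT_RECORD = 0x18   # TLS ContentType for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 0x01
MIN_PADDING = 16          # RFC 6520: a HeartbeatMessage carries >= 16 bytes of padding


def h2bin(x):
    """Python 3 equivalent of the script's helper: hex text -> bytes."""
    return bytes.fromhex(x.replace(' ', '').replace('\n', ''))


def parse_heartbeat_record(data):
    """Split one TLS record carrying a HeartbeatMessage into its fields.
    Returns the record header fields and the payload length the sender claims."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    content_type, major, minor, record_len = struct.unpack('!BBBH', data[:5])
    if content_type != HEARTBEAT_RECORD:
        raise ValueError("not a heartbeat record")
    body = data[5:5 + record_len]
    if len(body) != record_len or record_len < 3:
        raise ValueError("record body truncated")
    hb_type, payload_len = struct.unpack('!BH', body[:3])
    return {'version': (major, minor), 'record_len': record_len,
            'hb_type': hb_type, 'payload_len': payload_len}


def heartbeat_is_well_formed(data):
    """Receiver-side bounds check: type byte + length field + claimed payload +
    minimum padding must fit in the record received. RFC 6520 says a message
    whose payload_length is too large MUST be discarded silently; a
    Heartbleed-vulnerable server skipped this test and echoed its memory."""
    rec = parse_heartbeat_record(data)
    return 1 + 2 + rec['payload_len'] + MIN_PADDING <= rec['record_len']


def build_heartbeat_request(payload, padding=b'\x00' * MIN_PADDING):
    """Constructed well-formed request: the length field matches the payload."""
    body = struct.pack('!BH', HEARTBEAT_REQUEST, len(payload)) + payload + padding
    return struct.pack('!BBBH', HEARTBEAT_RECORD, 3, 2, len(body)) + body


# The hb message quoted in the answer: claims 16384 bytes, carries none.
HB_FROM_SCRIPT = h2bin('''
18 03 02 00 03
01 40 00
''')

if __name__ == '__main__':
    print(heartbeat_is_well_formed(HB_FROM_SCRIPT))                   # False
    print(heartbeat_is_well_formed(build_heartbeat_request(b'hi')))   # True
```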
