

Extra - Heartbleed PoC

Information Leak Attacks

Environment Setup

We are going to set up a minimal vulnerable environment to experiment with the exploit. We need a vulnerable OpenSSL version (1.0.1f, the last release before the Heartbleed fix) and a webserver linked against it. We also need to configure a basic website that just serves a static page over HTTPS.

Download Nginx & OpenSSL (nginx-1.6.0.tar.gz and openssl-1.0.1f.tar.gz, saved into ~/Downloads)

Compile Nginx & vulnerable OpenSSL

tar xvf ~/Downloads/openssl-1.0.1f.tar.gz
tar xvf ~/Downloads/nginx-1.6.0.tar.gz

If Perl 5.18.x is installed on your machine, you will have to apply a patch to the OpenSSL sources before the build goes through. Use the first command to find Perl's version, and skip to the next group of commands if it is older than 5.18.x.

perl -v
 
This is perl 5, version 18, subversion 2 (v5.18.2) built for x86_64-linux-gnu-thread-multi
(with 41 registered patches, see perl -V for more detail)
...

Download this patch: openssl-perl-5.18.x.patch.tar.gz

cd openssl-1.0.1f
tar xvf ~/Downloads/openssl-perl-5.18.x.patch.tar.gz
patch -p1 < openssl-perl-5.18.x.patch

Accept the default answer for any prompt that patch raises.

Continue from here if your Perl version is older than 5.18.x. Nginx is built from its own source tree and pointed at the unpacked OpenSSL tree, so the vulnerable library is compiled in statically rather than taken from the system:

cd nginx-1.6.0
mkdir ~/vuln
./configure --prefix=$HOME/vuln --with-openssl=../openssl-1.0.1f --with-http_ssl_module --without-http_rewrite_module
make
make install

You should be able to run the Nginx binary after this step:

~/nginx-1.6.0$ ~/vuln/sbin/nginx -V
nginx version: nginx/1.6.0
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1) 
TLS SNI support enabled
configure arguments: --prefix=/home/vladum/vuln --with-openssl=../openssl-1.0.1f --with-http_ssl_module --without-http_rewrite_module

Basic SSL website

Prepare a self-signed certificate:

sudo mkdir -p /etc/nginx/ssl
sudo openssl genrsa -des3 -out /etc/nginx/ssl/server.key 1024

Enter any passphrase; the commands below strip it from the key again so nginx can start without prompting.

sudo openssl req -new -key /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.csr
sudo cp /etc/nginx/ssl/server.key /etc/nginx/ssl/server.key.org
sudo openssl rsa -in /etc/nginx/ssl/server.key.org -out /etc/nginx/ssl/server.key
sudo openssl x509 -req -days 365 -in /etc/nginx/ssl/server.csr -signkey /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt

Replace ~/vuln/conf/nginx.conf with the following configuration:

worker_processes  1;
 
events {
    worker_connections  1024;
}
 
http {   
    server {
        listen 127.0.0.1:11443;
        server_name localhost;
 
        root /usr/share/nginx/www;
        index index.html;
 
        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key; 
    }
}

Create the document root used by the configuration above and a static HTML page (replace vladum with your own user name):

sudo mkdir -p /usr/share/nginx/www
sudo chown vladum: /usr/share/nginx/www
echo "Hello" > /usr/share/nginx/www/index.html

Start the server (the binary is ~/vuln/sbin/nginx; with the prefix above it reads ~/vuln/conf/nginx.conf by default). You should then see the page live at https://127.0.0.1:11443. Ignore the certificate warning, which is expected for a self-signed certificate.

Vulnerability

Exploit

session/extra/heartbleed-poc.1406789340.txt.gz · Last modified: 2014/07/31 09:49 by vladum