Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2014-0160 PoC — OpenSSL 缓冲区错误漏洞

Source
https://github.com/titanous/heartbleeder
Associated Vulnerability
Title:OpenSSL 缓冲区错误漏洞 (CVE-2014-0160)
Description:The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Description
OpenSSL CVE-2014-0160 Heartbleed vulnerability test
Readme
# Heartbleeder

Tests your servers for OpenSSL
[CVE-2014-0160](https://www.openssl.org/news/secadv_20140407.txt) aka
[Heartbleed](http://heartbleed.com/).

**WARNING**: No guarantees are made about the accuracy of results, and you
should verify them independently by checking your OpenSSL build.

Pull requests welcome.

## Usage

```text
$ heartbleeder example.com
INSECURE - example.com:443 has the heartbeat extension enabled and is vulnerable
```

### Multiple hosts

Multiple hosts may be monitored by setting `-hostfile` flag to a file with
newline separated addresses. A web dashboard is available at
`http://localhost:5000` by default.

### Testing PostgreSQL

Postgres uses OpenSSL in a slightly different way. To test whether a Postgres
server is vulnerable, run the following (defaults to port 5432):

```text
$ heartbleeder -pg example.com
SECURE - example:5432 does not have the heartbeat extension enabled
```

### Installation

Binaries are available from
[gobuild.io](https://gobuild.io/download/github.com/titanous/heartbleeder).

Build from source by running `go get -u github.com/titanous/heartbleeder`, which
will put the code in `$GOPATH/src/github.com/titanous/heartbleeder` and a binary
at `$GOPATH/bin/heartbleeder`.

Requires Go version >= 1.2. On Ubuntu
[godeb](http://blog.labix.org/2013/06/15/in-flight-deb-packages-of-go) is an
easy way of getting the latest version of Go.

## Credits

The TLS implementation was borrowed from the Go standard library.
File Snapshot

 [4.0K]  /data/pocs/09196259622974002a51d09f17d63a6c569c0333
├── [3.9K]  heartbleeder.go
├── [1.6K]  LICENSE
├── [4.0K]  man
│   ├── [ 104]  heartbleeder.1.header
│   ├── [1.7K]  heartbleeder.txt
│   └── [ 142]  Makefile
├── [5.4K]  monitor.go
├── [1.4K]  README.md
└── [4.0K]  tls
    ├── [2.5K]  alert.go
    ├── [9.1K]  cipher_suites.go
    ├── [ 17K]  common.go
    ├── [ 29K]  conn.go
    ├── [5.3K]  conn_test.go
    ├── [2.2K]  example_test.go
    ├── [3.0K]  generate_cert.go
    ├── [ 16K]  handshake_client.go
    ├── [ 12K]  handshake_client_test.go
    ├── [ 28K]  handshake_messages.go
    ├── [6.1K]  handshake_messages_test.go
    ├── [ 18K]  handshake_server.go
    ├── [ 25K]  handshake_server_test.go
    ├── [4.2K]  handshake_test.go
    ├── [ 12K]  key_agreement.go
    ├── [8.2K]  prf.go
    ├── [4.9K]  prf_test.go
    ├── [4.0K]  testdata
    │   ├── [9.7K]  Client-TLSv10-ClientCert-ECDSA-ECDSA
    │   ├── [9.4K]  Client-TLSv10-ClientCert-ECDSA-RSA
    │   ├── [9.6K]  Client-TLSv10-ClientCert-RSA-ECDSA
    │   ├── [9.3K]  Client-TLSv10-ClientCert-RSA-RSA
    │   ├── [6.4K]  Client-TLSv10-ECDHE-ECDSA-AES
    │   ├── [7.2K]  Client-TLSv10-ECDHE-RSA-AES
    │   ├── [6.1K]  Client-TLSv10-RSA-RC4
    │   ├── [6.6K]  Client-TLSv11-ECDHE-ECDSA-AES
    │   ├── [7.4K]  Client-TLSv11-ECDHE-RSA-AES
    │   ├── [6.1K]  Client-TLSv11-RSA-RC4
    │   ├── [ 10K]  Client-TLSv12-ClientCert-ECDSA-ECDSA
    │   ├── [9.5K]  Client-TLSv12-ClientCert-ECDSA-RSA
    │   ├── [10.0K]  Client-TLSv12-ClientCert-RSA-ECDSA
    │   ├── [9.5K]  Client-TLSv12-ClientCert-RSA-RSA
    │   ├── [6.6K]  Client-TLSv12-ECDHE-ECDSA-AES
    │   ├── [6.2K]  Client-TLSv12-ECDHE-ECDSA-AES-GCM
    │   ├── [7.4K]  Client-TLSv12-ECDHE-RSA-AES
    │   ├── [6.1K]  Client-TLSv12-RSA-RC4
    │   ├── [6.2K]  Server-SSLv3-RSA-3DES
    │   ├── [6.2K]  Server-SSLv3-RSA-AES
    │   ├── [5.9K]  Server-SSLv3-RSA-RC4
    │   ├── [6.3K]  Server-TLSv10-ECDHE-ECDSA-AES
    │   ├── [5.9K]  Server-TLSv10-RSA-3DES
    │   ├── [6.1K]  Server-TLSv10-RSA-AES
    │   ├── [5.6K]  Server-TLSv10-RSA-RC4
    │   ├── [5.6K]  Server-TLSv11-RSA-RC4
    │   ├── [6.8K]  Server-TLSv12-CipherSuiteCertPreferenceECDSA
    │   ├── [7.6K]  Server-TLSv12-CipherSuiteCertPreferenceRSA
    │   ├── [9.2K]  Server-TLSv12-ClientAuthRequestedAndECDSAGiven
    │   ├── [9.1K]  Server-TLSv12-ClientAuthRequestedAndGiven
    │   ├── [6.0K]  Server-TLSv12-ClientAuthRequestedNotGiven
    │   ├── [6.6K]  Server-TLSv12-ECDHE-ECDSA-AES
    │   ├── [6.5K]  Server-TLSv12-IssueTicket
    │   ├── [2.6K]  Server-TLSv12-Resume
    │   ├── [6.2K]  Server-TLSv12-RSA-3DES
    │   ├── [6.5K]  Server-TLSv12-RSA-AES
    │   ├── [7.0K]  Server-TLSv12-RSA-AES-GCM
    │   ├── [5.9K]  Server-TLSv12-RSA-RC4
    │   └── [5.6K]  Server-TLSv12-SNI
    ├── [4.1K]  ticket.go
    ├── [7.5K]  tls.go
    └── [7.1K]  tls_test.go

3 directories, 66 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →