Associated Vulnerability
Title: OpenSSL buffer error vulnerability (CVE-2014-0160)
Description: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Description
This is the Heartbleed bug (CVE-2014-0160) documentation I did for the Advanced Cyber Attacks course.
Readme
# Heartbleed Attack: Java-Based Attack Demo
## Overview
This repository features `Heartbleed.java`, a custom Java-based exploit designed to demonstrate the Heartbleed vulnerability (CVE-2014-0160) by extracting sensitive data from a vulnerable server (IP: 192.168.1.132) running Apache (port 443) and Postfix (port 465). The exploit sends malformed TLS heartbeat requests, leveraging the vulnerability in unpatched OpenSSL versions (1.0.1 to 1.0.1f) to leak up to 64KB of memory per request. Supporting Bash scripts (`apache_memload.sh` and `postfix_memload.sh`) flood the services’ memory with sensitive data, such as user credentials, mail server passwords, and SSL certificates, which the Java exploit then extracts.
This project is part of a comprehensive security demonstration documented in a detailed Word document, which outlines the attack methodology, results, and implications for both the Apache and Postfix services. The work involved crafting scripts to load memory, executing the exploit from a Windows client (IP: 192.168.1.99), and analyzing the leaked data to highlight the vulnerability's impact.
## About the Heartbleed Exploit
`Heartbleed.java` is the core of this demo, implementing a streamlined attack process:
- Establishes a connection to the target server and completes a TLS handshake.
- Sends malformed heartbeat requests via the `sendHeartbeats` method, which is central to the exploit.
- Captures and displays the server’s response, revealing sensitive data in ASCII format.
The `sendHeartbeats` method, a key component, orchestrates the attack by repeatedly sending crafted heartbeat messages to the server, exploiting the Heartbleed vulnerability to extract memory contents. This method’s role is detailed in the accompanying Word document, alongside a screenshot of its implementation.
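The bug the `sendHeartbeats` method relies on is a missing length check: pre-1.0.1g OpenSSL trusted the 16-bit payload length declared inside the heartbeat message and copied that many bytes out of the record buffer, regardless of how many bytes had actually arrived. The following C code is an added example (not code from this repository or from OpenSSL) that shows the defensive side: a heartbeat-body parser that applies the same bounds check the OpenSSL 1.0.1g fix added to `t1_lib.c` and `d1_both.c`, and a responder that only echoes bytes proven to lie inside the received record. The two sample records (`benign_req`, `heartbleed_req`) are constructed test data, and the function names are my own.

```c
/* Added example, not part of the HeartbleedAttack repository or of OpenSSL.
 * Demonstrates the bounds check that OpenSSL 1.0.1g added for heartbeat
 * messages. Sample records below are constructed test data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding a heartbeat message must carry (RFC 6520) */

/* Constructed sample: a well-formed request declaring a 3-byte payload "abc"
 * followed by 16 bytes of padding (22 bytes on the wire). */
static const unsigned char benign_req[] = {
    0x01, 0x00, 0x03, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed sample: the Heartbleed shape. Same 22 bytes on the wire, but the
 * length field claims 0xFFFF (65535) payload bytes. */
static const unsigned char heartbleed_req[] = {
    0x01, 0xFF, 0xFF, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Parse the heartbeat body `rec` (rec_len bytes actually received, i.e. what
 * OpenSSL sees as rrec.data / rrec.length).
 * Returns the declared payload length when the message is well formed, or -1
 * when the declared length does not fit inside the received record. That
 * rejected case is exactly the Heartbleed condition: vulnerable versions
 * skipped this check and memcpy'd `payload` bytes out of process memory. */
int heartbeat_check(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)          /* cannot even hold type + length + padding */
        return -1;
    unsigned char type = rec[0];
    if (type != HB_REQUEST && type != HB_RESPONSE)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* big-endian 16-bit length (n2s) */
    /* The 1.0.1g fix: type(1) + length(2) + payload + padding(16) must not
     * exceed the bytes actually present in the record. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    return (int)payload;
}

/* Build the heartbeat response for a validated request into `out`.
 * Only the `payload` bytes already proven to be inside `rec` are copied, so
 * no over-read is possible. Returns the response length, or -1 if the
 * request is malformed or `out` is too small. */
int heartbeat_respond(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_len)
{
    int payload = heartbeat_check(rec, rec_len);
    if (payload < 0)
        return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (need > out_len)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xFF);
    memcpy(out + 3, rec + 3, (size_t)payload);
    /* RFC 6520 says padding is random; zeros keep this example deterministic. */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)need;
}

int main(void)
{
    unsigned char out[64];
    printf("benign request: declared payload %d bytes\n",
           heartbeat_check(benign_req, sizeof benign_req));
    printf("oversized request: %d (rejected, would have over-read)\n",
           heartbeat_check(heartbleed_req, sizeof heartbleed_req));
    printf("response length for benign request: %d\n",
           heartbeat_respond(benign_req, sizeof benign_req, out, sizeof out));
    return 0;
}
```

The check is deliberately written against `rec_len`, the number of bytes the record layer actually delivered, rather than against any field inside the message; that is the whole difference between the vulnerable and patched code paths, and it is also the condition an IDS signature for Heartbleed probes tests for (declared heartbeat length larger than the enclosing TLS record).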
## Project Scope and Documentation
The full scope of this work includes:
- **Memory Flooding**: Developed `apache_memload.sh` to flood Apache’s memory with 50 `curl` requests, embedding sensitive data like SHA-512 password hashes via a PHP script (`memload.php`). Similarly, `postfix_memload.sh` sends 50 SMTP payloads to Postfix, embedding email credentials and passwords.
- **Exploit Execution**: Ran `Heartbleed.java` from a Windows client (IP: 192.168.1.99) to target Apache (port 443) and Postfix (port 465), successfully leaking data such as user credentials, passwords, and certificates.
- **Documentation**: Compiled a detailed Word document capturing the attack setup, execution, and results. It includes service verification (Apache and Postfix), attack descriptions, screenshots of script outputs and leaked data, an explanation of the `sendHeartbeats` method, and a conclusion with future mitigation strategies.
## Prerequisites
- **Server**:
  - Ubuntu Linux server (IP: 192.168.1.132) with:
    - Apache2 on port 443 (vulnerable OpenSSL 1.0.1c).
    - Postfix on port 465 (vulnerable OpenSSL 1.0.1c).
    - `memload.php` at `https://localhost/phpmyadmin/memload.php`.
- **Client**:
  - Windows client (IP: 192.168.1.99).
  - Java Development Kit (JDK): `sudo apt install openjdk-11-jdk`.
- **Network**:
  - The client must reach the server on ports 443 and 465.
## Installation
1. **Clone the Repository**:
   ```bash
   git clone https://github.com/Shayhha/HeartbleedAttack
   ```
2. **Compile the Exploit**:
   ```bash
   javac -d bin Heartbleed.java
   ```
## Usage
1. **Flood Server Memory** (on 192.168.1.132):
   - Apache:
     ```bash
     ~/Desktop/apache_memload.sh
     ```
   - Postfix:
     ```bash
     ~/Desktop/postfix_memload.sh
     ```
2. **Run the Exploit** (on 192.168.1.99):
   - For Apache (port 443), edit `Heartbleed.java` to set `SERVER_PORT = APACHE_PORT`, recompile, then run:
     ```bash
     javac -d bin Heartbleed.java
     java -cp bin Heartbleed
     ```
   - For Postfix (port 465), edit `Heartbleed.java` to set `SERVER_PORT = POSTFIX_PORT`, recompile, then run:
     ```bash
     javac -d bin Heartbleed.java
     java -cp bin Heartbleed
     ```
## Results
- **Apache**: Leaked user credentials, mail server passwords, SHA-512 password hashes, and SSL certificates.
- **Postfix**: Extracted email headers, shell commands, credentials, passwords, and SSL certificates.
## Ethical Use
This exploit is for educational purposes only. Do not use it to harm systems without explicit permission. Ensure compliance with legal and ethical standards.
## License
MIT License—see [LICENSE](LICENSE.txt) for details.
File Snapshot
[4.0K] /data/pocs/516ece384e0c4214c382ec6c2f7a1e1daca45a87
├── [4.0K] Bash Scripts
│ ├── [ 742] apache_memload.sh
│ ├── [ 648] memload.php
│ └── [ 742] postfix_memload.sh
├── [4.0K] bin
│ └── [6.0K] Heartbleed.class
├── [4.0K] Heartbleed Attack Demonstration
│ └── [ 210] Heartbleed Attack Demonstration Video.txt
├── [4.0K] Heartbleed Attack Demonstration Screenshots
│ ├── [4.0K] Attacks
│ │ ├── [4.0K] Apache
│ │ │ ├── [617K] Apache leaked HTTPS request and SSL certificate that was used for TLS connection.png
│ │ │ ├── [550K] Apache leaked mail users credentials, including their SHA-512 password hashes and the mail server's database tab.png
│ │ │ ├── [655K] Apache leaked MySQL users credentials, including their SHA-256 password hashes.png
│ │ │ └── [464K] Running apacche_memload.sh to load sensatvie data into Apache memory.png
│ │ └── [4.0K] Postfix
│ │ ├── [1.1M] Postfix leaked mail users information and SSL certificate that was used for TLS connection.png
│ │ ├── [218K] Postfix leaked shell commands used for sending email containing sensative data, including mail password.png
│ │ ├── [1.1M] Postfix leaked the email headers of messages sent via SMTPS, including the sender and recipient information.png
│ │ └── [407K] Running postfix_memload.sh to load sensative data into Postfix memory.png
│ ├── [4.0K] Database with mail users
│ │ ├── [821K] Showing local mail users in mailserver database with their hashes.png
│ │ ├── [1.4M] Showing the user table in mysql database with phpMyAdmin.png
│ │ ├── [829K] Showing the virtual users table in mailserver database with phpMyAdmin.png
│ │ └── [469K] Showing user’s mailbox with emails he received from shay.png
│ ├── [4.0K] OpenSSL
│ │ ├── [646K] Apache, MySQL and Postfix are using OpenSSL 1.0.1c.png
│ │ ├── [4.0K] Mechines Info
│ │ │ ├── [572K] Ubuntu Linux server running OpenSSL 1.0.1c with IP 192.168.1.132.png
│ │ │ └── [ 44K] Windows running Java Heartbleed exploit with IP 192.168.1.99.png
│ │ ├── [101K] Ubuntu Linux server is using OpenSSL 1.0.1c.png
│ │ ├── [929K] Verifying Apache is vulnerable using NMAP Heartbleed test (on Kali Linux machine).png
│ │ └── [913K] Verifying Postfix is vulnerable using NMAP Heartbleed test (on Kali Linux machine).png
│ ├── [4.0K] Postfix with Dovecot
│ │ ├── [1.2M] Reading email in user inbox via Dovecot with IMAP on port 993.png
│ │ └── [928K] Sending email from shay to user via Postfix with SMTPS on port 465.png
│ ├── [4.0K] Scripts
│ │ ├── [349K] Bash script apache_memload.sh for flooding Apache.png
│ │ ├── [548K] Bash script postfix_memload.sh for flooding Postfix.png
│ │ ├── [489K] PHP script memload.php.png
│ │ └── [ 87K] sendMessages method - Heartbleed.java.png
│ └── [4.0K] Sevices
│ ├── [1.3M] Apache service is running on port 443 (HTTPS).png
│ ├── [1.3M] Dovecot service is running on port 993 (IMAP).png
│ ├── [845K] MySQL service is running with phpMyAdmin.png
│ └── [763K] Postfix service is running on port 465 (SMTPS).png
├── [4.0K] Heartbleed Attack Documentation
│ ├── [ 14M] Heartbleed Attack Demonstration.docx
│ ├── [5.2M] Heartbleed Attack Demonstration (PDF).pdf
│ └── [621K] Heartbleed Attack Presentation.pptx
├── [1.0K] LICENSE.txt
├── [4.3K] README.md
└── [4.0K] src
└── [9.5K] Heartbleed.java
15 directories, 39 files