In short, Yes.
A list of POCs are provided below. If we’re missing anything let us know via Twitter @bugcrowd, and we’ll add it to the list and credit you for helping out.
Last update: 30 April 2014 6:07 PDT
Unless you spent yesterday and this morning under a rock, you’ll have heard about Heartbleed (CVE-2014-0160), a very serious vulnerability in OpenSSL that was disclosed yesterday.
OpenSSL is the open-source library that provides SSL/TLS (the “S” in HTTPS) for a huge share of Internet-connected systems; by some estimates around two-thirds of active web servers run on it. The bug is a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension: an attacker sends a heartbeat request that claims a payload of up to 64 KB while actually sending almost nothing, and the server copies that many bytes of its own process memory into the reply. The request can be repeated as often as the attacker likes and leaves nothing in the server’s logs. The important thing to remember is that memory is where an attacker is most likely to find decrypted data, such as session cookies, passwords and the server’s private key.
After a vulnerability like this is disclosed there is usually a short period before an exploit (a piece of software that uses the vulnerability to do something, such as dump memory; the first public one is usually called a proof of concept, or POC) is released. So, after all the attention Heartbleed received yesterday, the questions on many people’s minds are: how long until an exploit is released, what tools can I use to test whether I’m vulnerable, and when will we see wide-scale exploitation in the wild?
The answer: it’s out there in the wild right now, and the first POCs were released within hours of the vulnerability notice going public.
A list of Heartbleed exploit POCs and test tools is provided below.
Note: running code from the internet, especially exploit POC code, is a really bad idea unless you know what you are doing and have permission to test the target. This list is provided without warranty and for information only. Don’t be evil.
- http://filippo.io/Heartbleed/ (An online test for exposure to Heartbleed) and https://github.com/FiloSottile/Heartbleed (The code @filippo says is running on the site)
- http://pastebin.com/WmxzjkXJ (ssltest.py)
- https://www.ssllabs.com/ssltest/index.html (An online test for exposure to Heartbleed)
- https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb (Metasploit module)
- https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse (Nmap NSE script)
- https://gist.github.com/bonsaiviking/10402038 (Guide for using Nmap script)
- https://github.com/titanous/heartbleeder?files=1 (POC in Go)
- https://gist.github.com/rcvalle/10223042 (A C version from @rcvalle)
- https://bitbucket.org/fb1h2s/cve-2014-0160/src (Scanner in python) and http://www.garage4hackers.com/entry.php?b=2551 (Writeup)
- https://gist.github.com/RealRancor/10140249 (OpenVAS NASL script)
- https://www.nth-dimension.org.uk/pub/s_client-vs-cve-2014-0160.diff.txt (Patch which allows exploitation using the OpenSSL client)
- https://gist.github.com/anantshri/10238615 (Modified for readability)
- http://1337day.com/exploit/22114 (Exploit POC)
- https://play.google.com/store/apps/details?id=com.bblabs.heartbleedscanner (Mobile test for exposure)
- https://github.com/HackerFantastic/Public/blob/master/exploits/heartbleed.c (Exploit POC)
- https://github.com/sensepost/heartbleed-poc (Exploit POC)
- https://gist.github.com/eelsivart/10174134 (Improved on ssltest.py)
- http://www.tenable.com/plugins/index.php?view=single&id=73404 (Official Tenable NASL plugin)
- https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic (Chrome plugin using test by Filippo Valsorda)
- https://nextsuite.websecurify.com/apps/heartbleed/ (Test multiple targets)
- https://lastpass.com/heartbleed/ (Test for exposure with added features for lastpass users)
- https://play.google.com/store/apps/details?id=com.lookout.heartbleeddetector (Mobile detector)
- https://github.com/zerquix18/heartbleed (POC translated to PHP)
- https://testssl.sh/ (Testing TLS/SSL encryption)
- http://www.sysvalue.com/heartbleed-cupid-wireless/ (“Cupid” Linux/Android wireless exploit)
Thanks to these contributors for updates:
If we’re missing anything, or you’d think any of the information needs to be changed, please tweet us @bugcrowd and we’ll credit you on this post as a contributor.