Imported Upstream version 0.1.1 Emanuele Acri (Kali Developer) 10 years ago
1 changed file(s) with 66 addition(s) and 0 deletion(s).
0 #!/usr/bin/perl
1
2 # hb_honeypot.pl -- a quick 'n dirty honeypot hack for Heartbleed
3 #
4 # This Perl script listens on TCP port 443 and responds with completely bogus
5 # SSL heartbeat responses, unless it detects the start of a byte pattern
6 # similar to that used in Jared Stafford's ([email protected]) demo for
7 # CVE-2014-0160 'Heartbleed'.
8 #
9 # Run as root for the privileged port. Outputs IPs of suspected heartbleed scan
10 # to the console. Rickrolls scanner in the hex dump.
11 #
12 # 8 April 2014
13 # http://www.glitchwrks.com/
14 # shouts to binrev
15
16 use strict;
17 use warnings;
18 use IO::Socket;
19
20 my $sock = new IO::Socket::INET (
21 LocalPort => '443',
22 Proto => 'tcp',
23 Listen => 1,
24 Reuse => 1,
25 );
26
27 die "Could not create socket!" unless $sock;
28
29 # The "done" bit of the handshake response
30 my $done = pack ("H*", '16030100010E');
31
32 # Your message here
33 my $taunt = "09809*)(*)(76&^%&(*&^7657332 Hi there! Your scan has been logged! Have no fear, this is for research only -- We're never gonna give you up, never gonna let you down!";
34 my $troll = pack ("H*", ('180301' . sprintf( "%04x", length($taunt))));
35
36 # main "barf responses into the socket" loop
37 while (my $client = $sock->accept()) {
38 $client->autoflush(1);
39
40 my $found = 0;
41
42 # read things that look like lines, puke nonsense heartbeat responses until
43 # a line that looks like it's from the PoC shows up
44 while (<$client>) {
45 my $line = unpack("H*", $_);
46
47 if ($line =~ /^0034.*/) {
48 print $client $done;
49 $found = 1;
50 } else {
51 print $client $troll;
52 print $client $taunt;
53 }
54
55 if ($found == 1) {
56 print $client $troll;
57 print $client $taunt;
58 print $client->peerhost . "\n";
59 $found = 0;
60 }
61 }
62 }
63
64 close($sock);
65
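Review bot: The accept loop at the end of the file serves one client at a time with a blocking, line-oriented read (`while (<$client>)`) and no timeout, so a single peer that connects and stays silent, or sends bytes without a newline, stalls the sensor and no later scan gets logged. The writes to `$client` are also unguarded: if the peer closes first, the default SIGPIPE action ends the process, which matters more because the header comment says to run it as root. I would ignore SIGPIPE, bound each connection with an alarm and close the client explicitly, as sketched below (the 10-second limit is an illustrative value). Separately, the log line prints only `peerhost`; adding a timestamp would make the output usable for correlation.

```perl
# … unchanged: socket setup, $done, $taunt, $troll …

# a scanner that hangs up mid-reply must not kill the sensor with SIGPIPE
$SIG{PIPE} = 'IGNORE';

while (my $client = $sock->accept()) {
    # … unchanged: autoflush, $found …

    # the accept loop is single-threaded, so cap how long one client may hold it
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm 10;
        # … unchanged: while (<$client>) read/match/reply loop …
        alarm 0;
    };
    alarm 0;
    close($client);
}
```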