Closed jetz closed 8 years ago
Thanks @jetz. Could you share with us how to reproduce the issue?
Here is a third-party heartbleed.py; download it and do as follows:
@jetz http here (Heartbleed is for https)?
~ uname -a
Darwin demo.local 15.5.0 Darwin Kernel Version 15.5.0: Tue Apr 19 18:36:36 PDT 2016; root:xnu-3248.50.21~8/RELEASE_X86_64 x86_64
ks-pocsuite $ ./pocsuite.py -u http://www.mi.com -r /tmp/pocs/heartbleed.py --verify
,--. ,--.
,---. ,---. ,---.,---.,--.,--`--,-' '-.,---. {1.2.7-71242cd}
| .-. | .-. | .--( .-'| || ,--'-. .-| .-. :
| '-' ' '-' \ `--.-' `' '' | | | | \ --.
| |-' `---' `---`----' `----'`--' `--' `----'
`--' http://seebug.org
[!] legal disclaimer: Usage of pocsuite for attacking targets without prior mutual consent is illegal.
[*] starting at 22:15:33
[22:15:33] [*] checking heartbleed
[22:15:33] [*] poc:'heartbleed' target:'http://www.mi.com'
[22:15:33] [-] need more than 1 value to unpack
[22:15:33] [-] poc-1219 'Openssl 1.0.1 内存读取 信息泄露漏洞' failed.
+-------------------+------------+--------+-----------+---------------------------------------+--------+
| target-url | poc-name | poc-id | component | version | status |
+-------------------+------------+--------+-----------+---------------------------------------+--------+
| http://www.mi.com | heartbleed | 1219 | OpenSSL | 1.0.1~1.0.1f, 1.0.2-beta, 1.0.2-beta1 | failed |
+-------------------+------------+--------+-----------+---------------------------------------+--------+
success : 0 / 1
[*] shutting down at 22:15:33
ks-pocsuite $ ./pocsuite.py --version
1.2.7
root@lab:~/ks-pocsuite# uname -a
Linux lab 4.3.0-kali1-686-pae #1 SMP Debian 4.3.5-1kali1 (2016-02-11) i686 GNU/Linux
root@lab:~/ks-pocsuite# ./pocsuite.py -u http://www.mi.com -r /tmp/pocs/heartbleed.py --verify
,--. ,--.
,---. ,---. ,---.,---.,--.,--`--,-' '-.,---. {1.2.7-71242cd}
| .-. | .-. | .--( .-'| || ,--'-. .-| .-. :
| '-' ' '-' \ `--.-' `' '' | | | | \ --.
| |-' `---' `---`----' `----'`--' `--' `----'
`--' http://seebug.org
[!] legal disclaimer: Usage of pocsuite for attacking targets without prior mutual consent is illegal.
[*] starting at 23:27:13
[23:27:13] [*] checking heartbleed
[23:27:13] [*] poc:'heartbleed' target:'http://www.mi.com'
[23:27:13] [-] need more than 1 value to unpack
[23:27:13] [-] poc-1219 'Openssl 1.0.1 内存读取 信息泄露漏洞' failed.
+-------------------+------------+--------+-----------+---------------------------------------+--------+
| target-url | poc-name | poc-id | component | version | status |
+-------------------+------------+--------+-----------+---------------------------------------+--------+
| http://www.mi.com | heartbleed | 1219 | OpenSSL | 1.0.1~1.0.1f, 1.0.2-beta, 1.0.2-beta1 | failed |
+-------------------+------------+--------+-----------+---------------------------------------+--------+
success : 0 / 1
[*] shutting down at 23:27:13
OS: ubuntu 16.04. Here http is misspelled, https has the same result.
cannot concatenate 'str' and 'exceptions.ValueError' objects
This is the point.
And, this bug is imported by a recent commit, version 2.0.4.1-c9c150a (see picture) contains it, but you test with 1.2.7-71242cd, so...
My patch is for the dev branch, so please test with this branch.
Thanks @jetz.
ks-pocsuite $ ./pocsuite.py -u http://www.mi.com -r /tmp/pocs/heartbleed.py --verify
,--. ,--.
,---. ,---. ,---.,---.,--.,--`--,-' '-.,---. {2.0.4.1-0e8fca2}
| .-. | .-. | .--( .-'| || ,--'-. .-| .-. :
| '-' ' '-' \ `--.-' `' '' | | | | \ --.
| |-' `---' `---`----' `----'`--' `--' `----'
`--' http://pocsuite.org
[!] legal disclaimer: Usage of pocsuite for attacking targets without prior mutual consent is illegal.
[*] starting at 21:43:48
[21:43:48] [*] checking heartbleed
[21:43:48] [*] poc:'heartbleed' target:'http://www.mi.com'
[21:43:48] [-] need more than 1 value to unpack
[21:43:48] [-] thread MainThread: unhandled exception occurred in pocsuite/2.0.4.1-0e8fca2. It is recommended to retry your run with the latest development version from official Gitlab repository at 'https://github.com/knownsec/Pocsuite'. If the exception persists, please open a new issue at 'https://github.com/knownsec/Pocsuite/issues' with the following text and any other information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you
pocsuite version: 2.0.4.1-0e8fca2
Python version: 2.7.10
Operating system: posix
Command line: pocsuite.py -u http://www.mi.com -r /tmp/pocs/heartbleed.py --verify
Traceback (most recent call last):
  File "/Users/Open-Security/Code/ks-pocsuite/pocsuite/lib/core/threads.py", line 37, in runThreads
    threadFunction()
  File "/Users/Open-Security/Code/ks-pocsuite/pocsuite/lib/controller/controller.py", line 95, in pocThreads
    result_error = "Error," + result.error[1] if result.error[1] else "failed"
TypeError: cannot concatenate 'str' and 'exceptions.ValueError' objects
[*] shutting down at 21:43:48
ks-pocsuite $ ./pocsuite.py --version
2.0.4.1
The issue information is as follows:
-> result_error = "Error," + result.error[1] if result.error[1] else "failed"
(Pdb) result.error
(4, ValueError('need more than 1 value to unpack',))
(Pdb) result.error[1]
ValueError('need more than 1 value to unpack',)
(Pdb) "Error, {}".format(result.error[1])
'Error, need more than 1 value to unpack'
(Pdb) "Error, {}" + result.error[1]
*** TypeError: cannot concatenate 'str' and 'exceptions.ValueError' objects
set + string will make an error.
The PR is tested and merged. You, cool guy!
ks-pocsuite [fix-return_error-bug●] ./pocsuite.py -u http://www.mi.com -r /tmp/pocs/heartbleed.py --verify
,--. ,--.
,---. ,---. ,---.,---.,--.,--`--,-' '-.,---. {2.0.4.1-6a8b270}
| .-. | .-. | .--( .-'| || ,--'-. .-| .-. :
| '-' ' '-' \ `--.-' `' '' | | | | \ --.
| |-' `---' `---`----' `----'`--' `--' `----'
`--' http://pocsuite.org
[!] legal disclaimer: Usage of pocsuite for attacking targets without prior mutual consent is illegal.
[*] starting at 21:57:15
[21:57:15] [*] checking heartbleed
[21:57:15] [*] poc:'heartbleed' target:'http://www.mi.com'
[21:57:15] [-] need more than 1 value to unpack
[21:57:15] [-] poc-1219 'Openssl 1.0.1 内存读取 信息泄露漏洞' failed.
+-------------------+------------+--------+-----------+---------------------------------------+-----------------------------------------+
| target-url | poc-name | poc-id | component | version | status |
+-------------------+------------+--------+-----------+---------------------------------------+-----------------------------------------+
| http://www.mi.com | heartbleed | 1219 | OpenSSL | 1.0.1~1.0.1f, 1.0.2-beta, 1.0.2-beta1 | Error: need more than 1 value to unpack |
+-------------------+------------+--------+-----------+---------------------------------------+-----------------------------------------+
success : 0 / 1
[*] shutting down at 21:57:15
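The failure discussed in this thread, reduced to a runnable comparison. This is an added example, not part of the original thread or the Pocsuite code base: the function names and sample results are constructed, and the "Error: " prefix is assumed from the status cell in the run above.

```python
# Added example (not Pocsuite code): helper names and sample data are constructed.

def status_concat(error):
    """The expression from controller.py line 95, as shown in the traceback.

    It parses as ("Error," + error[1]) if error[1] else "failed", so the
    concatenation runs whenever error[1] is truthy, whatever its type.
    """
    return "Error," + error[1] if error[1] else "failed"


def status_format(error):
    """Same decision, but format() converts error[1] with str() first."""
    return "Error: {}".format(error[1]) if error[1] else "failed"


def build_rows(results, status_fn):
    """Build one status cell per PoC result.

    Returns (rows, crashed): rows that rendered, and results whose status
    could not be rendered because status_fn raised TypeError.
    """
    rows, crashed = [], []
    for name, error in results:
        try:
            rows.append((name, status_fn(error)))
        except TypeError as exc:
            crashed.append((name, str(exc)))
    return rows, crashed


# Constructed sample results: (poc-name, result.error) pairs.
SAMPLE = [
    # Shape seen in the pdb session: (code, exception object)
    ("heartbleed", (4, ValueError("need more than 1 value to unpack"))),
    # A PoC that reports its error as a plain string
    ("string-error", (1, "connection refused")),
    # No error detail at all
    ("no-detail", (0, None)),
]

if __name__ == "__main__":
    for fn in (status_concat, status_format):
        rows, crashed = build_rows(SAMPLE, fn)
        print(fn.__name__, "rows:", rows, "crashed:", crashed)
```

Without the try/except in build_rows, the TypeError from status_concat propagates out of the reporting code, which is the unhandled exception in MainThread shown in the 2.0.4.1-0e8fca2 run.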
Here I got the following exception because of concatenating mismatched types (Python 2.7.11):