Didier Stevens

Thursday 10 April 2014

Heartbleed: Packet Capture – Full TLS

Filed under: Networking,Vulnerabilities — Didier Stevens @ 22:34

Yesterday I posted my heartbleed packet capture with an unencrypted heartbeat record.

Now I post a capture with full TLS session setup, hence here the heartbeat records are encrypted. I use heartbleed.c by HackerFantastic.

heartbleed_packet_capture_tls.zip (https)
MD5: 7D19146C2ACC28AFAD6E1FD217E908BB
SHA256: 7FDECDD05269731EDD57FFEE24323C672D620A533CD412089F055D6266C76164


  1. Hello didier. I need some help from you.
    when i try to compile the code made by Hacker Fantastic (the same you use), ive got some problems
    i hope you can help me compiling this code.
    im using ubuntu 12.03 with OpenSSL 1.0.1 14 Mar 2012 on it.
    im using the next code yo try to compile:
    gcc heartbleed.c -o heart -lssl -lssl3 -lcrypto

    but this comand does not work
    the output:

    /tmp/ccOvusmc.o: In function `heartbleed’:
    heartbleed.c:(.text+0x8fd): undefined reference to `ssl3_write_bytes’
    /tmp/ccOvusmc.o: In function `sneakyleaky’:
    heartbleed.c:(.text+0x9f0): undefined reference to `ssl3_read_n’
    heartbleed.c:(.text+0xb77): undefined reference to `ssl3_read_n’
    heartbleed.c:(.text+0xbe0): undefined reference to `tls1_enc’
    heartbleed.c:(.text+0xd4d): undefined reference to `ssl3_cbc_copy_mac’
    heartbleed.c:(.text+0xdbd): undefined reference to `tls1_mac’
    heartbleed.c:(.text+0xeea): undefined reference to `ssl3_do_uncompress’
    collect2: ld devolvió el estado de salida 1

    Could you please tell me what is happening or maby tell me what can i do
    Thank you in advance!!!!

    Comment by zorro — Friday 11 April 2014 @ 1:12

  2. @zorro I too had problems compiling this, so I installed ArchLinux, gcc and openssl, and compiled without -lssl3 option.

    Comment by Didier Stevens — Friday 11 April 2014 @ 6:26

  3. it’compiles without the -lssl3 option on Arch. But does it work? With my testserver with an vulnereable OpenSSL Version it always fails with “problem handling SSL record packet -wrong type?” “error to many bad packets recieved”.

    locking in the heartbleed.c source it always fails after:

    if ((s->rstate != SSL_ST_READ_BODY) ||
    (s->packet_length s3->rbuf.len, 0);
    if (n <= 0)
    goto apple;

    (it goes to apple, where it does the print outs)

    you're sure it really works withouth the -lssl3? What is lssl3 anyway? I can't find the library!

    Comment by Cheeers — Saturday 12 April 2014 @ 9:43

  4. @Cheeers Of course it works, since I posted a packet capture with encrypted heartbeats.

    Comment by Didier Stevens — Saturday 12 April 2014 @ 9:48

  5. true.

    Do you have any idea what else I can try?


    Comment by Cheeers — Saturday 12 April 2014 @ 10:15

  6. @Cheeers startup Wireshark, capture your test and see what you get. Moght give you a clue as to what goes wrong. Also, have you tested your server with other PoCs that don’t encrypt?

    Comment by Didier Stevens — Saturday 12 April 2014 @ 10:18

  7. Hi all,
    In Debian based compile this way:

    gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto

    Worked fine on Raspberry Pi with the most updated packages and libssl-dev.

    Comment by Filipe YaBa Polido — Saturday 12 April 2014 @ 20:49

  8. I tried on Ubuntu, but got the same “undefined reference to `ssl3_write_bytes’” error as OP.

    any ideas?

    Comment by t — Monday 14 April 2014 @ 12:35

  9. “gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto” works great in ubuntu 12.04

    Comment by Anonymous — Wednesday 7 May 2014 @ 8:08

  10. I’ve compiled the heartbleed.c this way here
    “gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto” System Ubuntu 12.04
    After that I’ve created a virtualbox with Ubuntu 14.04 and installed openssl 1.0.1f
    Now when I want to test this I got every time this error message:
    ./heartbleed -s x.x.x.x -p 443 -f out -t 1
    [ heartbleed – CVE-2014-0160 – OpenSSL information leak exploit
    [ =============================================================
    [ connecting to x.x.x.x 443/tcp
    [!] FATAL: could not connect to x.x.x.x 443/tcp

    What is wrong?

    Comment by Elec — Tuesday 14 October 2014 @ 9:00

  11. @Elec capture the traffic and see if you get a tcp connection.

    Comment by Didier Stevens — Tuesday 14 October 2014 @ 13:39

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.