Heartbleed Honeypot Script

[Stealth]

#!/usr/bin/perl

# hb_honeypot.pl -- a quick 'n dirty honeypot hack for Heartbleed

#

# This Perl script listens on TCP port 443 and responds with completely bogus

# SSL heartbeat responses, unless it detects the start of a byte pattern

# similar to that used in Jared Stafford's (jspenguin@jspenguin.org) demo for

# CVE-2014-0160 'Heartbleed'.

#

# Run as root for the privileged port. Outputs IPs of suspected heartbleed scan

# to the console. Rickrolls scanner in the hex dump.

#

# 8 April 2014

# http://www.glitchwrks.com/

# shouts to binrev

use strict;

use warnings;

use IO::Socket;

my $sock = new IO::Socket::INET (

LocalPort => '443',

Proto => 'tcp',

Listen => 1,

Reuse => 1,

);

die "Could not create socket!" unless $sock;

# The "done" bit of the handshake response

my $done = pack ("H*", '16030100010E');

# Your message here

my $taunt = "09809*)(76&^%&(*&^7657332 Hi there! Your scan has been logged! Have no fear, this is for research only -- We're never gonna give you up, never gonna let you down!";

my $troll = pack ("H*", ('180301' . sprintf( "%04x", length($taunt))));

# main "barf responses into the socket" loop

while (my $client = $sock->accept()) {

$client->autoflush(1);

my $found = 0;

# read things that look like lines, puke nonsense heartbeat responses until

# a line that looks like it's from the PoC shows up

while (<$client>) {

my $line = unpack("H*", $_);

if ($line =~ /^0034.*/) {

print $client $done;

$found = 1;

} else {

print $client $troll;

print $client $taunt;

}

if ($found == 1) {

print $client $troll;

print $client $taunt;

print $client->peerhost . "n";

$found = 0;

}

}

}

close($sock);