-5

I was wondering what it means in the Heartbleed exploit. Let me explain. I'm trying to understand what "hello" and "heartbeat" mean. Example:

hello = h2bin("""16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01""")

hb = h2bin("""18 03 02 00 03
01 40 00""")

So, what does that mean? How did the attacker imagine that? I tried to translate that from decimal to ASCII, but I can't understand the result (the characters are not understandable). How is it constructed?

Bob Ortiz
Zerquix18
  • Is there any aspect of Heartbleed you want to know about that isn't covered by http://security.stackexchange.com/questions/55116/how-exactly-does-the-openssl-tls-heartbeat-heartbleed-exploit-work?rq=1 ? – Mark Jun 16 '14 at 04:00
  • I want to know how the exploit is constructed. – Zerquix18 Jun 16 '14 at 04:01

1 Answer

1

The data you've posted are TLS messages. You'd need to look at the structure of TLS messages to understand the data. It's not like HTTP, SMTP, etc., where the protocol is a plaintext protocol that can be trivially read by a person.

A Hello message is one of the initial handshake messages in TLS (there's ClientHello and ServerHello) and a heartbeat message is essentially a way to say "I'm still here" to keep the connection alive. Heartbeats may optionally include data to be echoed back (I honestly have no idea why that feature was added, and it's that part of the heartbeat that led to Heartbleed).

XKCD actually has a great cartoon about Heartbleed that explains more or less what the messages do: https://xkcd.com/1354/

If you want to understand the TLS messages, looking at the TLS spec can be useful, and there's a good explanation of the code that led to Heartbleed at OWASP.

David
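
Added example, not part of the answer above or of the script quoted in the question: a small Python decoder for the TLS record layer, run on the first nine bytes of the question's `hello` and on all of `hb`, together with the payload-length check that RFC 6520 requires of a receiver. The function names and lookup tables are illustrative assumptions; the hex bytes are copied from the question.

```python
import struct

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake",
                 0x17: "application_data", 0x18: "heartbeat"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HB_PADDING_MIN = 16  # RFC 6520: every heartbeat message carries >= 16 padding bytes


def parse_record_header(data):
    """5-byte TLS record header: content type, protocol version, body length."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {"type": CONTENT_TYPES.get(ctype, hex(ctype)),
            "version": VERSIONS.get(version, hex(version)),
            "length": length}


def parse_handshake_header(body):
    """4-byte handshake header: message type and a 24-bit big-endian length."""
    if len(body) < 4:
        raise ValueError("short handshake header")
    names = {1: "client_hello", 2: "server_hello"}
    return {"msg_type": names.get(body[0], body[0]),
            "length": int.from_bytes(body[1:4], "big")}


def check_heartbeat(record):
    """Decode a heartbeat record and compare claimed vs. actual sizes."""
    hdr = parse_record_header(record)
    body = record[5:5 + hdr["length"]]
    if hdr["type"] != "heartbeat" or len(body) < 3:
        raise ValueError("not a complete heartbeat record")
    hb_type, claimed = struct.unpack("!BH", body[:3])
    # type (1) + payload_length (2) + payload + padding must fit in the record
    needed = 1 + 2 + claimed + HB_PADDING_MIN
    return {"hb_type": {1: "request", 2: "response"}.get(hb_type, hb_type),
            "claimed_payload": claimed,
            "bytes_after_header": len(body) - 3,
            "well_formed": needed <= len(body)}


# Bytes copied from the question: first 9 bytes of `hello`, all of `hb`.
HELLO_PREFIX = bytes.fromhex("16 03 02 00 dc 01 00 00 d8")
HB = bytes.fromhex("18 03 02 00 03 01 40 00")

if __name__ == "__main__":
    print(parse_record_header(HELLO_PREFIX))
    print(parse_handshake_header(HELLO_PREFIX[5:]))
    print(check_heartbeat(HB))
```

The `hb` record claims a 16384-byte payload (`40 00`) while its record body is only 3 bytes long, so `well_formed` is False. A receiver that follows RFC 6520 silently discards such a message instead of echoing anything back.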