Hello, excuse me, I just want to ask one question.
Is it possible that OpenSSL version 1.0.1c is vulnerable?
Example:
I have 2 targets that have the same OpenSSL version.
The first target is vulnerable,
but the second target is reported as not vulnerable.
I'm really confused about this. If it is true that not all of version 1.0.1c is vulnerable, why is the first target vulnerable?
By the way,
can you refer me to how to exploit some information (SSL user and passwd attack)?
Because I just want to test this website; the owner of this website is my friend.
Thank you for your reply.
Vulnerable to what exactly?
@bcoles Heartbleed information leak, OpenSSL 1.0.1c
Targets ==> 80/tcp open http Apache httpd 2.2.22 ((FreeBSD) PHP/5.2.17 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1c DAV/2)
For the response handshake:
See this:
pict 1 ==> http://i63.tinypic.com/vnzd7a.jpg
pict 2 ==> http://i68.tinypic.com/f1mrz7.jpg
Pict 3 ==> http://i68.tinypic.com/x2rzpl.jpg
It might not be vulnerable.
You could try modifying the HEARTBEAT_LENGTH, or try verifying with another tool such as sslscan or testssl.
@bcoles
Are you sure about that?
When I used the check for exploitable, it says the target appears to be vulnerable.
This is what the result said:
[*] xx. xx.47.159:443 - The target appears to be vulnerable
@bcoles
Are you sure about that?
Nope. You could try modifying the HEARTBEAT_LENGTH, or try verifying with another tool such as sslscan or testssl. Nmap also has a script to dump process memory via heartbleed.
If it is vulnerable, it may not always have any data to leak. You could try requesting multiple times, while also generating traffic to the HTTPS port.
But since the owner of the website is your friend, and you've apparently identified one server that is vulnerable, you may as well recommend updating the version of OpenSSL on both, and call it a day. The latest version of OpenSSL in the 1.0.x branch is OpenSSL 1.0.2q.
@bcoles
Okay, give me some time, 24 hours, for this issue.
I'll be back.
Thank you.
Are you sure the owner of mail.dvorec.eu is your friend?
@bcoles
The other website is my friend's.
The vulnerable website is the target.
That's why I ask why this target is vulnerable but my friend's website is not.
Generally 1.0.1c is vulnerable, assuming it is upstream and not a backported patch. But this discussion is a bit outside of a Metasploit-specific question, so I'm closing it.