Add LEAK_COUNT option to Heartbleed #10680

Merged
merged 1 commit into from
Sep 21, 2018

wvu
Contributor

@wvu wvu commented Sep 20, 2018

I should have done this in 2014, but I'm a slacker.

  • Test with LEAK_COUNT
  • Test with repeat
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set leak_count 9001
leak_count => 9001
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run

[+] 127.0.0.1:443         - Heartbeat response with leak, 589880535 bytes
[+] 127.0.0.1:443         - Heartbeat data stored in /Users/wvu/.msf4/loot/20180920171424_default_127.0.0.1_openssl.heartble_551227.bin
[*] 127.0.0.1:443         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssl/openssl_heartbleed) >
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set leak_count 100
leak_count => 100
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > repeat -n 2 run; sleep 10

[+] 127.0.0.1:443         - Heartbeat response with leak, 6553500 bytes
[+] 127.0.0.1:443         - Heartbeat data stored in /Users/wvu/.msf4/loot/20180920172522_default_127.0.0.1_openssl.heartble_399065.bin
[*] 127.0.0.1:443         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[+] 127.0.0.1:443         - Heartbeat response with leak, 6553500 bytes
[+] 127.0.0.1:443         - Heartbeat data stored in /Users/wvu/.msf4/loot/20180920172535_default_127.0.0.1_openssl.heartble_300407.bin
[*] 127.0.0.1:443         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssl/openssl_heartbleed) >

#3206, #10625

@wvu wvu self-assigned this Sep 20, 2018
@wvu wvu force-pushed the feature/heartbleed branch 3 times, most recently from 756d56f to 054f2d7 Compare September 20, 2018 20:57
@h00die
Contributor

h00die commented Sep 20, 2018

Add both to .md?

@wvu
Contributor Author

wvu commented Sep 20, 2018

There is no module doc.

@h00die
Contributor

h00die commented Sep 20, 2018

Most likely because there wasn't a good vuln target to show actual exploitation (like pulling creds/key/sensitive data) since you'd need to make a bunch of requests to get memory filled up.
Since you all have a target, that could make some good doc examples (after removing sensitive data)

@wvu wvu force-pushed the feature/heartbleed branch 3 times, most recently from dbdc478 to 5d5da51 Compare September 20, 2018 21:36
@wvu
Contributor Author

wvu commented Sep 20, 2018

We didn't have module docs back then. :)

@wvu
Contributor Author

wvu commented Sep 20, 2018

msf5 auxiliary(scanner/ssl/openssl_heartbleed) > check
^C[-] Check failed: Interrupt
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run

[+] 127.0.0.1:443         - Heartbeat response with leak, 65535 bytes
[+] 127.0.0.1:443         - Heartbeat data stored in /Users/wvu/.msf4/loot/20180920174641_default_127.0.0.1_openssl.heartble_640224.bin
[*] 127.0.0.1:443         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssl/openssl_heartbleed) >

check is broken for scanners. RHOST is not set but used. Probably a regression from #7349 and #9246. We are currently tracking this internally.

@wvu wvu force-pushed the feature/heartbleed branch 2 times, most recently from 19a4cb4 to 7de28cc Compare September 20, 2018 22:53
I should have done this in 2014, but I'm a slacker.
@wvu wvu removed the request for review from acammack-r7 September 21, 2018 00:50
@wvu wvu merged commit 9da87a6 into rapid7:master Sep 21, 2018
wvu added a commit that referenced this pull request Sep 21, 2018
@wvu
Contributor Author

wvu commented Sep 21, 2018

Release Notes

This adds the LEAK_COUNT option to the Heartbleed scanner, allowing a user to specify the number of memory leaks to attempt per SCAN or DUMP action.

@wvu wvu deleted the feature/heartbleed branch September 21, 2018 01:27
@busterb
Member

busterb commented Sep 21, 2018

See #10688 for check method fixes.

@gdavidson-r7 gdavidson-r7 added the rn-enhancement release notes enhancement label Oct 10, 2018