metasploit-framework/modules/auxiliary/scanner/http/ssl_version.rb

89 lines
2.5 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::HttpClient
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'HTTP SSL/TLS Version Detection (POODLE scanner)',
'Description' => %q{
Check if an HTTP server supports a given version of SSL/TLS.
If a web server can successfully establish an SSLv3 session, it is
likely to be vulnerable to the POODLE attack described on
October 14, 2014, as a patch against the attack is unlikely.
},
'Author' => 'todb',
'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'SSL' => true,
'RPORT' => 443,
'SSLVersion' => 'SSL3'
},
'References' =>
[
[ 'URL', 'http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html'],
[ 'OSVDB', '113251'],
[ 'CVE', '2014-3566']
],
2014-10-17 17:35:28 +00:00
'DisclosureDate' => 'Oct 14 2014'
)
register_options(
[
OptEnum.new('SSLVersion', [true, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']])
]
)
end
# Fingerprint a single host
def run_host(ip)
begin
connect
res = send_request_raw({ 'uri' => '/', 'method' => 'GET' })
fp = http_fingerprint(:response => res)
if fp
2014-10-16 15:43:58 +00:00
vprint_status("#{peer} connected and fingerprinted: #{fp}")
# TODO: Interrogate the connection itself to see what version
# was used. Where that actually lives is eluding me. :/
if datastore['SSLVersion'] == 'SSL3'
print_good("#{peer} accepts SSLv3")
report_poodle_vuln(ip)
end
end
rescue ::OpenSSL::SSL::SSLError => e
ssl_version = e.message.match(/ state=([^\s]+)/)[1]
vprint_status("#{peer} does not accept #{ssl_version}")
rescue ::Timeout::Error, ::Errno::EPIPE
ensure
disconnect
end
end
def report_poodle_vuln(ip)
report_vuln(
:host => ip,
:port => rport,
:proto => 'tcp',
:name => self.name,
:info => "Module #{self.fullname} confirmed SSLv3 is available",
:refs => self.references,
:exploited_at => Time.now.utc
)
end
end