Land #4024, auto-negotiate SSL versions

Thanks @hmoore-r7!
2014-10-15 16:04:38 -05:00 · 2014-10-15 16:04:38 -05:00 · d5a0b81680
parent 8ec0aa0a75 5a350b2bf3
commit d5a0b81680
5 changed files with 53 additions and 13 deletions
--- a/lib/msf/core/auxiliary/crawler.rb
+++ b/lib/msf/core/auxiliary/crawler.rb
@ -44,7 +44,7 @@ module Auxiliary::HttpCrawler
        OptString.new('HTTPAdditionalHeaders', [false, "A list of additional headers to send (separated by \\x01)"]),
        OptString.new('HTTPCookie', [false, "A HTTP cookie header to send with each request"]),
        OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]),
-        OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL23', 'SSL3', 'TLS1']]),
+        OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL23', 'SSL3', 'TLS1']]),
      ], self.class
    )

--- a/lib/msf/core/exploit/http/client.rb
+++ b/lib/msf/core/exploit/http/client.rb
@ -50,7 +50,7 @@ module Exploit::Remote::HttpClient
        OptString.new('PASSWORD', [false, 'The HTTP password to specify for  authentication', '']),
        OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]),
        OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]),
-        OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
+        OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL3', 'TLS1']]),
        OptBool.new('FingerprintCheck', [ false, 'Conduct a pre-exploit fingerprint verification', true]),
        OptString.new('DOMAIN', [ true, 'The domain to use for windows authentification', 'WORKSTATION'])
      ], self.class
--- a/lib/msf/core/exploit/tcp.rb
+++ b/lib/msf/core/exploit/tcp.rb
@ -62,7 +62,7 @@ module Exploit::Remote::Tcp
    register_advanced_options(
      [
        OptBool.new('SSL',        [ false, 'Negotiate SSL for outgoing connections', false]),
-        OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
+        OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL3', 'TLS1']]),
        OptEnum.new('SSLVerifyMode',  [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]),
        OptString.new('SSLCipher',    [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']),
        Opt::Proxies,
@ -290,7 +290,7 @@ module Exploit::Remote::TcpServer
    register_options(
      [
        OptBool.new('SSL',        [ false, 'Negotiate SSL for incoming connections', false]),
-        OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
+        OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL3', 'TLS1']]),
        OptPath.new('SSLCert',    [ false, 'Path to a custom SSL certificate (default is randomly generated)']),
        OptAddress.new('SRVHOST', [ true, "The local host to listen on. This must be an address on the local machine or 0.0.0.0", '0.0.0.0' ]),
        OptPort.new('SRVPORT',    [ true, "The local port to listen on.", 8080 ]),
--- a/lib/rex/socket/parameters.rb
+++ b/lib/rex/socket/parameters.rb
@ -56,7 +56,7 @@ class Rex::Socket::Parameters
  # @option hash [Bool] 'Bool' Create a bare socket
  # @option hash [Bool] 'Server' Whether or not this should be a server
  # @option hash [Bool] 'SSL' Whether or not SSL should be used
-  # @option hash [String] 'SSLVersion' Specify SSL2, SSL3, or TLS1 (SSL3 is
+  # @option hash [String] 'SSLVersion' Specify Auto, SSL2, SSL3, or TLS1 (Auto is
  #   default)
  # @option hash [String] 'SSLCert' A file containing an SSL certificate (for
  #   server sockets)
@ -117,7 +117,7 @@ class Rex::Socket::Parameters
      self.ssl = false
    end

-    supported_ssl_versions = ['SSL2', 'SSL23', 'TLS1', 'SSL3', :SSLv2, :SSLv3, :SSLv23, :TLSv1]
+    supported_ssl_versions = ['Auto', 'SSL2', 'SSL23', 'TLS1', 'SSL3', :Auto, :SSLv2, :SSLv3, :SSLv23, :TLSv1]
    if (hash['SSLVersion'] and supported_ssl_versions.include? hash['SSLVersion'])
      self.ssl_version = hash['SSLVersion']
    end
@ -324,7 +324,7 @@ class Rex::Socket::Parameters
  # @return [Bool]
  attr_accessor :ssl

-  # What version of SSL to use (SSL2, SSL3, SSL23, TLS1)
+  # What version of SSL to use (Auto, SSL2, SSL3, SSL23, TLS1)
  # @return [String,Symbol]
  attr_accessor :ssl_version

--- a/lib/rex/socket/ssl_tcp.rb
+++ b/lib/rex/socket/ssl_tcp.rb
@ -56,18 +56,55 @@ begin
  def initsock(params = nil)
    super

-    version = :SSLv3
-    if(params)
+    # The autonegotiation preference for SSL/TLS versions
+    versions = [:TLSv1, :SSLv3, :SSLv23, :SSLv2]
+
+    # Limit this to a specific SSL/TLS version if specified
+    if params
      case params.ssl_version
      when 'SSL2', :SSLv2
-        version = :SSLv2
+        versions = [:SSLv2]
      when 'SSL23', :SSLv23
-        version = :SSLv23
+        versions = [:SSLv23]
+      when 'SSL3', :SSLv3
+        versions = [:SSLv3]
      when 'TLS1', :TLSv1
-        version = :TLSv1
+        versions = [:TLSv1]
+      else
+        # Leave the version list as-is (Auto)
      end
    end

+    # Limit our versions to those supported by the linked OpenSSL library
+    versions = versions.select {|v| OpenSSL::SSL::SSLContext::METHODS.include? v }
+
+    # Raise an error if no selected versions are supported
+    if versions.length == 0
+      raise ArgumentError, 'The system OpenSSL does not support the requested SSL/TLS version'
+    end
+
+    last_error = nil
+
+    # Iterate through SSL/TLS versions until we successfully negotiate
+    versions.each do |version|
+      begin
+        # Try intializing the socket with this SSL/TLS version
+        # This will throw an exception if it fails
+        initsock_with_ssl_version(params, version)
+
+        # Success! Record what method was used and return
+        self.ssl_negotiated_version = version
+        return
+      rescue OpenSSL::SSL::SSLError => e
+        last_error = e
+      end
+    end
+
+    # No SSL/TLS versions succeeded, raise the last error
+    raise last_error
+  end
+
+  def initsock_with_ssl_version(params, version)
    # Build the SSL connection
    self.sslctx  = OpenSSL::SSL::SSLContext.new(version)

@ -84,7 +121,9 @@ begin
      # Could also do this as graceful faildown in case a passed verify_mode is not supported
      self.sslctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    end
+
    self.sslctx.options = OpenSSL::SSL::OP_ALL
+
    if params.ssl_cipher
      self.sslctx.ciphers = params.ssl_cipher
    end
@ -101,7 +140,6 @@ begin
    # XXX - enabling this causes infinite recursion, so disable for now
    # self.sslsock.sync_close = true

-
    # Force a negotiation timeout
    begin
    Timeout.timeout(params.timeout) do
@ -327,11 +365,13 @@ begin
  end

  attr_reader :peer_verified # :nodoc:
+  attr_reader :ssl_negotiated_version # :nodoc:
  attr_accessor :sslsock, :sslctx # :nodoc:

 protected

  attr_writer :peer_verified # :nodoc:
+  attr_writer :ssl_negotiated_version # :nodoc:


 rescue LoadError