Merge pull request #20517 from cgranleese-r7/adds-postgres-ssl-support

Adds SSL support to the postgres_login module

Author: smcintyre-r7

lib/metasploit/framework/login_scanner/postgres.rb

@@ -11,6 +11,25 @@ module LoginScanner
       class Postgres
         include Metasploit::Framework::LoginScanner::Base
 
+        # @!attribute ssl
+        #   @return [Boolean] Whether the connection should use SSL
+        attr_accessor :ssl
+        # @!attribute ssl_version
+        #   @return [String] The version of SSL to implement
+        attr_accessor :ssl_version
+        # @!attribute ssl_verify_mode
+        #   @return [String] the SSL certification verification mechanism
+        attr_accessor :ssl_verify_mode
+        # @!attribute ssl_cipher
+        #   @return [String] The SSL cipher to use for the context
+        attr_accessor :ssl_cipher
+        # @!attribute max_send_size
+        #   @return [Integer] The max size of the data to encapsulate in a single packet
+        attr_accessor :max_send_size
+        # @!attribute send_delay
+        #   @return [Integer] The delay between sending packets
+        attr_accessor :send_delay
+
         # @returns [Boolean] If a login is successful and this attribute is true - a Msf::Db::PostgresPR::Connection instance is used as proof,
         #   and the socket is not immediately closed
         attr_accessor :use_client_as_proof
@@ -45,7 +64,20 @@ def attempt_login(credential)
           pg_conn = nil
 
           begin
-            pg_conn = Msf::Db::PostgresPR::Connection.new(db_name,credential.public,credential.private,uri,proxies)
+            ssl_opts = {}
+            ssl_opts[:ssl_version] = ssl_version if ssl_version
+            ssl_opts[:ssl_verify_mode] = ssl_verify_mode if ssl_verify_mode
+            ssl_opts[:ssl_cipher] = ssl_cipher if ssl_cipher
+
+            pg_conn = Msf::Db::PostgresPR::Connection.new(
+              db_name,
+              credential.public,
+              credential.private,
+              uri,
+              proxies,
+              ssl,
+              ssl_opts
+            )
           rescue ::RuntimeError => e
             case e.to_s.split("\t")[1]
               when "C3D000"
@@ -90,13 +122,15 @@ def attempt_login(credential)
 
           ::Metasploit::Framework::LoginScanner::Result.new(result_options)
         end
-      end
 
-      def set_sane_defaults
-        self.connection_timeout ||= 30
-        self.port               ||= DEFAULT_PORT
-      end
+        def set_sane_defaults
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
+        end
 
+      end
     end
   end
 end

lib/msf/core/exploit/remote/postgres.rb

@@ -12,7 +12,9 @@ module Exploit::Remote::Postgres
 
   require 'postgres_msf'
   require 'base64'
+  require 'metasploit/framework/tcp/client'
   include Msf::Db::PostgresPR
+  include Exploit::Remote::Tcp
 
   # @!attribute [rw] postgres_conn
   #   @return [::Msf::Db::PostgresPR::Connection]

lib/postgres/postgres-pr/connection.rb

@@ -56,12 +56,12 @@ def transaction_status
     end
   end
 
-  def initialize(database, user, password=nil, uri = nil, proxies = nil)
+  def initialize(database, user, password=nil, uri = nil, proxies = nil, ssl = nil, ssl_opts = {})
     uri ||= DEFAULT_URI
 
     @transaction_status = nil
     @params = { 'username' => user, 'database' => database }
-    establish_connection(uri, proxies)
+    establish_connection(uri, proxies, ssl, ssl_opts)
 
     # Check if the password supplied is a Postgres-style md5 hash
     md5_hash_match = password.match(/^md5([a-f0-9]{32})$/)
@@ -231,7 +231,11 @@ def detect_platform_and_arch
 
   def close
     raise "connection already closed" if @conn.nil?
-    @conn.shutdown
+    if @conn.respond_to?(:shutdown)
+      @conn.shutdown
+    elsif @conn.respond_to?(:close)
+      @conn.close
+    end
     @conn = nil
   end
 
@@ -343,16 +347,35 @@ def handle_server_error_message(server_error_message)
 
   # tcp://localhost:5432
   # unix:/tmp/.s.PGSQL.5432
-  def establish_connection(uri, proxies)
+  def establish_connection(uri, proxies, ssl = nil, ssl_opts = {})
     u = URI.parse(uri)
     case u.scheme
     when 'tcp'
-      @conn = Rex::Socket.create(
-      'PeerHost' => (u.host || DEFAULT_HOST).gsub(/[\[\]]/, ''),  # Strip any brackets off (IPv6)
-      'PeerPort' => (u.port || DEFAULT_PORT),
-      'proto' => 'tcp',
-      'Proxies' => proxies
-    )
+      params = Rex::Socket::Parameters.from_hash(
+        'PeerHost' => (u.host || DEFAULT_HOST).gsub(/\[|\]/, ''),
+        'PeerPort' => (u.port || DEFAULT_PORT),
+        'proto' => 'tcp',
+        'Proxies' => proxies,
+        'SSLVersion' => ssl_opts[:ssl_version],
+        'SSLVerifyMode' => ssl_opts[:ssl_verify_mode],
+        'SSLCipher' => ssl_opts[:ssl_cipher]
+      )
+      @conn = Rex::Socket.create_param(params)
+
+      if ssl
+        ssl_request_message = SSLRequest.new(80877103)
+        @conn.write(ssl_request_message.dump)
+        response = @conn.read(1)
+        if response == 'S'
+          @conn.extend(Rex::Socket::SslTcp)
+          @conn.initsock_with_ssl_version(params, (params.ssl_version || Rex::Socket::Ssl::DEFAULT_SSL_VERSION))
+        elsif response == 'N'
+          # Server does not support SSL
+          raise "SSL connection requested but server at #{u.host}:#{u.port} does not support SSL"
+        else
+          raise "Unexpected response to SSLRequest: #{response.inspect}"
+        end
+      end
     when 'unix'
       @conn = UNIXSocket.new(u.path)
     else

modules/auxiliary/scanner/postgres/postgres_login.rb

@@ -113,8 +113,14 @@ def run_host(ip)
         stop_on_success: datastore['STOP_ON_SUCCESS'],
         bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: 30,
+        max_send_size: (datastore['TCP::max_send_size']),
+        send_delay: (datastore['TCP::send_delay']),
         framework: framework,
         framework_module: self,
+        ssl: datastore['SSL'],
+        ssl_version: datastore['SSLVersion'],
+        ssl_verify_mode: datastore['SSLVerifyMode'],
+        ssl_cipher: datastore['SSLCipher'],
         use_client_as_proof: create_session?
       )
     )

spec/lib/metasploit/framework/login_scanner/postgres_spec.rb

@@ -5,6 +5,7 @@
   let(:public) { 'root' }
   let(:private) { 'toor' }
   let(:realm) { 'template1' }
+  let(:host) { '127.0.0.1' }
 
   let(:full_cred) {
     Metasploit::Framework::Credential.new(
@@ -23,7 +24,7 @@
     )
   }
 
-  subject(:login_scanner) { described_class.new }
+  subject(:login_scanner) { described_class.new(host: host) }
 
   it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: true
 
@@ -40,7 +41,7 @@
 
     context 'when there is no realm on the credential' do
       it 'uses template1 as the default realm' do
-        expect(Msf::Db::PostgresPR::Connection).to receive(:new).with('template1', 'root', 'toor', 'tcp://:', nil)
+        expect(Msf::Db::PostgresPR::Connection).to receive(:new).with('template1', 'root', 'toor', 'tcp://127.0.0.1:5432', nil, nil, {})
         login_scanner.attempt_login(cred_no_realm)
       end
     end

spec/lib/msf/core/rhosts_walker_spec.rb

@@ -972,9 +972,9 @@ def create_tempfile(content)
       it 'enumerates postgres schemes' do
         postgres_mod.datastore['RHOSTS'] = 'postgres://postgres:@example.com "postgres://user:a b [email protected]/" "postgres://user:a b [email protected]:9001/database_name"'
         expected = [
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 5432, 'USERNAME' => 'postgres', 'PASSWORD' => '', 'DATABASE' => 'template1' },
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 5432, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'template1' },
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 9001, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'database_name' }
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 5432, 'SSL' => false, 'USERNAME' => 'postgres', 'PASSWORD' => '', 'DATABASE' => 'template1' },
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 5432,'SSL' => false, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'template1' },
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 9001, 'SSL' => false, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'database_name' }
         ]
         expect(each_error_for(postgres_mod)).to be_empty
         expect(each_host_for(postgres_mod)).to have_datastore_values(expected)
@@ -984,9 +984,9 @@ def create_tempfile(content)
         postgres_mod.datastore['RHOSTS'] = 'postgres://postgres:@example.com "postgres://user:a b [email protected]/" "postgres://user:a b [email protected]:9001/database_name"'
         postgres_mod.datastore['PROXIES'] = 'socks5h:198.51.100.1:1080'
         expected = [
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 5432, 'USERNAME' => 'postgres', 'PASSWORD' => '', 'DATABASE' => 'template1' },
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 5432, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'template1' },
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 9001, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'database_name' }
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 5432, 'SSL' => false, 'USERNAME' => 'postgres', 'PASSWORD' => '', 'DATABASE' => 'template1' },
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 5432, 'SSL' => false, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'template1' },
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 9001, 'SSL' => false, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'database_name' }
         ]
         expect(each_error_for(postgres_mod)).to be_empty
         expect(each_host_for(postgres_mod)).to have_datastore_values(expected)

spec/lib/rex/proto/postgresql/client_spec.rb

@@ -11,16 +11,81 @@
   let(:socket) { double(Rex::Socket, peerhost: host, peerport: port) }
   let(:message) { Msf::Db::PostgresPR::ReadyForQuery.new('') }
 
-  subject do
+  before do
     allow(socket).to receive(:<<)
+    allow(socket).to receive(:write)
+    allow(socket).to receive(:read).and_return('S')
+    allow(socket).to receive(:extend)
+    allow(socket).to receive(:initsock_with_ssl_version)
     allow(Msf::Db::PostgresPR::Message).to receive(:read).and_return(message)
-    allow(Rex::Socket).to receive(:create).and_return(socket)
-    client = described_class.new(db_name, 'username', 'password', "tcp://#{host}:#{port}")
-    client
+    allow(Rex::Socket).to receive(:create_param).and_return(socket)
+  end
+
+  subject do
+    described_class.new(db_name, 'username', 'password', "tcp://#{host}:#{port}")
   end
 
   it_behaves_like 'session compatible SQL client'
 
+  describe 'SSL connection' do
+    let(:ssl_request_message) { instance_double(Msf::Db::PostgresPR::SSLRequest) }
+    let(:ssl_opts) { { ssl_version: 'TLS1.2', ssl_verify_mode: 'peer', ssl_cipher: 'AES256' } }
+
+    before do
+      allow(Msf::Db::PostgresPR::SSLRequest).to receive(:new).with(80877103).and_return(ssl_request_message)
+      allow(ssl_request_message).to receive(:dump).and_return('ssl_request_data')
+    end
+
+    context 'when SSL is enabled and server supports SSL' do
+      it 'successfully establishes SSL connection' do
+        allow(socket).to receive(:read).with(1).and_return('S')
+
+        expect(socket).to receive(:write).with('ssl_request_data')
+        expect(socket).to receive(:extend).with(Rex::Socket::SslTcp)
+        expect(socket).to receive(:initsock_with_ssl_version)
+
+        client = described_class.new(db_name, 'username', 'password', "tcp://#{host}:#{port}", nil, true, ssl_opts)
+        expect(client).to be_a(Msf::Db::PostgresPR::Connection)
+      end
+    end
+
+    context 'when SSL is enabled but server does not support SSL' do
+      it 'raises an error when server responds with N' do
+        allow(socket).to receive(:read).with(1).and_return('N')
+
+        expect(socket).to receive(:write).with('ssl_request_data')
+        expect(socket).not_to receive(:extend)
+
+        expect {
+          described_class.new(db_name, 'username', 'password', "tcp://#{host}:#{port}", nil, true, ssl_opts)
+        }.to raise_error("SSL connection requested but server at #{host}:#{port} does not support SSL")
+      end
+    end
+
+    context 'when SSL is enabled but server responds unexpectedly' do
+      it 'raises an error for unexpected SSL response' do
+        allow(socket).to receive(:read).with(1).and_return('X')
+
+        expect(socket).to receive(:write).with('ssl_request_data')
+        expect(socket).not_to receive(:extend)
+
+        expect {
+          described_class.new(db_name, 'username', 'password', "tcp://#{host}:#{port}", nil, true, ssl_opts)
+        }.to raise_error('Unexpected response to SSLRequest: "X"')
+      end
+    end
+
+    context 'when SSL is disabled' do
+      it 'does not attempt SSL handshake' do
+        expect(socket).not_to receive(:write).with('ssl_request_data')
+        expect(socket).not_to receive(:extend).with(Rex::Socket::SslTcp)
+
+        client = described_class.new(db_name, 'username', 'password', "tcp://#{host}:#{port}", nil, false, ssl_opts)
+        expect(client).to be_a(Msf::Db::PostgresPR::Connection)
+      end
+    end
+  end
+
   describe '#map_compile_os_to_platform' do
     [
       { info: 'linux', expected: Msf::Platform::Linux.realname },