Fix heartbleed cert parsing, lands rapid7#4338, closes rapid7#4309

HD Moore · HD Moore · commit 176296681a47 · 2014-12-09T14:58:27.000-06:00
diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
@@ -339,15 +339,15 @@ def jabber_connect_msg(hostname)
 
   def tls_jabber
     sock.put(jabber_connect_msg(xmpp_domain))
-    res = sock.get_once(-1, response_timeout)
+    res = get_data
     if res && res.include?('host-unknown')
       jabber_host = res.match(/ from='([\w.]*)' /)
       if jabber_host && jabber_host[1]
         disconnect
         establish_connect
         vprint_status("#{peer} - Connecting with autodetected remote XMPP hostname: #{jabber_host[1]}...")
         sock.put(jabber_connect_msg(jabber_host[1]))
-        res = sock.get_once(-1, response_timeout)
+        res = get_data
       end
     end
     if res.nil? || res.include?('stream:error') || res !~ /<starttls xmlns=['"]urn:ietf:params:xml:ns:xmpp-tls['"]/
@@ -356,14 +356,14 @@ def tls_jabber
     end
     msg = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
     sock.put(msg)
-    res = sock.get_once(-1, response_timeout)
+    res = get_data
     return nil if res.nil? || !res.include?('<proceed')
     res
   end
 
   def tls_ftp
     # http://tools.ietf.org/html/rfc4217
-    res = sock.get_once(-1, response_timeout)
+    res = get_data
     return nil if res.nil?
     sock.put("AUTH TLS\r\n")
     res = get_data
@@ -383,18 +383,25 @@ def tls_ftp
   # Get data from the socket
   # this ensures the requested length is read (if available)
   def get_data(length = -1)
-
-    return sock.get_once(-1, response_timeout) if length == -1
-
     to_receive = length
     data = ''
-    while to_receive > 0
-      temp = sock.get_once(to_receive, response_timeout)
+    done = false
+    while done == false
+      begin
+        temp = sock.get_once(to_receive, response_timeout)
+      rescue EOFError
+        break
+      end
+
       break if temp.nil?
 
       data << temp
-      to_receive -= temp.length
+      if length != -1
+        to_receive -= temp.length
+        done = true if to_receive <= 0
+      end
     end
+
     data
   end
 
@@ -417,8 +424,7 @@ def establish_connect
 
     vprint_status("#{peer} - Sending Client Hello...")
     sock.put(client_hello)
-
-    server_hello = sock.get_once(-1, response_timeout)
+    server_hello = get_data
     unless server_hello
       vprint_error("#{peer} - No Server Hello after #{response_timeout} seconds...")
       return nil
@@ -777,19 +783,19 @@ def parse_certificate_data(data)
     cert_len_padding = unpacked[0]
     cert_len = unpacked[1]
     vprint_debug("\t\tCertificates length: #{cert_len}")
+    vprint_debug("\t\tData length: #{data.length}")
     # contains multiple certs
     already_read = 3
     cert_counter = 0
     while already_read < cert_len
-      start = already_read
       cert_counter += 1
       # get single certificate length
-      single_cert_unpacked = data[start, 3].unpack('Cn')
+      single_cert_unpacked = data[already_read, 3].unpack('Cn')
       single_cert_len_padding = single_cert_unpacked[0]
       single_cert_len =  single_cert_unpacked[1]
       vprint_debug("\t\tCertificate ##{cert_counter}:")
       vprint_debug("\t\t\tCertificate ##{cert_counter}: Length: #{single_cert_len}")
-      certificate_data = data[(start + 3), single_cert_len]
+      certificate_data = data[(already_read + 3), single_cert_len]
       cert = OpenSSL::X509::Certificate.new(certificate_data)
       # First received certificate is the one from the server
       @cert = cert if @cert.nil?
