|
| 1 | +## |
| 2 | +# This module requires Metasploit: http://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'rex/proto/http' |
| 7 | +require 'msf/core' |
| 8 | + |
| 9 | + |
| 10 | +class Metasploit3 < Msf::Auxiliary |
| 11 | + |
| 12 | + # Exploit mixins should be called first |
| 13 | + include Msf::Exploit::Remote::HttpClient |
| 14 | + # Scanner mixin should be near last |
| 15 | + include Msf::Auxiliary::Scanner |
| 16 | + |
| 17 | + def initialize |
| 18 | + super( |
| 19 | + 'Name' => 'HTTP SSL/TLS Version Detection (POODLE scanner)', |
| 20 | + 'Description' => %q{ |
| 21 | + Check if an HTTP server supports a given version of SSL/TLS. |
| 22 | +
|
| 23 | + If a web server can successfully establish an SSLv3 session, it is |
| 24 | + likely to be vulnerable to the POODLE attack described on |
| 25 | + October 14, 2014, as a patch against the attack is unlikely. |
| 26 | + }, |
| 27 | + 'Author' => 'todb', |
| 28 | + 'License' => MSF_LICENSE, |
| 29 | + 'DefaultOptions' => |
| 30 | + { |
| 31 | + 'SSL' => true, |
| 32 | + 'RPORT' => 443, |
| 33 | + 'SSLVersion' => 'SSL3' |
| 34 | + }, |
| 35 | + 'References' => |
| 36 | + [ |
| 37 | + [ 'URL', 'http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html'], |
| 38 | + [ 'OSVDB', '113251'], |
| 39 | + [ 'CVE', '2014-3566'] |
| 40 | + ], |
| 41 | + 'DisclosureDate' => 'Oct 14 2014' |
| 42 | + ) |
| 43 | + |
| 44 | + register_options( |
| 45 | + [ |
| 46 | + OptEnum.new('SSLVersion', [true, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]) |
| 47 | + ] |
| 48 | + ) |
| 49 | + |
| 50 | + end |
| 51 | + |
| 52 | + # Fingerprint a single host |
| 53 | + def run_host(ip) |
| 54 | + begin |
| 55 | + connect |
| 56 | + res = send_request_raw({ 'uri' => '/', 'method' => 'GET' }) |
| 57 | + fp = http_fingerprint(:response => res) |
| 58 | + if fp |
| 59 | + vprint_status("#{peer} connected and fingerprinted: #{fp}") |
| 60 | + # TODO: Interrogate the connection itself to see what version |
| 61 | + # was used. Where that actually lives is eluding me. :/ |
| 62 | + if datastore['SSLVersion'] == 'SSL3' |
| 63 | + print_good("#{peer} accepts SSLv3") |
| 64 | + report_poodle_vuln(ip) |
| 65 | + end |
| 66 | + end |
| 67 | + rescue ::OpenSSL::SSL::SSLError => e |
| 68 | + ssl_version = e.message.match(/ state=([^\s]+)/)[1] |
| 69 | + vprint_status("#{peer} does not accept #{ssl_version}") |
| 70 | + rescue ::Timeout::Error, ::Errno::EPIPE |
| 71 | + ensure |
| 72 | + disconnect |
| 73 | + end |
| 74 | + end |
| 75 | + |
| 76 | + def report_poodle_vuln(ip) |
| 77 | + report_vuln( |
| 78 | + :host => ip, |
| 79 | + :port => rport, |
| 80 | + :proto => 'tcp', |
| 81 | + :name => self.name, |
| 82 | + :info => "Module #{self.fullname} confirmed SSLv3 is available", |
| 83 | + :refs => self.references, |
| 84 | + :exploited_at => Time.now.utc |
| 85 | + ) |
| 86 | + end |
| 87 | + |
| 88 | +end |
0 commit comments