
Respect SSLCipher in server mixins

This allows us to set a sane cipher spec for SSL-enabled server modules.
Adam Cammack 3 years ago
parent
commit
fda4c62c1f

+ 12
- 24
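--- a/lib/msf/core/exploit/browser_autopwn2.rb
+++ b/lib/msf/core/exploit/browser_autopwn2.rb
@@ -130,16 +130,12 @@ module Msf
       xploit.datastore['PAYLOAD']     = p.first[:payload_name]
       xploit.datastore['LPORT']       = p.first[:payload_lport]
       xploit.datastore['SRVHOST']     = datastore['SRVHOST']
-      xploit.datastore['JsObfuscate'] = datastore['JsObfuscate'] if datastore['JsObfuscate']
-      xploit.datastore['CookieName']  = datastore['CookieName'] if datastore['CookieName']
-      xploit.datastore['VERBOSE']     = datastore['VERBOSE'] if datastore['VERBOSE']
-      xploit.datastore['Retries']     = datastore['Retries'] if datastore['Retries']
-      xploit.datastore['SSL']         = datastore['SSL'] if datastore['SSL']
-      xploit.datastore['SSLVersion']  = datastore['SSLVersion'] if datastore['SSLVersion']
-      xploit.datastore['URIHOST']     = datastore['URIHOST'] if datastore['URIHOST']
-      xploit.datastore['URIPORT']     = datastore['URIPORT'] if datastore['URIPORT']
       xploit.datastore['LHOST']       = get_payload_lhost
 
+      %w(JsObfuscate CookieName VERBOSE Retries SSL SSLVersion SSLCipher URIHOST URIPORT).each do |opt|
+        xploit.datastore[opt] = datastore[opt] if datastore[opt]
+      end
+
       # Set options only configurable by BAP.
       xploit.datastore['DisablePayloadHandler'] = true
       xploit.datastore['BrowserProfilePrefix']  = browser_profile_prefix
@@ -325,22 +321,14 @@ module Msf
         multi_handler.datastore['LHOST']                = get_payload_lhost
         multi_handler.datastore['PAYLOAD']              = payload_name
         multi_handler.datastore['LPORT']                = wanted[:payload_lport]
-        multi_handler.datastore['DebugOptions']         = datastore['DebugOptions'] if datastore['DebugOptions']
-        multi_handler.datastore['AutoLoadAndroid']      = datastore['AutoLoadAndroid'] if datastore['AutoLoadAndroid']
-        multi_handler.datastore['PrependMigrate']       = datastore['PrependMigrate'] if datastore['PrependMigrate']
-        multi_handler.datastore['PrependMigrateProc']   = datastore['PrependMigrateProc'] if datastore['PrependMigrateProc']
-        multi_handler.datastore['InitialAutoRunScript'] = datastore['InitialAutoRunScript'] if datastore['InitialAutoRunScript']
-        multi_handler.datastore['AutoRunScript']        = datastore['AutoRunScript'] if datastore['AutoRunScript']
-        multi_handler.datastore['CAMPAIGN_ID']          = datastore['CAMPAIGN_ID'] if datastore['CAMPAIGN_ID']
-        multi_handler.datastore['HandlerSSLCert']       = datastore['HandlerSSLCert'] if datastore['HandlerSSLCert']
-        multi_handler.datastore['StagerVerifySSLCert']  = datastore['StagerVerifySSLCert'] if datastore['StagerVerifySSLCert']
-        multi_handler.datastore['PayloadUUIDTracking']  = datastore['PayloadUUIDTracking'] if datastore['PayloadUUIDTracking']
-        multi_handler.datastore['PayloadUUIDName']      = datastore['PayloadUUIDName'] if datastore['PayloadUUIDName']
-        multi_handler.datastore['IgnoreUnknownPayloads'] = datastore['IgnoreUnknownPayloads'] if datastore['IgnoreUnknownPayloads']
-        multi_handler.datastore['SessionRetryTotal']     = datastore['SessionRetryTotal'] if datastore['SessionRetryTotal']
-        multi_handler.datastore['SessionRetryWait']      = datastore['SessionRetryWait'] if datastore['SessionRetryWait']
-        multi_handler.datastore['SessionExpirationTimeout'] = datastore['SessionExpirationTimeout'] if datastore['SessionExpirationTimeout']
-        multi_handler.datastore['SessionCommunicationTimeout'] = datastore['SessionCommunicationTimeout'] if datastore['SessionCommunicationTimeout']
+
+        %w(DebugOptions AutoLoadAndroid PrependMigrate PrependMigrateProc
+           InitialAutoRunScript AutoRunScript CAMPAIGN_ID HandlerSSLCert
+           StagerVerifySSLCert PayloadUUIDTracking PayloadUUIDName
+           IgnoreUnknownPayloads SessionRetryTotal SessionRetryWait
+           SessionExpirationTimeout SessionCommunicationTimeout).each do |opt|
+          multi_handler.datastore[opt] = datastore[opt] if datastore[opt]
+        end
 
         # Configurable only by BAP
         multi_handler.datastore['ExitOnSession'] = false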
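Review bot: Both new `%w(...)` passthrough lists are inline literals inside method bodies, so the set of BAP options forwarded to a child exploit (first hunk) and to the handler (second hunk) is only discoverable by reading each loop; lifting each list into a frozen module-level constant (for example `HANDLER_PASSTHROUGH_OPTIONS = %w(...).freeze`, name constructed here) would make that contract reviewable in one place and avoid the list drifting between the two sites. The `if datastore[opt]` guard in each loop only copies truthy values, so a BAP operator setting SSL or VERBOSE to false cannot override the child's own default; that is pre-existing behaviour, but a one-line comment on the loop, `# only truthy values override the child module's defaults`, would stop the next reader from reading it as a full sync. Both enclosing methods start and end outside the hunks.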

+ 2
- 1
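--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -144,7 +144,8 @@ module Exploit::Remote::HttpServer
       },
       opts['Comm'],
       datastore['SSLCert'],
-      datastore['SSLCompression']
+      datastore['SSLCompression'],
+      datastore['SSLCipher']
     )
 
     self.service.server_name = datastore['HTTP::server_name']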
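Review bot: `datastore['SSLCipher']` is appended as the eighth positional argument of a constructor call whose receiver and earlier arguments open above the hunk, so its correctness rests entirely on the position matching the new trailing `ssl_cipher = nil` slot in `Rex::Proto::Http::Server#initialize`; a misplaced argument would bind the cipher string to another SSL setting with no type error. A short comment on the line, `# positional: must stay aligned with Rex::Proto::Http::Server#initialize`, would make that coupling visible to whoever next extends the list, and passing the SSL options by keyword once the constructor accepts them would remove it. The enclosing method starts outside the hunk.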

+ 10
- 1
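--- a/lib/msf/core/exploit/tcp_server.rb
+++ b/lib/msf/core/exploit/tcp_server.rb
@@ -28,7 +28,8 @@ module Exploit::Remote::TcpServer
     register_advanced_options(
       [
         OptString.new('ListenerComm', [ false, 'The specific communication channel to use for this service']),
-        OptBool.new('SSLCompression', [ false, 'Enable SSL/TLS-level compression', false ])
+        OptBool.new('SSLCompression', [ false, 'Enable SSL/TLS-level compression', false ]),
+        OptString.new('SSLCipher',    [ false, 'String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"'])
       ], Msf::Exploit::Remote::TcpServer)
 
     register_evasion_options(
@@ -108,6 +109,7 @@ module Exploit::Remote::TcpServer
         'LocalPort' => srvport,
         'SSL'       => ssl,
         'SSLCert'   => ssl_cert,
+        'SSLCipher'   => ssl_cipher,
         'SSLCompression' => ssl_compression,
         'Comm'      => comm,
         'Context'   =>
@@ -195,6 +197,13 @@ module Exploit::Remote::TcpServer
     datastore['SSLCert']
   end
 
+  #
+  # Returns the SSLCipher option
+  #
+  def ssl_cipher
+    datastore['SSLCipher']
+  end
+
   # @return [Bool] enable SSL/TLS-level compression
   def ssl_compression
     datastore['SSLCompression']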
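Review bot: The help text on the new `OptString.new('SSLCipher', ...)` line in the first hunk offers "ADH" as an example; anonymous Diffie-Hellman suites perform no certificate authentication, so the description steers operators toward a configuration that makes the SSLCert option meaningless, and the commit message's goal of a "sane cipher spec" argues for not advertising it. Suggest `'OpenSSL cipher-list string applied to the listener, e.g. "DHE-RSA-AES256-SHA"; unset keeps the library default'`, which also tells the operator the syntax, since the value is not validated here and an unmatched list only fails later when applied to the SSL context. In the second hunk `'SSLCipher'   => ssl_cipher,` has three spaces before `=>` while its neighbours use single-space or column alignment; `'SSLCipher' => ssl_cipher,` matches the form used in the rex/proto/http/server.rb hunk of this same commit. The `ssl_cipher` reader in the third hunk is complete; its YARD-less `#` banner could follow the `# @return [String, nil]` style of `ssl_compression` directly below it.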

+ 8
- 4
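--- a/lib/rex/proto/http/server.rb
+++ b/lib/rex/proto/http/server.rb
@@ -99,7 +99,9 @@ class Server
   # Initializes an HTTP server as listening on the provided port and
   # hostname.
   #
-  def initialize(port = 80, listen_host = '0.0.0.0', ssl = false, context = {}, comm = nil, ssl_cert = nil, ssl_compression = false)
+  def initialize(port = 80, listen_host = '0.0.0.0', ssl = false, context = {},
+                 comm = nil, ssl_cert = nil, ssl_compression = false,
+                 ssl_cipher = nil)
     self.listen_host     = listen_host
     self.listen_port     = port
     self.ssl             = ssl
@@ -107,6 +109,7 @@ class Server
     self.comm            = comm
     self.ssl_cert        = ssl_cert
     self.ssl_compression = ssl_compression
+    self.ssl_cipher      = ssl_cipher
     self.listener        = nil
     self.resources       = {}
     self.server_name     = DefaultServer
@@ -143,9 +146,10 @@ class Server
       'LocalHost' => self.listen_host,
       'LocalPort' => self.listen_port,
       'Context'   => self.context,
-      'SSL'		=> self.ssl,
-      'SSLCert'	=> self.ssl_cert,
+      'SSL'       => self.ssl,
+      'SSLCert'   => self.ssl_cert,
       'SSLCompression' => self.ssl_compression,
+      'SSLCipher' => self.ssl_cipher,
       'Comm'      => self.comm
     )
 
@@ -269,7 +273,7 @@ class Server
   end
 
   attr_accessor :listen_port, :listen_host, :server_name, :context, :comm
-  attr_accessor :ssl, :ssl_cert, :ssl_compression
+  attr_accessor :ssl, :ssl_cert, :ssl_compression, :ssl_cipher
   attr_accessor :listener, :resources
 
 protected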
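Review bot: The comment block above `def initialize` in the first hunk still says nothing about `ssl_cipher`, the parameter this commit adds, nor about the seven other positional parameters a caller has to count through; add at least `# @param ssl_cipher [String, nil] OpenSSL cipher-list string applied to the listener's SSL context; nil keeps the library default`, and ideally a `@param` line for each of the others. The retab of the `'SSL'` and `'SSLCert'` entries in the third hunk is whitespace-only churn mixed into a functional change and would read more cleanly as its own commit. The constructor body continues past the second hunk.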

+ 4
- 0
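--- a/lib/rex/socket/ssl_tcp_server.rb
+++ b/lib/rex/socket/ssl_tcp_server.rb
@@ -183,6 +183,10 @@ module Rex::Socket::SslTcpServer
     ctx.extra_chain_cert = chain
     ctx.options = 0
 
+    if params.ssl_cipher
+      ctx.ciphers = params.ssl_cipher
+    end
+
     # Older versions of OpenSSL do not export the OP_NO_COMPRESSION symbol
     if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
       # enable/disable the SSL/TLS-level compression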
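Review bot: `params.ssl_cipher` at the new guard assumes `Rex::Socket::Parameters` already exposes an `ssl_cipher` reader, yet that class is not touched by this commit; if the accessor does not exist every SSL listener would fail with NoMethodError before reaching the cipher check, so this should be confirmed against the Parameters class. Separately, `OpenSSL::SSL::SSLContext#ciphers=` raises `OpenSSL::SSL::SSLError` when nothing in the list matches, which means a typo in the operator-supplied SSLCipher value surfaces as a bare OpenSSL exception at listener start with no mention of the option that caused it; rescuing there and re-raising with the option name makes the failure actionable. If no wrapping is wanted, the modifier form `ctx.ciphers = params.ssl_cipher if params.ssl_cipher` is the idiomatic single line. The enclosing method starts and ends outside the hunk.
```ruby
    if params.ssl_cipher
      begin
        ctx.ciphers = params.ssl_cipher
      rescue OpenSSL::SSL::SSLError => e
        raise ArgumentError, "SSLCipher: #{e.message}"
      end
    end
    # … unchanged: OP_NO_COMPRESSION handling …
```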
