Adds SSL support to the postgres_login module

Author: cgranleese-r7

lib/metasploit/framework/login_scanner/postgres.rb

@@ -1,4 +1,6 @@
 require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+require 'metasploit/framework/tcp/client'
 require 'postgres_msf'
 
 module Metasploit
@@ -10,6 +12,8 @@ module LoginScanner
       # and attempting them. It then saves the results.
       class Postgres
         include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Tcp::Client
 
         # @returns [Boolean] If a login is successful and this attribute is true - a Msf::Db::PostgresPR::Connection instance is used as proof,
         #   and the socket is not immediately closed
@@ -45,7 +49,14 @@ def attempt_login(credential)
           pg_conn = nil
 
           begin
-            pg_conn = Msf::Db::PostgresPR::Connection.new(db_name,credential.public,credential.private,uri,proxies)
+            pg_conn = Msf::Db::PostgresPR::Connection.new(
+              db_name,
+              credential.public,
+              credential.private,
+              uri,
+              proxies,
+              ssl
+            )
           rescue ::RuntimeError => e
             case e.to_s.split("\t")[1]
               when "C3D000"

lib/metasploit/framework/tcp/client.rb

@@ -80,6 +80,11 @@ def connect(global = true, opts={})
             dossl = ssl
           end
 
+        # For Postgres, always connect with SSL disabled; SSL is enabled after the initial connection is made
+        if defined?(self) && self.class.name =~ /Postgres/
+          dossl = false
+        end
+
           nsock = Rex::Socket::Tcp.create(
               'PeerHost'      =>  opts['RHOST'] || rhost,
               'PeerHostname'  =>  opts['SSLServerNameIndication'] || opts['RHOSTNAME'],

lib/msf/core/exploit/remote/postgres.rb

@@ -12,7 +12,9 @@ module Exploit::Remote::Postgres
 
   require 'postgres_msf'
   require 'base64'
+  require 'metasploit/framework/tcp/client'
   include Msf::Db::PostgresPR
+  include Exploit::Remote::Tcp
 
   # @!attribute [rw] postgres_conn
   #   @return [::Msf::Db::PostgresPR::Connection]

lib/postgres/postgres-pr/connection.rb

@@ -56,12 +56,12 @@ def transaction_status
     end
   end
 
-  def initialize(database, user, password=nil, uri = nil, proxies = nil)
+  def initialize(database, user, password=nil, uri = nil, proxies = nil, ssl = nil)
     uri ||= DEFAULT_URI
 
     @transaction_status = nil
     @params = { 'username' => user, 'database' => database }
-    establish_connection(uri, proxies)
+    establish_connection(uri, proxies, ssl)
 
     # Check if the password supplied is a Postgres-style md5 hash
     md5_hash_match = password.match(/^md5([a-f0-9]{32})$/)
@@ -343,16 +343,33 @@ def handle_server_error_message(server_error_message)
 
   # tcp://localhost:5432
   # unix:/tmp/.s.PGSQL.5432
-  def establish_connection(uri, proxies)
+  def establish_connection(uri, proxies, ssl = nil)
     u = URI.parse(uri)
     case u.scheme
     when 'tcp'
       @conn = Rex::Socket.create(
-      'PeerHost' => (u.host || DEFAULT_HOST).gsub(/[\[\]]/, ''),  # Strip any brackets off (IPv6)
-      'PeerPort' => (u.port || DEFAULT_PORT),
-      'proto' => 'tcp',
-      'Proxies' => proxies
-    )
+        'PeerHost' => (u.host || DEFAULT_HOST).gsub(/\[|\]/, ''),
+        'PeerPort' => (u.port || DEFAULT_PORT),
+        'proto' => 'tcp',
+        'Proxies' => proxies
+      )
+      if ssl
+        # Send SSLRequest packet
+        ssl_request = [8, 80877103].pack('N2')
+        @conn.write(ssl_request)
+        response = @conn.read(1)
+        if response == 'S'
+          ssl_context = OpenSSL::SSL::SSLContext.new
+          ssl_socket = OpenSSL::SSL::SSLSocket.new(@conn, ssl_context)
+          ssl_socket.sync_close = true
+          ssl_socket.connect
+          @conn = ssl_socket
+        elsif response == 'N'
+          # Server does not support SSL, continue with plain TCP
+        else
+          raise "Unexpected response to SSLRequest: #{response.inspect}"
+        end
+      end
     when 'unix'
       @conn = UNIXSocket.new(u.path)
     else

lib/postgres/postgres-pr/message.rb

@@ -18,6 +18,40 @@ def read_exactly_n_bytes(n)
   end
 end
 
+# Monkeypatch for OpenSSL::SSL::SSLSocket to support read_exactly_n_bytes
+class OpenSSL::SSL::SSLSocket
+  # Reads exactly n bytes from the SSL socket.
+  #
+  # @param n [Integer] The number of bytes to read from the socket.
+  # @return [String] The read bytes. If the socket is closed before reading n bytes, raises EOFError.
+  # @raise [EOFError] If the socket is closed before reading n bytes.
+  def read_exactly_n_bytes(n)
+    buf = read(n)
+    raise EOFError if buf == nil
+    return buf if buf.size == n
+
+    n -= buf.size
+
+    while n > 0
+      str = read(n)
+      raise EOFError if str == nil
+      buf << str
+      n -= str.size
+    end
+    buf
+  end
+
+  # @return [String] The remote IP address that the Mysql server is running on
+  def peerhost
+    io.remote_address.ip_address
+  end
+
+  # @return [Integer] The remote port that the Mysql server is running on
+  def peerport
+    io.remote_address.ip_port
+  end
+end
+
 # Namespace for Metasploit branch.
 module Msf
 module Db

modules/auxiliary/scanner/postgres/postgres_login.rb

@@ -113,8 +113,14 @@ def run_host(ip)
         stop_on_success: datastore['STOP_ON_SUCCESS'],
         bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
         connection_timeout: 30,
+        max_send_size: (datastore['TCP::max_send_size']),
+        send_delay: (datastore['TCP::send_delay']),
         framework: framework,
         framework_module: self,
+        ssl: datastore['SSL'],
+        ssl_version: datastore['SSLVersion'],
+        ssl_verify_mode: datastore['SSLVerifyMode'],
+        ssl_cipher: datastore['SSLCipher'],
         use_client_as_proof: create_session?
       )
     )

spec/lib/metasploit/framework/login_scanner/postgres_spec.rb

@@ -40,7 +40,7 @@
 
     context 'when there is no realm on the credential' do
       it 'uses template1 as the default realm' do
-        expect(Msf::Db::PostgresPR::Connection).to receive(:new).with('template1', 'root', 'toor', 'tcp://:', nil)
+        expect(Msf::Db::PostgresPR::Connection).to receive(:new).with('template1', 'root', 'toor', 'tcp://:', nil, nil)
         login_scanner.attempt_login(cred_no_realm)
       end
     end

spec/lib/msf/core/rhosts_walker_spec.rb

@@ -972,9 +972,9 @@ def create_tempfile(content)
       it 'enumerates postgres schemes' do
         postgres_mod.datastore['RHOSTS'] = 'postgres://postgres:@example.com "postgres://user:a b [email protected]/" "postgres://user:a b [email protected]:9001/database_name"'
         expected = [
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 5432, 'USERNAME' => 'postgres', 'PASSWORD' => '', 'DATABASE' => 'template1' },
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 5432, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'template1' },
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 9001, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'database_name' }
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 5432, 'SSL' => false, 'USERNAME' => 'postgres', 'PASSWORD' => '', 'DATABASE' => 'template1' },
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 5432,'SSL' => false, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'template1' },
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => '192.0.2.2', 'RPORT' => 9001, 'SSL' => false, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'database_name' }
         ]
         expect(each_error_for(postgres_mod)).to be_empty
         expect(each_host_for(postgres_mod)).to have_datastore_values(expected)
@@ -984,9 +984,9 @@ def create_tempfile(content)
         postgres_mod.datastore['RHOSTS'] = 'postgres://postgres:@example.com "postgres://user:a b [email protected]/" "postgres://user:a b [email protected]:9001/database_name"'
         postgres_mod.datastore['PROXIES'] = 'socks5h:198.51.100.1:1080'
         expected = [
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 5432, 'USERNAME' => 'postgres', 'PASSWORD' => '', 'DATABASE' => 'template1' },
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 5432, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'template1' },
-          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 9001, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'database_name' }
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 5432, 'SSL' => false, 'USERNAME' => 'postgres', 'PASSWORD' => '', 'DATABASE' => 'template1' },
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 5432, 'SSL' => false, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'template1' },
+          { 'RHOSTNAME' => 'example.com', 'RHOSTS' => 'example.com', 'RPORT' => 9001, 'SSL' => false, 'USERNAME' => 'user', 'PASSWORD' => 'a b c', 'DATABASE' => 'database_name' }
         ]
         expect(each_error_for(postgres_mod)).to be_empty
         expect(each_host_for(postgres_mod)).to have_datastore_values(expected)