
@hugsy
Created February 1, 2015 23:43
Quick'n dirty script to test MS14-066
#!/bin/bash
#
# @_hugsy_
#
# Simple (harmless) script to test if a target is vulnerable to the SChannel memory corruption - MS14-066
#
# It relies on the fact that MS added 4 new cipher suites in the patch:
# TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
# TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
# TLS_RSA_WITH_AES_256_GCM_SHA384
# TLS_RSA_WITH_AES_128_GCM_SHA256
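# A system is *potentially* vulnerable if it doesn't support any of them.
# This is only an indicator: the suites can also be unavailable because of
# server-side cipher configuration or a TLS-terminating device in front of
# the host, so confirm the patch level on the machine itself.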
#
# Refs:
# https://technet.microsoft.com/library/security/ms14-066
# https://support.microsoft.com/kb/2992611
#
# set -x
# Exactly one positional argument is expected: the target as vhost:port.
[[ $# -eq 1 ]] || {
  printf 'Usage: %s vhost:port\n' "$0"
  printf 'Example: %s bing.com:443\n' "$0"
  exit 1
}

# Target endpoint; read as a global by is_iis() and connect().
host="$1"
# Counter of probed cipher suites for which no cipher was negotiated;
# incremented by connect().
n=0
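# Fingerprint the target's web server from the "Server:" header of an HTTPS
# HEAD response and stop the script unless it identifies itself as IIS.
#
# Globals:   host (read) - target as vhost:port
# Outputs:   "[+] Server is IIS version: <product/version>" on stdout when the
#            header matches, otherwise a "[-]" message
# Exits:     1 (whole script) when the headers cannot be fetched or the
#            Server header is not IIS
#
# The Server header is self-reported and can be removed or rewritten by the
# server or by a proxy in front of it, so a match is a hint, not proof.
function is_iis() {
  local headers server version
  local rc=0

  # The URL is quoted so a target containing whitespace cannot be split into
  # additional curl arguments.
  headers="$(curl --silent --head "https://${host}")" || rc=$?

  # A failed transfer (DNS, connect, certificate validation, ...) says nothing
  # about the server software, so it is reported separately instead of being
  # presented as "not IIS".
  if [ "${rc}" -ne 0 ] && [ -z "${headers}" ]; then
    echo "[-] Could not retrieve HTTP headers from ${host} (curl exit status ${rc})" >&2
    exit 1
  fi

  # HTTP header lines end in CRLF; the CR is dropped so it does not end up in
  # the printed version string. Only the first matching header is used.
  server="$(printf '%s\n' "${headers}" | tr -d '\r' | grep -i -m 1 '^Server: Microsoft-IIS')"

  if [ -z "${server}" ]; then
    echo "[-] Server is *not* IIS"
    exit 1
  fi

  # Second space-separated field of the header line, e.g. "Microsoft-IIS/<ver>".
  version="$(printf '%s\n' "${server}" | cut -d ' ' -f 2)"
  echo "[+] Server is IIS version: ${version}"
}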
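# Attempt a TLS handshake with the target while offering a single cipher suite
# and record whether no cipher was negotiated.
#
# Globals:   host (read)  - target as vhost:port
#            n (written)  - incremented when the output reports no cipher
# Arguments: $1 - cipher suite name in OpenSSL notation
# Returns:   0 after a completed probe
# Exits:     1 (whole script) when the endpoint does not answer with SSL/TLS
#
# NOTE(review): "Cipher is (NONE)" only says that no cipher ended up
# negotiated. A handshake aborted for another reason (for example a
# certificate rejected because of -verify_return_error) is presumably counted
# the same way as an unsupported suite - confirm before trusting a positive.
# NOTE(review): an unreachable host or a local openssl that rejects the suite
# name would presumably print neither marker and so count as "supported" -
# verify against the openssl build in use.
function connect() {
  local cipher="$1"
  local req

  # Expansions are quoted so neither the suite name nor the target can be
  # split into additional openssl arguments. "Q" on stdin makes s_client quit
  # once the handshake attempt is over.
  req="$(echo Q | openssl s_client -verify_return_error -cipher "${cipher}" -connect "${host}" 2>&1)"

  # check if it's ssl first
  # NOTE(review): this error text is matched literally; other openssl versions
  # may word a non-TLS answer differently - confirm.
  if grep -q 'SSL23_GET_SERVER_HELLO:unknown protocol' <<<"${req}"; then
    echo "[-] ${host} does not appear to speak SSL/TLS" >&2
    exit 1
  fi

  # check for new cipher
  if grep -q 'Cipher is (NONE)' <<<"${req}"; then
    n=$((n + 1))
  fi

  return 0
}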
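# Stop early unless the target identifies itself as IIS.
is_iis

# Probe the four cipher suites named in the header comment (OpenSSL notation).
# connect() increments n for every suite for which no cipher was negotiated.
for c in DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-GCM-SHA256; do
  connect "$c"
done

# The verdict rests on cipher-suite support alone, so the positive case is
# worded as "potentially" vulnerable, as the header comment already states:
# missing suites can also come from server-side cipher configuration.
case "$n" in
  4) echo "[+] ${host} is *potentially* vulnerable (none of the 4 cipher suites added by the patch was negotiated)" ;;
  *) echo "[-] ${host} is not vulnerable" ;;
esac
exit 0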