Upgrade OpenSSL
#! /usr/bin/env ruby
require 'pp'
require 'yaml'
require 'net/ssh'
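class PuppetHost
  # One host reachable over ssh. Every check runs remotely through ssh in
  # BatchMode with a 5 s connect timeout, so an unreachable host is reported
  # (nil / a message on stdout) instead of raising.
  #
  # NOTE(review): StrictHostKeyChecking=no accepts whatever host key the peer
  # presents, so a spoofed host could answer these checks (and receive the
  # sudo'd puppet run). Keep known_hosts populated, or use a stricter setting
  # where the fleet's OpenSSH supports one.
  SSH_CMD = %w[ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5].freeze

  # Puppet manifest applied by #update_openssl; it is fed to `puppet apply`
  # on stdin, so no shell quoting of the quotes inside it is needed.
  UPDATE_MANIFEST = 'if $::osfamily == "Debian" { package { ["openssl", "libssl1.0.0"]: ensure => latest } } elsif $::osfamily == "RedHat" { package { openssl: ensure => latest } }'.freeze

  # @param host [String] ssh destination (host or user@host) as listed in list.txt
  def initialize(host)
    @host = host
  end

  # @return [String] the destination this object was built with
  def name
    @host
  end

  # Runs `openssl version -a` on the host.
  # @return [String, nil] the command output, or nil (after a message on
  #   stdout) when ssh or the remote command exits non-zero
  def get_openssl_output
    output, status = run_remote('openssl version -a')
    return output if status.success?

    puts "unable to access host!"
    nil
  end

  # Applies UPDATE_MANIFEST on the host with `sudo puppet apply -v` and
  # prints puppet's output.
  # @return [nil]
  def update_openssl
    output, _status = run_remote('sudo puppet apply -v', stdin: UPDATE_MANIFEST)
    puts output
  end

  # @return [Boolean, nil] true when the host's OpenSSL build is not one of
  #   the builds this script treats as fixed, false when it is, nil when the
  #   host could not be reached
  def is_vulnerable?
    self.class.vulnerable_output?(get_openssl_output)
  end

  # Classifies `openssl version -a` output. Only 0.9.8, 1.0.1g and a 1.0.1e
  # built on Apr 8 2014 (a distribution rebuild) count as fixed; every other
  # version string -- including versions this check does not know about --
  # is reported as vulnerable, so an unknown build errs towards a re-check.
  # @param output [String, nil] output of `openssl version -a`
  # @return [Boolean, nil] nil when output is nil
  def self.vulnerable_output?(output)
    return nil if output.nil?
    return false if output =~ /OpenSSL 0\.9\.8/
    return false if output =~ /OpenSSL\s+1\.0\.1g/

    if output =~ /OpenSSL\s+1\.0\.1e/
      # the rebuild date is the only thing distinguishing a patched 1.0.1e
      !(output =~ /built\s+on:.*\s+Apr\s+8.*2014/)
    else
      true
    end
  end

  # Lists the processes on the host that still map a deleted libssl or
  # libcrypto (lsof flags those mappings "DEL"), i.e. the ones that need a
  # restart after the library upgrade. Prints the list when it is non-empty.
  # @return [Array<String>] unique process names (first lsof column)
  def to_bounce
    # -t requests a tty (sudo may need one on the host; stdin is left
    # inherited for the same reason), -q hides ssh's tty warning.
    output, _status = run_remote('sudo /usr/sbin/lsof -Pn', extra_opts: %w[-tq])
    names = output.split("\n")
                  .select { |line| line =~ /DEL.*lib(crypto|ssl)/ }
                  .map { |line| line.split(' ').first.delete('"') }
                  .uniq
    pp names unless names.empty?
    names
  end

  private

  # Runs a command on the host through ssh using the argv form of IO.popen,
  # so the host name is never handed to a local shell: a name containing
  # shell metacharacters cannot break the command or inject another one.
  # @param remote_cmd [String] command line executed by the remote shell
  # @param stdin [String, nil] data written to the remote command's stdin;
  #   when nil the parent's stdin is inherited
  # @param extra_opts [Array<String>] extra ssh options placed before the host
  # @return [Array(String, Process::Status)] captured stdout and exit status
  def run_remote(remote_cmd, stdin: nil, extra_opts: [])
    argv = SSH_CMD + extra_opts + [@host.to_s, remote_cmd]
    mode = stdin ? 'r+' : 'r'
    output = IO.popen(argv, mode) do |io|
      if stdin
        io.write(stdin)
        io.close_write
      end
      io.read
    end
    [output, $?]
  end
end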
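class NodeCache
  # Persists the hosts already classified as patched (good.yaml) and still
  # vulnerable (bad.yaml) in the current directory, so an interrupted run can
  # resume. Each file holds a plain YAML array of host strings and nothing
  # else is ever written, so they are read back with YAML.safe_load.
  attr_reader :good_yaml, :bad_yaml, :good, :bad

  def initialize
    @good_yaml = 'good.yaml'
    @bad_yaml = 'bad.yaml'
    @good = load_list(@good_yaml)
    @bad = load_list(@bad_yaml)
  end

  # @param host [String]
  # @return [Array<String>] the good list
  def append_good(host)
    @good << host
  end

  # Removes every occurrence of host from the good list.
  # @return [Array<String>, nil] nil when nothing was removed (Array#reject!)
  def remove_good(host)
    @good.reject! { |g| g == host }
  end

  # @param host [String]
  # @return [Array<String>] the bad list
  def append_bad(host)
    @bad << host
  end

  # Removes every occurrence of host from the bad list.
  # @return [Array<String>, nil] nil when nothing was removed (Array#reject!)
  def remove_bad(host)
    @bad.reject! { |g| g == host }
  end

  # Sorts and de-duplicates both lists in place (the arrays keep their
  # identity for callers that hold them), then rewrites both files.
  def write
    @bad.sort!
    @bad.uniq!
    @good.sort!
    @good.uniq!
    File.write(@good_yaml, @good.to_yaml)
    File.write(@bad_yaml, @bad.to_yaml)
  end

  private

  # Reads one list file. A missing, empty or non-array file yields [] so the
  # append/remove methods always have an Array to work on.
  # @param path [String]
  # @return [Array<String>]
  def load_list(path)
    return [] unless File.exist?(path)

    Array(YAML.safe_load(File.read(path)))
  end
end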
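# Hosts to check, one per line in list.txt in the current directory. Blank
# and whitespace-only lines are skipped, and the file is closed once read
# (File.open without a block left the handle open until GC).
# @return [Array<String>] host names with surrounding whitespace removed
def host_list
  File.readlines('list.txt').map(&:strip).reject(&:empty?)
end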
# Top-level cache instance; only the file-existence check at the bottom of
# the script reads it (top-level locals are not visible inside the `def`s
# below, which each build their own NodeCache).
cache = NodeCache.new
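# Classifies every host in list.txt into the good or bad cache, writing the
# cache after each host so an interrupted run keeps what it has done so far.
# Unreachable hosts (nil from #is_vulnerable?) are reported and left out of
# both lists.
def update_cache
  cache = NodeCache.new
  host_list.each do |d|
    puts "checking on #{d}"
    host = PuppetHost.new(d)
    case host.is_vulnerable?
    when nil
      # host.name, not host: PuppetHost has no to_s, so interpolating the
      # object printed "#<PuppetHost:0x...>" instead of the host name
      puts "FUCK! No Access!!! #{host.name}"
    when false
      cache.append_good d
    else
      cache.append_bad d
    end
    cache.write
  end
end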
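# Re-tests every host currently in the bad list and moves the ones that now
# report a fixed OpenSSL to the good list; hosts that still look vulnerable
# stay where they are. Iterates over a copy because remove_bad mutates the
# list being walked (Array#reject! during #each skips elements).
def recheck
  puts "re-checking hosts"
  cache = NodeCache.new
  cache.bad.dup.each do |b|
    host = PuppetHost.new(b)
    puts host.name
    case host.is_vulnerable?
    when nil
      puts "FUCK! No Access!!! #{host.name}"
    when false
      cache.remove_bad b
      cache.append_good b
    end
    cache.write
  end
end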
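# Prints, for every host in list.txt, the processes that still hold a
# deleted libssl/libcrypto open and therefore need a restart (see
# PuppetHost#to_bounce). The cache is not consulted here.
def bounce
  host_list.each do |d|
    puts "checking for bounces on #{d}"
    PuppetHost.new(d).to_bounce
  end
end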
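# Build the cache on the first run (either cache file missing), then report
# the processes that need a restart. `recheck` is left for manual use.
unless File.exist?(cache.good_yaml) && File.exist?(cache.bad_yaml)
  update_cache
end
# recheck
bounce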