OWA bruteforce shouldnt edit datastore (@wchen-r7)

This module was written in an era where the defaults for bruteforcing
included a lot of lock-inducing behavior, thus, it was quite serious
about setting datastore options directly. Also, there was apparently a
bug in USER_AS_PASS that this module attempted to avoid by setting the
datastore directly, rather than fixing the bug directly. As far as I
know, this bug has been long since resolved.
bug/bundler_fix
Tod Beardsley 2014-05-23 14:51:08 -05:00
parent dc7ec450da
commit f189033e8a
No known key found for this signature in database
GPG Key ID: 1EFFB682ADB9F193
1 changed files with 0 additions and 19 deletions

View File

@ -93,26 +93,7 @@ class Metasploit3 < Msf::Auxiliary
deregister_options('BLANK_PASSWORDS', 'RHOSTS','PASSWORD','USERNAME') deregister_options('BLANK_PASSWORDS', 'RHOSTS','PASSWORD','USERNAME')
end end
def cleanup
# Restore the original settings
datastore['BLANK_PASSWORDS'] = @blank_passwords_setting
datastore['USER_AS_PASS'] = @user_as_pass_setting
end
def run def run
# Store the original setting
@blank_passwords_setting = datastore['BLANK_PASSWORDS']
# OWA doesn't support blank passwords or usernames!
datastore['BLANK_PASSWORDS'] = false
# If there's a pre-defined username/password, we need to turn off USER_AS_PASS
# so that the module won't just try username:username, and then exit.
@user_as_pass_setting = datastore['USER_AS_PASS']
if not datastore['USERNAME'].nil? and not datastore['PASSWORD'].nil?
print_status("Disabling 'USER_AS_PASS' because you've specified an username/password")
datastore['USER_AS_PASS'] = false
end
vhost = datastore['VHOST'] || datastore['RHOST'] vhost = datastore['VHOST'] || datastore['RHOST']