Land rapid7#9431, Fix owa_login to handle inserting credentials for a hostname

Author: busterb

lib/rex/proto/http/client.rb

@@ -229,6 +229,7 @@ def _send_recv(req, t = -1, persist=false)
     send_request(req, t)
     res = read_response(t)
     res.request = req.to_s if res
+    res.peerinfo = peerinfo if res
     res
   end
 
@@ -628,6 +629,22 @@ def pipelining?
     pipeline
   end
 
+  #
+  # Target host addr and port for this connection
+  #
+  def peerinfo
+    if self.conn
+      pi = self.conn.peerinfo || nil
+      if pi
+        return {
+          'addr' => pi.split(':')[0],
+          'port' => pi.split(':')[1].to_i
+        }
+      end
+    end
+    nil
+  end
+
   #
   # The client request configuration
   #

lib/rex/proto/http/response.rb

@@ -238,6 +238,10 @@ def cmd_string
   #
   attr_accessor :request
 
+  #
+  # Host address:port associated with this request/response
+  #
+  attr_accessor :peerinfo
 
   attr_accessor :code
   attr_accessor :message

modules/auxiliary/scanner/http/owa_login.rb

@@ -197,6 +197,10 @@ def try_user_pass(opts)
       return
     end
 
+    if res.peerinfo['addr'] != datastore['RHOST']
+      vprint_status("#{msg} Resolved hostname '#{datastore['RHOST']}' to address #{res.peerinfo['addr']}")
+    end
+
     if action.name != "OWA_2013" and res.get_cookies.empty?
         print_error("#{msg} Received invalid repsonse due to a missing cookie (possibly due to invalid version), aborting")
         return :abort
@@ -207,7 +211,7 @@ def try_user_pass(opts)
       if res.headers['location'] =~ /expiredpassword/
         print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}': NOTE password change required")
         report_cred(
-          ip: datastore['RHOST'],
+          ip: res.peerinfo['addr'],
           port: datastore['RPORT'],
           service_name: 'owa',
           user: user,
@@ -221,7 +225,7 @@ def try_user_pass(opts)
       if res.headers['location'] =~ /owa/ and res.headers['location'] !~ /reason/
         print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}': NOTE a mailbox is not setup")
         report_cred(
-          ip: datastore['RHOST'],
+          ip: res.peerinfo['addr'],
           port: datastore['RPORT'],
           service_name: 'owa',
           user: user,
@@ -241,7 +245,7 @@ def try_user_pass(opts)
         # Login didn't work. no point in going on, however, check if valid domain account by response time.
         if elapsed_time <= 1
           report_cred(
-            ip: datastore['RHOST'],
+            ip: res.peerinfo['addr'],
             port: datastore['RPORT'],
             service_name: 'owa',
             user: user
@@ -287,7 +291,7 @@ def try_user_pass(opts)
     if res.redirect?
       if elapsed_time <= 1
         report_cred(
-          ip: datastore['RHOST'],
+          ip: res.peerinfo['addr'],
           port: datastore['RPORT'],
           service_name: 'owa',
           user: user
@@ -303,7 +307,7 @@ def try_user_pass(opts)
     if res.body =~ login_check
       print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}'")
       report_cred(
-        ip: datastore['RHOST'],
+        ip: res.peerinfo['addr'],
         port: datastore['RPORT'],
         service_name: 'owa',
         user: user,
@@ -313,7 +317,7 @@ def try_user_pass(opts)
     else
       if elapsed_time <= 1
         report_cred(
-          ip: datastore['RHOST'],
+          ip: res.peerinfo['addr'],
           port: datastore['RPORT'],
           service_name: 'owa',
           user: user

spec/lib/rex/proto/http/client_spec.rb

@@ -119,6 +119,7 @@ def excuse_needs_auth
     it "should send creds after receiving a 401" do
       conn = double
       allow(conn).to receive(:put)
+      allow(conn).to receive(:peerinfo)
       allow(conn).to receive(:shutdown)
       allow(conn).to receive(:close)
       allow(conn).to receive(:closed?).and_return(false)