initial OWA 2016 support

busterb · busterb · commit 56c00a8cb6ff · 2018-02-19T21:43:49.000-06:00
diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb
@@ -16,7 +16,7 @@ def initialize
     super(
       'Name'           => 'Outlook Web App (OWA) Brute Force Utility',
       'Description'    => %q{
-        This module tests credentials on OWA 2003, 2007, 2010, and 2013 servers.
+        This module tests credentials on OWA 2003, 2007, 2010, 2013, and 2016 servers.
       },
       'Author'         =>
         [
@@ -68,6 +68,15 @@ def initialize
               'InboxPath'   => '/owa/',
               'InboxCheck'  => /Inbox|logoff\.owa/
             }
+          ],
+          [
+            'OWA_2016',
+            {
+              'Description' => 'OWA version 2016',
+              'AuthPath'    => '/owa/auth.owa',
+              'InboxPath'   => '/owa/',
+              'InboxCheck'  => /Inbox|logoff\.owa/
+            }
           ]
         ],
       'DefaultAction' => 'OWA_2013',
@@ -158,13 +167,13 @@ def try_user_pass(opts)
     }
 
     if datastore['SSL']
-      if action.name == "OWA_2013"
+      if ["OWA_2013", "OWA_2016"].include?(action.name)
         data = 'destination=https://' << vhost << '/owa&flags=4&forcedownlevel=0&username=' << user << '&password=' << pass << '&isUtf8=1'
       else
         data = 'destination=https://' << vhost << '&flags=0&trusted=0&username=' << user << '&password=' << pass
       end
     else
-      if action.name == "OWA_2013"
+      if ["OWA_2013", "OWA_2016"].include?(action.name)
         data = 'destination=http://' << vhost << '/owa&flags=4&forcedownlevel=0&username=' << user << '&password=' << pass << '&isUtf8=1'
       else
         data = 'destination=http://' << vhost << '&flags=0&trusted=0&username=' << user << '&password=' << pass
@@ -201,12 +210,12 @@ def try_user_pass(opts)
       vprint_status("#{msg} Resolved hostname '#{datastore['RHOST']}' to address #{res.peerinfo['addr']}")
     end
 
-    if action.name != "OWA_2013" and res.get_cookies.empty?
+    if !["OWA_2013", "OWA_2016"].include?(action.name) && res.get_cookies.empty?
         print_error("#{msg} Received invalid repsonse due to a missing cookie (possibly due to invalid version), aborting")
         return :abort
     end
-    if action.name == "OWA_2013"
-      # Check for a response code to make sure login was valid. Changes from 2010 to 2013.
+    if ["OWA_2013", "OWA_2016"].include?(action.name)
+      # Check for a response code to make sure login was valid. Changes from 2010 to 2013 / 2016
       # Check if the password needs to be changed.
       if res.headers['location'] =~ /expiredpassword/
         print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}': NOTE password change required")
@@ -222,8 +231,9 @@ def try_user_pass(opts)
 
       # No password change required moving on.
       # Check for valid login but no mailbox setup
-      if res.headers['location'] =~ /owa/ and res.headers['location'] !~ /reason/
-        print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}': NOTE a mailbox is not setup")
+      print_good("server type: #{res.headers["X-FEServer"]}")
+      if res.headers['location'] =~ /owa/
+        print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}'")
         report_cred(
           ip: res.peerinfo['addr'],
           port: datastore['RPORT'],
@@ -235,7 +245,7 @@ def try_user_pass(opts)
       end
 
       unless location = res.headers['location']
-        print_error("#{msg} No HTTP redirect.  This is not OWA 2013, aborting.")
+        print_error("#{msg} No HTTP redirect.  This is not OWA 2013 / 2016 system, aborting.")
         return :abort
       end
       reason = location.split('reason=')[1]
