Commit 714fd0b

author
Tod Beardsley
committed
Incorporate @jhart-r7's better fix
2 parents 9c028c1 + ba5035c commit 714fd0b

1 file changed

+20
-13
lines changed

1 file changed

+20
-13
lines changed

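--- a/modules/auxiliary/scanner/http/owa_login.rb
+++ b/modules/auxiliary/scanner/http/owa_login.rb
@@ -204,24 +204,31 @@ def try_user_pass(opts)
 end
 
 #No password change required moving on.
-reason = res.headers['location'].split('reason=')[1]
+unless location = res.headers['location']
+print_error("#{msg} No HTTP redirect. This is not OWA 2013, aborting.")
+return :abort
+end
+reason = location.split('reason=')[1]
 if reason == nil
 headers['Cookie'] = 'PBack=0;' << res.get_cookies
 else
 #Login didn't work. no point on going on.
-vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}'")
+vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' (HTTP redirect with reason #{reason})")
 return :Skip_pass
 end
 else
 # The authentication info is in the cookies on this response
 cookies = res.get_cookies
-sessionid_value = cookies.split('sessionid=')[1]
-sessionid_value = sessionid_value.to_s.split('; ')[0]
-sessionid_header = "sessionid=#{sessionid_value}"
-cadata_value = cookies.split('cadata=')[1]
-cadata_value = cadata_value.to_s.split('; ')[0]
-cadata_header = "cadata=#{cadata_value}"
-headers['Cookie'] = 'PBack=0; ' << sessionid_header << '; ' << cadata_header
+cookie_header = 'PBack=0'
+%w(sessionid cadata).each do |necessary_cookie|
+if cookies =~ /#{necessary_cookie}=([^;]+)/
+cookie_header << "; #{Regexp.last_match(1)}"
+else
+print_error("#{msg} Missing #{necessary_cookie} cookie. This is not OWA 2010, aborting")
+return :abort
+end
+end
+headers['Cookie'] = cookie_header
 end
 
 begin
@@ -240,8 +247,8 @@ def try_user_pass(opts)
 return :abort
 end
 
-if res.code == 302
-vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}'")
+if res.redirect?
+vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' (response was a #{res.code} redirect)")
 return :skip_pass
 end
 
@@ -260,7 +267,7 @@ def try_user_pass(opts)
 report_auth_info(report_hash)
 return :next_user
 else
-vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}'")
+vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' (response body did not match)")
 return :skip_pass
 end
 end
@@ -295,7 +302,7 @@ def get_ad_domain
 next
 end
 
-if res && res.code == 401 && res['WWW-Authenticate'].match(/^NTLM/i)
+if res && res.code == 401 && res.headers.has_key?('WWW-Authenticate') && res.headers['WWW-Authenticate'].match(/^NTLM/i)
 hash = res['WWW-Authenticate'].split('NTLM ')[1]
 domain = Rex::Proto::NTLM::Message.parse(Rex::Text.decode_base64(hash))[:target_name].value().gsub(/\0/,'')
 print_good("Found target domain: " + domain)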
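Review bot: The rebuilt Cookie header in the `%w(sessionid cadata).each` loop of try_user_pass drops the cookie names, because `Regexp.last_match(1)` is only the captured value; the header becomes `PBack=0; <value>; <value>` where the removed code sent `sessionid=...; cadata=...`. Appending the whole match with `cookie_header << "; #{Regexp.last_match(0)}"` (or `"; #{necessary_cookie}=#{Regexp.last_match(1)}"`) keeps the names; as written the follow-up request presumably carries no usable session, so valid credentials would be reported as failed. The pattern is also unanchored, so `sessionid=` can match inside a longer cookie name. In get_ad_domain the new guard matches `/^NTLM/i` case-insensitively while the next line splits on the case-sensitive `'NTLM '`, so a header without a challenge blob still leaves `hash` nil before `decode_base64`. Both methods start and end outside the hunks shown.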
