Land rapid7#5493, update OWA scanner creds persistence

Author: trevrosen

modules/auxiliary/scanner/http/owa_login.rb

@@ -76,7 +76,6 @@ def initialize
       }
     )
 
-
     register_options(
       [
         OptInt.new('RPORT', [ true, "The target port", 443]),
@@ -128,21 +127,29 @@ def run
       each_user_pass do |user, pass|
         next if (user.blank? or pass.blank?)
         vprint_status("#{msg} Trying #{user} : #{pass}")
-        try_user_pass({"user" => user, "domain"=>domain, "pass"=>pass, "auth_path"=>auth_path, "inbox_path"=>inbox_path, "login_check"=>login_check, "vhost"=>vhost})
+        try_user_pass({
+          user: user,
+          domain: domain,
+          pass: pass,
+          auth_path: auth_path,
+          inbox_path: inbox_path,
+          login_check: login_check,
+          vhost: vhost
+        })
       end
     rescue ::Rex::ConnectionError, Errno::ECONNREFUSED
       print_error("#{msg} HTTP Connection Error, Aborting")
     end
   end
 
   def try_user_pass(opts)
-    user = opts["user"]
-    pass = opts["pass"]
-    auth_path = opts["auth_path"]
-    inbox_path = opts["inbox_path"]
-    login_check = opts["login_check"]
-    vhost = opts["vhost"]
-    domain = opts["domain"]
+    user = opts[:user]
+    pass = opts[:pass]
+    auth_path = opts[:auth_path]
+    inbox_path = opts[:inbox_path]
+    login_check = opts[:login_check]
+    vhost = opts[:vhost]
+    domain = opts[:domain]
 
     user = domain + '\\' + user if domain
 
@@ -199,16 +206,13 @@ def try_user_pass(opts)
       # Check if the password needs to be changed.
       if res.headers['location'] =~ /expiredpassword/
         print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}': NOTE password change required")
-        report_hash = {
-          :host   => datastore['RHOST'],
-          :port   => datastore['RPORT'],
-          :sname  => 'owa',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'}
-
-        report_auth_info(report_hash)
+        report_cred(
+          ip: datastore['RHOST'],
+          port: datastore['RPORT'],
+          service_name: 'owa',
+          user: user,
+          password: pass
+        )
         return :next_user
       end
 
@@ -263,17 +267,13 @@ def try_user_pass(opts)
 
     if res.body =~ login_check
       print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}'")
-
-      report_hash = {
-        :host   => datastore['RHOST'],
-        :port   => datastore['RPORT'],
-        :sname  => 'owa',
-        :user   => user,
-        :pass   => pass,
-        :active => true,
-        :type => 'password'}
-
-      report_auth_info(report_hash)
+      report_cred(
+        ip: datastore['RHOST'],
+        port: datastore['RPORT'],
+        service_name: 'owa',
+        user: user,
+        password: pass
+      )
       return :next_user
     else
       vprint_error("#{msg} FAILED LOGIN. #{elapsed_time} '#{user}' : '#{pass}' (response body did not match)")
@@ -282,14 +282,14 @@ def try_user_pass(opts)
   end
 
   def get_ad_domain
-    urls = ["aspnet_client",
-      "Autodiscover",
-      "ecp",
-      "EWS",
-      "Microsoft-Server-ActiveSync",
-      "OAB",
-      "PowerShell",
-      "Rpc"]
+    urls = ['aspnet_client',
+      'Autodiscover',
+      'ecp',
+      'EWS',
+      'Microsoft-Server-ActiveSync',
+      'OAB',
+      'PowerShell',
+      'Rpc']
 
     domain = nil
 
@@ -299,7 +299,7 @@ def get_ad_domain
           'encode'   => true,
           'uri'      => "/#{url}",
           'method'   => 'GET',
-          'headers'  =>  {"Authorization" => "NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="}
+          'headers'  =>  {'Authorization' => 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='}
         })
       rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
         vprint_error("#{msg} HTTP Connection Failed")
@@ -314,14 +314,40 @@ def get_ad_domain
       if res && res.code == 401 && res.headers.has_key?('WWW-Authenticate') && res.headers['WWW-Authenticate'].match(/^NTLM/i)
         hash = res['WWW-Authenticate'].split('NTLM ')[1]
         domain = Rex::Proto::NTLM::Message.parse(Rex::Text.decode_base64(hash))[:target_name].value().gsub(/\0/,'')
-        print_good("Found target domain: " + domain)
+        print_good("Found target domain: #{domain}")
         return domain
       end
     end
 
     return domain
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      last_attempted_at: DateTime.now,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def msg
     "#{vhost}:#{rport} OWA -"
   end