Fix a logic error in HttpServer

When a module is configured to listen on the INADDR_ANY interface, with
a payload that does not have an LHOST option, it attempts to determine
the srvhost from a client socket which would only be available when the
module has included the TcpClient mixin (i.e., it is both passive and
aggressive stance), causing a NameError for the undefined +sock+.

This commit fixes the problem in two ways:

1. It changes the default cli in get_uri to be the module's self.cli,
   which should always be set when passive modules would need it (e.g., in
   the on_request_uri method).

2. It adds a check to make sure that the calling module has a sock
   before trying to get its peerhost. This was @marthieubean's suggested
   solution in rapid7#1775.

[Closes rapid7#1775]

Author: egypt

lib/msf/core/exploit/http/server.rb

@@ -376,9 +376,9 @@ def get_resource
 	# Return a full url of the form <tt>http://1.1.1.1:8080/resource/</tt>
 	#
 	# The address portion should be something a client would be able to route,
-	# but see +srvhost_addr+ for caveats.
+	# but see {#srvhost_addr} for caveats.
 	#
-	def get_uri(cli=nil)
+	def get_uri(cli=self.cli)
 		ssl = !!(datastore["SSL"])
 		proto = (ssl ? "https://" : "http://")
 		if (cli and cli.peerhost)
@@ -405,7 +405,7 @@ def get_uri(cli=nil)
 	end
 
 	#
-	# Return an address to which the client can route.
+	# An address to which the client can route.
 	#
 	# If available, return LHOST which should be the right thing since it
 	# already has to be an address the client can route to for the payload to
@@ -416,28 +416,39 @@ def get_uri(cli=nil)
 	# bind payload but there's nothing we can do about it.
 	#
 	# NOTE: The address will be *incorrect* in the following two situations:
-	# 1) LHOST is pointed at a multi/handler on some other box.
-	# 2) SRVHOST has a value of '0.0.0.0', the user is behind NAT, and we're
+	# 1. LHOST is pointed at a multi/handler on some other box.
+	# 2. SRVHOST has a value of '0.0.0.0', the user is behind NAT, and we're
 	#    using a bind payload.  In that case, we don't have an LHOST and
 	#    the source address will be internal.
 	#
 	# This can potentially be dealt with in a module by using the Host header
 	# from a request if such a header exists.
 	#
+	# @return [String]
 	def srvhost_addr
-		if (datastore['LHOST'])
+		if (datastore['LHOST'] and (!datastore['LHOST'].strip.empty?))
 			host = datastore["LHOST"]
 		else
 			if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
-				if (sock and sock.peerhost)
+				if (respond_to?(:sock) and sock and sock.peerhost)
+					# Then this is a Passive-Aggressive module. It has a socket
+					# connected to the remote server from which we can deduce the
+					# appropriate source address.
 					host = Rex::Socket.source_address(sock.peerhost)
 				else
+					# Otherwise, this module is only a server, not a client, *and*
+					# the payload does not have an LHOST option. This can happen,
+					# for example, with a browser exploit using a download-exec
+					# payload. In that case, just use the address of the interface
+					# with the default gateway and hope for the best.
 					host = Rex::Socket.source_address
 				end
 			else
 				host = datastore['SRVHOST']
 			end
 		end
+
+		host
 	end
 
 	#
@@ -1094,10 +1105,14 @@ def on_request_uri(cli, request, headers={})
 	end
 
 	#
-	# Return the PHP include URL (pre-encoded)
+	# The PHP include URL (pre-encoded)
 	#
-	# Does not take SSL into account.  For the reasoning behind this, see +exploit+.
+	# Does not take SSL into account.  For the reasoning behind this, see
+	# {#exploit}.
 	#
+	# @return [String] The URL to be used as the argument in a call to
+	#   +require+, +require_once+, or +include+ or +include_once+ in a
+	#   vulnerable PHP app.
 	def php_include_url(sock=nil)
 		host = srvhost_addr
 		if Rex::Socket.is_ipv6?(host)