Make OWA 2013 the default, other fixes

Tod Beardsley · Tod Beardsley · commit a46839726e32 · 2014-11-05T13:56:37.000-06:00
Thanks @jhart-r7! See rapid7#4083 and see rapid7#4094
diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb
@@ -18,8 +18,7 @@ def initialize
     super(
       'Name'           => 'Outlook Web App (OWA) Brute Force Utility',
       'Description'    => %q{
-        This module tests credentials on OWA 2003, 2007, 2010, 2013 servers. The default
-        action is set to OWA 2010.
+        This module tests credentials on OWA 2003, 2007, 2010, and 2013 servers.
       },
       'Author'         =>
         [
@@ -70,7 +69,7 @@ def initialize
             }
           ]
         ],
-      'DefaultAction' => 'OWA_2010',
+      'DefaultAction' => 'OWA_2013',
       'DefaultOptions' => {
         'SSL' => true
       }
@@ -93,20 +92,21 @@ def initialize
     deregister_options('BLANK_PASSWORDS', 'RHOSTS','PASSWORD','USERNAME')
   end
 
-  def run
-
-    vhost = datastore['VHOST'] || datastore['RHOST']
-
-    print_status("#{msg} Testing version #{action.name}")
-
+  def setup
     # Here's a weird hack to check if each_user_pass is empty or not
     # apparently you cannot do each_user_pass.empty? or even inspect() it
     isempty = true
     each_user_pass do |user|
       isempty = false
       break
     end
-    print_error("No username/password specified") if isempty
+    raise ArgumentError, "No username/password specified" if isempty
+  end
+
+  def run
+    vhost = datastore['VHOST'] || datastore['RHOST']
+
+    print_status("#{msg} Testing version #{action.name}")
 
     auth_path   = action.opts['AuthPath']
     inbox_path  = action.opts['InboxPath']
@@ -247,6 +247,11 @@ def try_user_pass(opts)
       return :abort
     end
 
+    if res.redirect?
+      vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' (response was a #{res.code} redirect)")
+      return :skip_pass
+    end
+
     if res.body =~ login_check
       print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
 
@@ -261,12 +266,6 @@ def try_user_pass(opts)
 
       report_auth_info(report_hash)
       return :next_user
-
-    if res.redirect?
-      vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' (response was a #{res.code} redirect)")
-      return :skip_pass
-    end
-
     else
       vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' (response body did not match)")
       return :skip_pass
