Land rapid7#4819, Normalize HTTP LoginScanner modules

Author: wchen-r7

lib/metasploit/framework/login_scanner/axis2.rb

@@ -20,7 +20,7 @@ def attempt_login(credential)
             host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies
           )
 
-          http_client = config_client(http_client)
+          configure_http_client(http_client)
 
           result_opts = {
               credential: credential,

lib/metasploit/framework/login_scanner/buffalo.rb

@@ -35,6 +35,7 @@ def attempt_login(credential)
           end
           begin
             cli = Rex::Proto::Http::Client.new(host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version)
+            configure_http_client(cli)
             cli.connect
             req = cli.request_cgi({
               'method'=>'POST',

lib/metasploit/framework/login_scanner/chef_webui.rb

@@ -63,6 +63,7 @@ def check_setup
         # @return [Rex::Proto::Http::Response] The HTTP response
         def send_request(opts)
           cli = Rex::Proto::Http::Client.new(host, port, {'Msf' => framework, 'MsfExploit' => self}, ssl, ssl_version, proxies)
+          configure_http_client(cli)
           cli.connect
           req = cli.request_raw(opts)
           res = cli.send_recv(req)

lib/metasploit/framework/login_scanner/glassfish.rb

@@ -62,6 +62,7 @@ def check_setup
         # @return [Rex::Proto::Http::Response] The HTTP response
         def send_request(opts)
           cli = Rex::Proto::Http::Client.new(host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies)
+          configure_http_client(cli)
           cli.connect
           req = cli.request_raw(opts)
           res = cli.send_recv(req)

lib/metasploit/framework/login_scanner/http.rb

@@ -37,6 +37,122 @@ class HTTP
         #   @return [String] the Virtual Host name for the target Web Server
         attr_accessor :vhost
 
+        # @!attribute evade_uri_encode_mode
+        #   @return [String] The type of URI encoding to use
+        attr_accessor :evade_uri_encode_mode
+
+        # @!attribute evade_uri_full_url
+        #   @return [Boolean] Whether to use the full URL for all HTTP requests
+        attr_accessor :evade_uri_full_url
+
+        # @!attribute evade_pad_method_uri_count
+        #   @return [Fixnum] How many whitespace characters to use between the method and uri
+        attr_accessor :evade_pad_method_uri_count
+
+        # @!attribute evade_pad_uri_version_count
+        #   @return [Fixnum] How many whitespace characters to use between the uri and version
+        attr_accessor :evade_pad_uri_version_count
+
+        # @!attribute evade_pad_method_uri_type
+        #   @return [String] What type of whitespace to use between the method and uri
+        attr_accessor :evade_pad_method_uri_type
+
+        # @!attribute evade_pad_uri_version_type
+        #   @return [String] What type of whitespace to use between the uri and version
+        attr_accessor :evade_pad_uri_version_type
+
+        # @!attribute evade_method_random_valid
+        #   @return [Boolean] Whether to use a random, but valid, HTTP method for request
+        attr_accessor :evade_method_random_valid
+
+        # @!attribute evade_method_random_invalid
+        #   @return [Boolean] Whether to use a random invalid, HTTP method for request
+        attr_accessor :evade_method_random_invalid
+
+        # @!attribute evade_method_random_case
+        #   @return [Boolean] Whether to use random casing for the HTTP method
+        attr_accessor :evade_method_random_case
+
+        # @!attribute evade_uri_dir_self_reference
+        #   @return [Boolean] Whether to insert self-referential directories into the uri
+        attr_accessor :evade_uri_dir_self_reference
+
+        # @!attribute evade_uri_dir_fake_relative
+        #   @return [Boolean] Whether to insert fake relative directories into the uri
+        attr_accessor :evade_uri_dir_fake_relative
+
+        # @!attribute evade_uri_use_backslashes
+        #   @return [Boolean] Whether to use back slashes instead of forward slashes in the uri
+        attr_accessor :evade_uri_use_backslashes
+
+        # @!attribute evade_pad_fake_headers
+        #   @return [Boolean] Whether to insert random, fake headers into the HTTP request
+        attr_accessor :evade_pad_fake_headers
+
+        # @!attribute evade_pad_fake_headers_count
+        #   @return [Fixnum] How many fake headers to insert into the HTTP request
+        attr_accessor :evade_pad_fake_headers_count
+
+        # @!attribute evade_pad_get_params
+        #   @return [Boolean] Whether to insert random, fake query string variables into the request
+        attr_accessor :evade_pad_get_params
+
+        # @!attribute evade_pad_get_params_count
+        #   @return [Fixnum] How many fake query string variables to insert into the request
+        attr_accessor :evade_pad_get_params_count
+
+        # @!attribute evade_pad_post_params
+        #   @return [Boolean] Whether to insert random, fake post variables into the request
+        attr_accessor :evade_pad_post_params
+
+        # @!attribute evade_pad_post_params_count
+        #   @return [Fixnum] How many fake post variables to insert into the request
+        attr_accessor :evade_pad_post_params_count
+
+        # @!attribute evade_uri_fake_end
+        #   @return [Boolean] Whether to add a fake end of URI (eg: /%20HTTP/1.0/../../)
+        attr_accessor :evade_uri_fake_end
+
+        # @!attribute evade_uri_fake_params_start
+        #   @return [Boolean] Whether to add a fake start of params to the URI (eg: /%3fa=b/../)
+        attr_accessor :evade_uri_fake_params_start
+
+        # @!attribute evade_header_folding
+        #   @return [Boolean]  Whether to enable folding of HTTP headers
+        attr_accessor :evade_header_folding
+
+        # @!attribute ntlm_use_ntlmv2_session
+        #   @return [Boolean] Whether to activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
+        attr_accessor :ntlm_use_ntlmv2_session
+
+        # @!attribute ntlm_use_ntlmv2
+        #   @return [Boolean] Whether to use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' is enabled
+        attr_accessor :ntlm_use_ntlmv2
+
+        # @!attribute ntlm_send_lm
+        #   @return [Boolean] Whether to always send the LANMAN response (except when NTLMv2_session is specified)
+        attr_accessor :ntlm_send_lm
+
+        # @!attribute ntlm_send_ntlm
+        #   @return [Boolean] Whether to activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
+        attr_accessor :ntlm_send_ntlm
+
+        # @!attribute ntlm_send_spn
+        #   @return [Boolean] Whether to send an avp of type SPN in the NTLMv2 client blob.
+        attr_accessor :ntlm_send_spn
+
+        # @!attribute ntlm_use_lm_key
+        #   @return [Boolean] Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
+        attr_accessor :ntlm_use_lm_key
+
+        # @!attribute ntlm_domain
+        #   @return [String] The NTLM domain to use during authentication
+        attr_accessor :ntlm_domain
+
+        # @!attribute digest_auth_iis
+        #   @return [Boolean] Whether to conform to IIS digest authentication mode.
+        attr_accessor :digest_auth_iis
+
 
         validates :uri, presence: true, length: { minimum: 1 }
 
@@ -99,7 +215,7 @@ def attempt_login(credential)
             proxies, credential.public, credential.private
           )
 
-          http_client = config_client(http_client)
+          configure_http_client(http_client)
 
           if credential.realm
             http_client.set_config('domain' => credential.realm)
@@ -127,12 +243,53 @@ def attempt_login(credential)
 
         private
 
-        def config_client(client)
-          client.set_config(
-            'vhost' => vhost || host,
-            'agent' => user_agent
+        # This method is responsible for mapping the caller's datastore options to the
+        # Rex::Proto::Http::Client configuration parameters.
+        def configure_http_client(http_client)
+          http_client.set_config(
+            'vhost'                  => vhost || host,
+            'agent'                  => user_agent
           )
-          client
+
+          possible_params = {
+            'uri_encode_mode'        => evade_uri_encode_mode,
+            'uri_full_url'           => evade_uri_full_url,
+            'pad_method_uri_count'   => evade_pad_method_uri_count,
+            'pad_uri_version_count'  => evade_pad_uri_version_count,
+            'pad_method_uri_type'    => evade_pad_method_uri_type,
+            'pad_uri_version_type'   => evade_pad_uri_version_type,
+            'method_random_valid'    => evade_method_random_valid,
+            'method_random_invalid'  => evade_method_random_invalid,
+            'method_random_case'     => evade_method_random_case,
+            'uri_dir_self_reference' => evade_uri_dir_self_reference,
+            'uri_dir_fake_relative'  => evade_uri_dir_fake_relative,
+            'uri_use_backslashes'    => evade_uri_use_backslashes,
+            'pad_fake_headers'       => evade_pad_fake_headers,
+            'pad_fake_headers_count' => evade_pad_fake_headers_count,
+            'pad_get_params'         => evade_pad_get_params,
+            'pad_get_params_count'   => evade_pad_get_params_count,
+            'pad_post_params'        => evade_pad_post_params,
+            'pad_post_params_count'  => evade_pad_post_params_count,
+            'uri_fake_end'           => evade_uri_fake_end,
+            'uri_fake_params_start'  => evade_uri_fake_params_start,
+            'header_folding'         => evade_header_folding,
+            'usentlm2_session'       => ntlm_use_ntlmv2_session,
+            'use_ntlmv2'             => ntlm_use_ntlmv2,
+            'send_lm'                => ntlm_send_lm,
+            'send_ntlm'              => ntlm_send_ntlm,
+            'SendSPN'                => ntlm_send_spn,
+            'UseLMKey'               => ntlm_use_lm_key,
+            'domain'                 => ntlm_domain,
+            'DigestAuthIIS'          => digest_auth_iis
+          }
+
+          # Set the parameter only if it is not nil
+          possible_params.each_pair do |k,v|
+            next if v.nil?
+            http_client.set_config(k => v)
+          end
+
+          http_client
         end
 
         # This method sets the sane defaults for things

lib/metasploit/framework/login_scanner/ipboard.rb

@@ -12,8 +12,7 @@ def attempt_login(credential)
           http_client = Rex::Proto::Http::Client.new(
               host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies
           )
-
-          http_client = config_client(http_client)
+          configure_http_client(http_client)
 
           result_opts = {
               credential: credential,

lib/metasploit/framework/login_scanner/jenkins.rb

@@ -34,6 +34,7 @@ def attempt_login(credential)
           end
           begin
             cli = Rex::Proto::Http::Client.new(host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies)
+            configure_http_client(cli)
             cli.connect
             req = cli.request_cgi({
               'method'=>'POST',

lib/metasploit/framework/login_scanner/mybook_live.rb

@@ -36,6 +36,7 @@ def attempt_login(credential)
             cred = Rex::Text.uri_encode(credential.private)
             body = "data%5BLogin%5D%5Bowner_name%5D=admin&data%5BLogin%5D%5Bowner_passwd%5D=#{cred}"
             cli = Rex::Proto::Http::Client.new(host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version)
+            configure_http_client(cli)
             cli.connect
             req = cli.request_cgi(
               'method' => method,

lib/metasploit/framework/login_scanner/smh.rb

@@ -34,6 +34,7 @@ def attempt_login(credential)
 
           begin
             cli = Rex::Proto::Http::Client.new(host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies)
+            configure_http_client(cli)
             cli.connect
             req = cli.request_cgi(req_opts)
             res = cli.send_recv(req)

lib/metasploit/framework/login_scanner/wordpress_rpc.rb

@@ -12,6 +12,7 @@ def attempt_login(credential)
           http_client = Rex::Proto::Http::Client.new(
               host, port, {'Msf' => framework, 'MsfExploit' => framework_module}, ssl, ssl_version, proxies
           )
+          configure_http_client(http_client)
 
           result_opts = {
               credential: credential,