Auto-resolve target if it's a hostname (owa_login).

pbarry-r7 · pbarry-r7 · commit e9ce2374e5f9 · 2018-01-17T16:47:21.000-06:00
Ensures the module does save the creds which it claims to be saving.  See MS-2968.
diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb
@@ -4,6 +4,7 @@
 ##
 
 require 'rex/proto/ntlm/message'
+require 'rex/socket'
 
 class MetasploitModule < Msf::Auxiliary
   include Msf::Auxiliary::Report
@@ -93,6 +94,19 @@ def initialize
     deregister_options('BLANK_PASSWORDS', 'RHOSTS')
   end
 
+  def lookup_addr(host)
+    return host if Rex::Socket.dotted_ip?(host)
+
+    begin
+      addr = Rex::Socket.resolv_to_dotted(host)
+      vprint_status("#{msg} Resolved hostname '#{host.to_s}' to address #{addr.to_s}")
+    rescue ResolverArgumentError, Errno::ETIMEDOUT, ::NoResponseError, ::Timeout::Error => e
+      print_error("#{msg} Failed to lookup address for #{host}, datastore persistence skipped")
+      addr = nil
+    end
+    addr
+  end
+
   def setup
     # Here's a weird hack to check if each_user_pass is empty or not
     # apparently you cannot do each_user_pass.empty? or even inspect() it
@@ -207,7 +221,7 @@ def try_user_pass(opts)
       if res.headers['location'] =~ /expiredpassword/
         print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}': NOTE password change required")
         report_cred(
-          ip: datastore['RHOST'],
+          ip: lookup_addr(datastore['RHOST']),
           port: datastore['RPORT'],
           service_name: 'owa',
           user: user,
@@ -221,7 +235,7 @@ def try_user_pass(opts)
       if res.headers['location'] =~ /owa/ and res.headers['location'] !~ /reason/
         print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}': NOTE a mailbox is not setup")
         report_cred(
-          ip: datastore['RHOST'],
+          ip: lookup_addr(datastore['RHOST']),
           port: datastore['RPORT'],
           service_name: 'owa',
           user: user,
@@ -241,7 +255,7 @@ def try_user_pass(opts)
         # Login didn't work. no point in going on, however, check if valid domain account by response time.
         if elapsed_time <= 1
           report_cred(
-            ip: datastore['RHOST'],
+            ip: lookup_addr(datastore['RHOST']),
             port: datastore['RPORT'],
             service_name: 'owa',
             user: user
@@ -287,7 +301,7 @@ def try_user_pass(opts)
     if res.redirect?
       if elapsed_time <= 1
         report_cred(
-          ip: datastore['RHOST'],
+          ip: lookup_addr(datastore['RHOST']),
           port: datastore['RPORT'],
           service_name: 'owa',
           user: user
@@ -303,7 +317,7 @@ def try_user_pass(opts)
     if res.body =~ login_check
       print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}'")
       report_cred(
-        ip: datastore['RHOST'],
+        ip: lookup_addr(datastore['RHOST']),
         port: datastore['RPORT'],
         service_name: 'owa',
         user: user,
@@ -313,7 +327,7 @@ def try_user_pass(opts)
     else
       if elapsed_time <= 1
         report_cred(
-          ip: datastore['RHOST'],
+          ip: lookup_addr(datastore['RHOST']),
           port: datastore['RPORT'],
           service_name: 'owa',
           user: user
