Land #14609, Fix bug where vhost wasn't being set correctly when usin…

…g rhost http url
rapid7 · Jan 19, 2021 · 0fc8df3 · 0fc8df3
2 parents 2d7b3b9 + 2d9e25d
commit 0fc8df3
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 4 deletions.
diff --git a/lib/msf/core/exploit/remote/http_client.rb b/lib/msf/core/exploit/remote/http_client.rb
@@ -170,7 +170,7 @@ def connect(opts={})
 
     # Configure the HTTP client with the supplied parameter
     nclient.set_config(
-      'vhost' => opts['vhost'] || opts['rhost'] || self.vhost(),
+      'vhost' => opts['vhost'] || self.vhost(),
       'agent' => datastore['UserAgent'],
       'partial' => opts['partial'],
       'uri_encode_mode'        => datastore['HTTP::uri_encode_mode'],
@@ -443,7 +443,7 @@ def reconfig_redirect_opts!(res, opts)
       end
 
       opts['rhost'] = datastore['RHOST']
-      opts['vhost'] = opts['vhost'] || opts['rhost'] || self.vhost()
+      opts['vhost'] = opts['vhost'] || self.vhost()
       opts['rport'] = datastore['RPORT']
 
       opts['SSL'] = ssl

diff --git a/lib/msf/core/opt_http_rhost_url.rb b/lib/msf/core/opt_http_rhost_url.rb
@@ -51,7 +51,7 @@ def calculate_value(datastore)
       return unless datastore['RHOSTS']
       begin
         uri_type = datastore['SSL'] ? URI::HTTPS : URI::HTTP
-        uri = uri_type.build(host: datastore['RHOSTS'])
+        uri = uri_type.build(host: datastore['VHOST'] || datastore['RHOSTS'])
         uri.port = datastore['RPORT']
         # The datastore uses both `TARGETURI` and `URI` to denote the path of a URL, we try both here and fall back to `/`
         uri.path = (datastore['TARGETURI'] || datastore['URI'] || '/')

diff --git a/spec/lib/msf/core/opt_http_rhost_url_spec.rb b/spec/lib/msf/core/opt_http_rhost_url_spec.rb
@@ -25,7 +25,8 @@
       { expected_url: 'http://example.com', datastore: { 'RHOSTS' => 'example.com', 'RPORT' => 80, 'SSL' => false, 'TARGETURI' => '', 'URI' => '', 'VHOST' => 'example.com', 'HttpUsername' => '', 'HttpPassword' => '' } },
       { expected_url: 'https://example.com', datastore: { 'RHOSTS' => 'example.com', 'RPORT' => 443, 'SSL' => true, 'TARGETURI' => '', 'URI' => '', 'VHOST' => 'example.com', 'HttpUsername' => '', 'HttpPassword' => '' } },
       { expected_url: 'http://user:pass@example.com:1234/somePath', datastore: { 'RHOSTS' => 'example.com', 'RPORT' => 1234, 'SSL' => false, 'TARGETURI' => '/somePath', 'URI' => '/somePath', 'VHOST' => 'example.com', 'HttpUsername' => 'user', 'HttpPassword' => 'pass' } },
-      { expected_url: 'http://127.0.0.1', datastore: { 'RHOSTS' => '127.0.0.1', 'RPORT' => 80, 'SSL' => false, 'TARGETURI' => '', 'URI' => '', 'VHOST' => nil, 'HttpUsername' => '', 'HttpPassword' => '' } }
+      { expected_url: 'http://127.0.0.1', datastore: { 'RHOSTS' => '127.0.0.1', 'RPORT' => 80, 'SSL' => false, 'TARGETURI' => '', 'URI' => '', 'VHOST' => nil, 'HttpUsername' => '', 'HttpPassword' => '' } },
+      { expected_url: 'http://example.com', datastore: { 'RHOSTS' => '127.0.0.1', 'RPORT' => 80, 'SSL' => false, 'TARGETURI' => '', 'URI' => '', 'VHOST' => 'example.com', 'HttpUsername' => '', 'HttpPassword' => '' } }
     ].each do |test|
       context test[:datastore].to_s do
         it "should return #{test[:expected_url]}" do