Templatize HttpRawHeaders with ERB

rapid7 · Jul 25, 2019 · a22ad9a · a22ad9a
1 parent 1ba0d1e
commit a22ad9a
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb
@@ -37,7 +37,7 @@ def initialize(info = {})
           ]),
         OptString.new('HttpUsername', [false, 'The HTTP username to specify for authentication', '']),
         OptString.new('HttpPassword', [false, 'The HTTP password to specify for authentication', '']),
-        OptPath.new('HttpRawHeaders', [false, 'Path to raw HTTP headers to append to each request']),
+        OptPath.new('HttpRawHeaders', [false, 'Path to ERB-templatized raw headers to append to existing headers']),
         OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]),
         Opt::SSLVersion,
         OptBool.new('FingerprintCheck', [ false, 'Conduct a pre-exploit fingerprint verification', true]),
@@ -188,8 +188,12 @@ def connect(opts={})
       'DigestAuthIIS'          => datastore['DigestAuthIIS']
     )
 
-    if datastore['HttpRawHeaders']
-      nclient.set_config('raw_headers' => File.read(datastore['HttpRawHeaders']))
+    if datastore['HttpRawHeaders'] && File.readable?(datastore['HttpRawHeaders'])
+      # Templatize with ERB
+      headers = ERB.new(File.read(datastore['HttpRawHeaders'])).result(binding)
+
+      # Append templatized headers to existing headers
+      nclient.set_config('raw_headers' => headers)
     end
 
     # If this connection is global, persist it