use the authbrute mixin

git-svn-id: file:///home/svn/framework3/trunk@8150 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/exploit/mysql.rb

@@ -29,8 +29,8 @@ module Exploit::Remote::MYSQL
 			[
 				Opt::RHOST,
 				Opt::RPORT(3306),
-				OptString.new('MYSQL_USER', [ true, 'The username to authenticate as', 'root']),
-				OptString.new('MYSQL_PASS', [ false, 'The password for the specified username', '']),
+				OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
+				OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
 			], Msf::Exploit::Remote::MYSQL
 		)
 	end
@@ -55,7 +55,7 @@ module Exploit::Remote::MYSQL
 	end
 
 	def mysql_login_datastore
-		mysql_login(datastore['MYSQL_USER'], datastore['MYSQL_PASS'])
+		mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
 	end
 
 	def mysql_query(sql)

modules/auxiliary/scanner/mysql/mysql_login.rb

@@ -16,9 +16,10 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
 
 	include Msf::Exploit::Remote::MYSQL
-	include Msf::Auxiliary::Scanner
 	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::AuthBrute
 
+	include Msf::Auxiliary::Scanner
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -31,56 +32,15 @@ class Metasploit3 < Msf::Auxiliary
 
 		register_options(
 			[
-				OptString.new('MYSQL_PASS_FILE', [ false, 'A dictionary of passwords to perform a bruteforce attempt']),
 				OptBool.new('VERBOSE', [ true, 'Verbose output', false])
 			], self.class)
 	end
 
 
 	def run_host(ip)
-
-		user = datastore['MYSQL_USER'].to_s
-		user = "root" if user.empty?
-
-		if (datastore['MYSQL_PASS_FILE'] and not datastore['MYSQL_PASS_FILE'].empty?)
-			stime = Time.now.to_f
-			cnt = 0
-
-			File.open(datastore['MYSQL_PASS_FILE'], "rb") do |fd|
-				lcnt = 0
-				fd.each_line{lcnt += 1 }
-				fd.seek(0)
-
-				# Always try a blank password (not handled in the file parsing)
-				ret = do_login(user, '', datastore['VERBOSE'])
-				return if ret == :pass
-				return if ret == :error
-
-				fd.each_line do |line|
-					line.strip!
-					next if line =~ /^#/
-					next if line.empty?
-
-					ret = do_login(user, line.strip, datastore['VERBOSE'])
-					break if ret == :pass
-					break if ret == :error
-
-					cnt += 1
-					if(cnt % 1000 == 0)
-						pps = (cnt / (Time.now.to_f - stime)).to_i
-						pct = (cnt/lcnt.to_f * 100.0).to_i
-						eta = ((lcnt - cnt) / pps / 60.0).to_i
-						print_status(
-							"#{rhost}:#{rport} completed #{cnt}/#{lcnt} passwords (#{pct}%) " +
-							"at a rate of #{pps} per second " +
-							"ETA #{eta} minutes"
-						)
-					end
-				end
-			end
-		else
-			do_login(user, datastore['MYSQL_PASS'], datastore['VERBOSE'])
-		end
+		each_user_pass { |user, pass|
+			do_login(user, pass, datastore['VERBOSE'])
+		}
 	end
 
 
@@ -92,24 +52,34 @@ class Metasploit3 < Msf::Auxiliary
 			print_status("#{rhost}:#{rport} successful logged in as '#{user}' with password '#{pass}'")
 			report_auth_info(
 				:host   => rhost,
-				:proto  => 'MYSQL',
+				:proto  => 'mysql',
 				:user   => user,
 				:pass   => pass,
 				:targ_host => rhost,
 				:targ_port => rport
 			)
-			return :pass
+			return :next_user
 		rescue ::RbMysql::AccessDeniedError
-				print_status("#{rhost}:#{rport} failed to login as '#{user}' with password '#{pass}'") if verbose
-				return :fail
+			print_status("#{rhost}:#{rport} failed to login as '#{user}' with password '#{pass}'") if verbose
+			return :fail
 		rescue ::RbMysql::Error => e
 			print_error("#{rhost}:#{rport} failed to login: #{e}")
 			return :error
 		rescue ::Interrupt
 			raise $!
 		rescue ::Rex::ConnectionError
-			return :error
+			return :done
 		end
 	end
+
+	def next_pass(state)
+		# Always try empty and the username
+		passes = ['', state[:user]]
+		state[:idx] ||= 0
+		pass = passes[state[:idx]]
+		state[:idx] += 1
+		return pass
+	end
+
 end