## https://sploitus.com/exploit?id=C65F644C-2F8C-578B-8E2E-9545302B1DA2
# CVE-2024-27766

MariaDB v11.1 RCE via UDF: a modified PoC based on [Ant1sec-ops/CVE-2024-27766](https://github.com/Ant1sec-ops/CVE-2024-27766).

---

## Overview

| | |
|---|---|
| **Affected** | MariaDB v11.1 |
| **Fixed in** | 10.5.25 / 10.6.18 / 10.11.8 / 11.0.6 / 11.1.5 / 11.2.4 / 11.4.2+ |
| **Type** | RCE via User-Defined Function (UDF) |

MariaDB v11.1 allows an attacker with sufficient database privileges (`FILE` privilege + plugin directory write access) to register a malicious UDF and execute arbitrary OS commands through it.

> Note: The MariaDB Foundation disputes this CVE on the grounds that no privilege boundary is crossed. Exploitation requires admin-level DB access or equivalent.

---

## What's different from the original

The original PoC uses a `longlong` return type, so `do_system()` only returns whether the command succeeded; you can't see the output directly from SQL.

This version changes the return type to `char *`, which pipes stdout back as the query result. No out-of-band channel needed; just run `SELECT do_system('whoami')` and the output comes back inline.

### Changes at a glance

| | Original | This PoC |
|---|---|---|
| Return type | `longlong` | `char *` |
| Execution | `system()` | `_popen()` + `fgets()` loop |
| SQL result | exit code | command stdout |
| Memory | none | heap-allocated, freed in `deinit` |

One thing worth noting: returning `char *` from a UDF requires MariaDB to know the buffer size upfront. `do_system_init` sets `initid->max_length = 65536`, matching the output buffer allocated in the main function.

Because the return type changed, `RETURNS STRING` must be used when registering the function, not `RETURNS INTEGER` as in the original.

```sql
CREATE FUNCTION do_system RETURNS STRING SONAME 'do_system.dll';
```

---

## Requirements

- Windows (uses `_popen` / `_pclose`)
- MariaDB v11.1 (unpatched)
- DB user with `FILE` privilege and plugin directory write access
- MinGW-w64 or MSVC to compile
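
The preconditions listed above (and in the Overview) are also exactly what a DBA should audit for. The following queries are an added defensive example, not part of the original PoC or of MariaDB's own tooling; they check where the server loads libraries from, who holds `FILE`, and which UDFs are registered. The account `'app'@'%'` is a constructed placeholder.

```sql
-- Added audit/hardening queries for MariaDB (not part of the original PoC).
-- Run as a DBA. The account 'app'@'%' below is a constructed placeholder.

-- 1. Where would a dropped shared library be loaded from, and is file
--    writing restricted? secure_file_priv is read-only at runtime and has to
--    be set in my.ini / my.cnf; pointing it at a dedicated directory that is
--    NOT plugin_dir keeps SELECT ... INTO DUMPFILE from landing a library in
--    the plugin directory, which is the write step this PoC depends on.
SHOW VARIABLES WHERE Variable_name IN ('plugin_dir', 'secure_file_priv');

-- 2. Which accounts hold the global FILE privilege? Application accounts
--    normally need none of these; each hit is a candidate for REVOKE.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 3. Which UDFs are registered, and from which library? ret = 0 means the
--    function was registered with RETURNS STRING (as this PoC requires),
--    2 means RETURNS INTEGER. Any dl that is not a library you deployed
--    deserves a look, regardless of the function name.
SELECT name, ret, dl, type FROM mysql.func;

-- 4. Remediation once an unexpected entry is found: unregister the UDF and
--    remove FILE from the account that did not need it.
DROP FUNCTION IF EXISTS do_system;
REVOKE FILE ON *.* FROM 'app'@'%';
```

`DROP FUNCTION` only removes the row from `mysql.func`; the library file itself stays in `plugin_dir` until deleted from disk, so treat the output of query 3 as a list of files to check as well. Also verify the plugin directory is not writable by the account the database service runs as, since that is the second precondition above.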

---

## Disclaimer

For educational and research purposes only. Do not use against systems you don't own or have explicit permission to test.