###############################################################################
##
## MariaDB port of Meltdown exploit from Github by @4n6expert
##
## Works on MariaDB 5 & 10
## May also work on MySQL (but who uses that any more?)
##
## THIS IS FOR INFORMATIONAL AND EDUCATIONAL PURPOSES ONLY.
##
## THIS CODE COMES WITH NO WARRANTY OF ANY KIND.
##
## Testing has confirmed that the efficacy of this exploit
## is *NOT* affected by the security patches released by
## OS and CPU vendors.
##
###############################################################################
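delimiter //
create database if not exists meltdown
//
use meltdown
//
drop table if exists assembly_code
//
-- One row per "instruction". The only writer is the insert script below,
-- which supplies hex string literals; in MySQL/MariaDB a 0x... literal in a
-- string context is a byte string, so this column holds text, not machine
-- code. `address` is just the insertion order.
--
-- `address` is unsigned: the (still inactive) starting offset suggested in
-- the comment below, 31337 + 0x83466553, exceeds the signed INT maximum
-- 0x7FFFFFFF and would not fit the original `integer(12)` column.
create table assembly_code (
    address int unsigned not null auto_increment,
    instructions text not null,
    constraint assembly_code_pk primary key (address)
)
//
-- The original carried a commented-out
--   alter table assembly_code auto_increment = 31337 + 0x83466553
-- followed by a bare `//` terminator. Neither is active here, so the first
-- row gets address 1; a terminator with no statement in front of it may be
-- sent to the server as an empty query by the mysql client, so it was
-- dropped. Re-enable the ALTER deliberately if a different start is wanted.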
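-- The "assembly" is a decoy. Every value below is a hex string literal whose
-- bytes are plain ASCII text: 0x5765277265206e6f20737472616e676572732074
-- 6f206c6f7665 is "We're no strangers to love", and the rest of the rows
-- continue the same song. Nothing here is machine code; loading the table
-- stores song lyrics. The mnemonic comment on each row is preserved from the
-- original for reference only; it has no relation to the stored value.
--
-- One multi-row insert replaces the original 56 single-row statements.
-- Row order is unchanged, so `address` is still assigned 1..56 in the same
-- sequence.
insert into assembly_code (instructions) values
    -- xor %ebx, %ebx
    (0x5765277265206e6f20737472616e6765727320746f206c6f7665),
    -- lea 0x17(%ebx),%eax
    (0x596f75206b6e6f77207468652072756c657320616e6420736f20646f2049),
    -- int $0x80
    (0x412066756c6c20636f6d6d69746d656e74277320776861742049276d207468696e6b696e67206f66),
    -- push %ebx
    (0x596f7520776f756c646e27742067657420746869732066726f6d20616e79206f7468657220677579),
    -- push $0x00031337
    (0x49206a7573742077616e6e612074656c6c20796f7520686f772049276d206665656c696e67),
    -- mov %esp, %ebx
    (0x476f747461206d616b6520796f7520756e6465727374616e64),
    -- push %eax
    (0x4e6576657220676f6e6e61206769766520796f75207570),
    -- push %ebx
    (0x4e6576657220676f6e6e61206c657420796f7520646f776e),
    -- mov %esp, %ecx
    (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75),
    -- ctld
    (0x4e6576657220676f6e6e61206d616b6520796f7520637279),
    -- mov $0x, $al
    (0x4e6576657220676f6e6e612073617920676f6f64627965),
    -- int $80
    (0x4e6576657220676f6e6e612074656c6c2061206c696520616e64206875727420796f75),
    -- mov (%ebx), %eax
    (0x5765277665206b6e6f776e2065616368206f7468657220666f7220736f206c6f6e67),
    -- mov (%ebx), var(,1)
    (0x596f75722068656172742773206265656e20616368696e672062757420796f7527726520746f6f2073687920746f20736179206974),
    -- mov -8(%esi), %eax
    (0x496e7369646520776520626f7468206b6e6f7720776861742773206265656e20676f696e67206f6e),
    -- mov %cl, (%esi, %eax,1)
    (0x5765206b6e6f77207468652067616d6520616e6420776527726520676f6e6e6120706c6179206974),
    -- mov (%esi,%ebx,4), %edx
    (0x416e6420696620796f752061736b206d6520686f772049276d206665656c696e67),
    -- idivw (%edx)
    (0x446f6e27742074656c6c206d6520796f7527726520746f6f20626c696e6420746f20736565),
    -- mov (%esp, %ebx)
    (0x4e6576657220676f6e6e61206769766520796f75207570),
    -- sub $16, %esp
    (0x4e6576657220676f6e6e61206c657420796f7520646f776e),
    -- mov -4(%ebx), %eax
    (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75),
    -- mov -12(%ebx),%edx
    (0x4e6576657220676f6e6e61206d616b6520796f7520637279),
    -- xor %eax, %eax
    (0x4e6576657220676f6e6e612073617920676f6f64627965),
    -- call _guess_value
    (0x4e6576657220676f6e6e612074656c6c2061206c696520616e64206875727420796f75),
    -- cflush
    (0x4e6576657220676f6e6e61206769766520796f75207570),
    -- mov %ecx, %esp
    (0x4e6576657220676f6e6e61206c657420796f7520646f776e),
    -- mov (%ebx), %ecx
    (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75),
    -- imul (%eax)
    (0x4e6576657220676f6e6e61206d616b6520796f7520637279),
    -- sub $20, %esp
    (0x4e6576657220676f6e6e612073617920676f6f64627965),
    -- add %eax, %ebx
    (0x4e6576657220676f6e6e612074656c6c2061206c696520616e64206875727420796f75),
    -- mov %eax, (%esp)
    (0x4e6576657220676f6e6e6120676976652c206e6576657220676f6e6e612067697665),
    -- mov 16(%esp), (%edx)
    (0x284769766520796f7520757029),
    -- xor %esp, %esp
    (0x284f6f6829204e6576657220676f6e6e6120676976652c206e6576657220676f6e6e612067697665),
    -- int $80
    (0x284769766520796f7520757029),
    -- mov $22, %ecx
    (0x5765277665206b6e6f776e2065616368206f7468657220666f7220736f206c6f6e67),
    -- xor %eip, %eip
    (0x596f75722068656172742773206265656e20616368696e672062757420796f7527726520746f6f2073687920746f20736179206974),
    -- incq %eax
    (0x496e7369646520776520626f7468206b6e6f7720776861742773206265656e20676f696e67206f6e),
    -- je _cache_flush
    (0x5765206b6e6f77207468652067616d6520616e6420776527726520676f6e6e6120706c6179206974),
    -- push %eax
    (0x49206a7573742077616e6e612074656c6c20796f7520686f772049276d206665656c696e67),
    -- push %ebx
    (0x476f747461206d616b6520796f7520756e6465727374616e64),
    -- push %ecx
    (0x4e6576657220676f6e6e61206769766520796f75207570),
    -- push %off
    (0x4e6576657220676f6e6e61206c657420796f7520646f776e),
    -- push %me
    (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75),
    -- pull %you
    (0x4e6576657220676f6e6e61206d616b6520796f7520637279),
    -- mov $ffs, %eax
    (0x4e6576657220676f6e6e612073617920676f6f64627965),
    -- mov %aex, %ebx
    (0x4e6576657220676f6e6e612074656c6c2061206c696520616e64206875727420796f75),
    -- imul $69, %eip
    (0x4e6576657220676f6e6e61206769766520796f75207570),
    -- pop %eax
    (0x4e6576657220676f6e6e61206c657420796f7520646f776e),
    -- pop %ebx
    (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75),
    -- pop %ecx
    (0x4e6576657220676f6e6e61206d616b6520796f7520637279),
    -- pop %ebx
    (0x4e6576657220676f6e6e612073617920676f6f64627965),
    -- pop %esp
    (0x4e6576657220676f6e6e612074656c6c2061206c696520616e64206875727420796f75),
    -- mov $10, %eip
    (0x4e6576657220676f6e6e61206769766520796f75207570),
    -- int $80
    (0x4e6576657220676f6e6e61206c657420796f7520646f776e),
    -- mov (%ebp), (%eax)
    (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75),
    -- call _exfiltrate
    (0x4e6576657220676f6e6e61206d616b6520796f7520637279)
//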
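drop procedure if exists do_meltdown
//
-- Walks every `assembly_code` row through a cursor (the fetched text is
-- discarded) and then returns the rows as a result set. That result set is
-- the procedure's only observable effect: it touches no table but
-- `assembly_code`, reads no process memory and sends nothing anywhere except
-- back to the caller. Despite the names, this is a read-only SELECT.
--
-- Changes from the original: ~35 declared-but-unused variables and a
-- commented-out fragment of an unrelated user-provisioning procedure
-- (references to sec_users, usernamein, etc. that do not exist in this
-- script) were removed; the cursor is now closed explicitly; the final
-- SELECT runs inside the REPEATABLE READ transaction it was meant to be
-- protected by, and carries an ORDER BY so its output is deterministic.
create procedure do_meltdown ()
begin
    -- Cleared by the NOT FOUND handler when the cursor runs off the end.
    declare more_rows boolean default true;
    -- Receives each fetched row; the value is never used.
    declare code_buffer text;
    -- Declaration order is fixed by MySQL: variables, then cursors, then
    -- handlers.
    declare instruction cursor for
        select instructions from assembly_code order by address;
    declare continue handler for not found set more_rows = false;

    -- One snapshot for both the cursor walk and the final select.
    set transaction isolation level repeatable read;
    start transaction;

    open instruction;
    code_load: loop
        fetch instruction into code_buffer;
        if not more_rows then
            leave code_load;
        end if;
    end loop;
    close instruction;

    -- Returned before COMMIT so it is read from the same snapshot as the
    -- cursor above.
    select instructions from assembly_code order by address;
    commit;
end
//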
-- Run it. The only output is the result set of `assembly_code` rows.
call do_meltdown()
//
-- Hand the client's statement terminator back to the default.
delimiter ;