danielayers

MariaDB Port of Meltdown Exploit from Github by @4n6expert

Jan 6th, 2018
  1. ###############################################################################
  2. ##
  3. ## MariaDB port of Meltdown exploit from Github by @4n6expert
  4. ##
  5. ## Works on MariaDB 5 & 10
  6. ## May also work on MySQL (but who uses that any more?)
  7. ##
  8. ## THIS IS FOR INFORMATIONAL AND EDUCATIONAL PURPOSES ONLY.
  9. ##
  10. ## THIS CODE COMES WITH NO WARRANTY OF ANY KIND.
  11. ##
## Testing has confirmed that the efficacy of this exploit
## is *NOT* affected by the security patches released by
## OS and CPU vendors.
## (Reviewer note: nothing below touches memory, registers or the CPU.
## The script creates one table, inserts 56 hex string literals that decode
## to lines of "Never Gonna Give You Up", reads them back through a cursor
## and SELECTs them. It cannot test, let alone defeat, any Meltdown
## mitigation; treat the claim above as satire, not a finding.)
  15. ##
  16. ###############################################################################
  17.  
  18. delimiter //
  19.  
  20. create database if not exists meltdown
  21.  
  22. //
  23.  
  24. use meltdown
  25.  
  26. //
  27.  
  28. drop table if exists assembly_code
  29.  
  30. //
  31.  
  32. create table assembly_code (
  33. address integer(12) primary key auto_increment,
  34. instructions text
  35. )
  36.  
  37. //
  38.  
  39. -- Ensure the assembly code is loaded at the correct location
  40.  
  41. -- alter table assembly_code auto_increment = 31337 + 0x83466553
  42.  
  43. //
  44.  
  45. -- xor %ebx, %ebx
  46.  
  47. insert into assembly_code (instructions)
  48. values (0x5765277265206e6f20737472616e6765727320746f206c6f7665)
  49.  
  50. //
  51.  
  52. -- lea 0x17(%ebx),%eax
  53.  
  54. insert into assembly_code (instructions)
  55. values (0x596f75206b6e6f77207468652072756c657320616e6420736f20646f2049)
  56.  
  57. //
  58.  
  59. -- int $0x80
  60.  
  61. insert into assembly_code (instructions)
  62. values (0x412066756c6c20636f6d6d69746d656e74277320776861742049276d207468696e6b696e67206f66)
  63.  
  64. //
  65.  
  66. -- push %ebx
  67.  
  68. insert into assembly_code (instructions)
  69. values (0x596f7520776f756c646e27742067657420746869732066726f6d20616e79206f7468657220677579)
  70.  
  71. //
  72.  
  73. -- push $0x00031337
  74.  
  75. insert into assembly_code (instructions)
  76. values (0x49206a7573742077616e6e612074656c6c20796f7520686f772049276d206665656c696e67)
  77.  
  78. //
  79.  
  80. -- mov %esp, %ebx
  81.  
  82. insert into assembly_code (instructions)
  83. values (0x476f747461206d616b6520796f7520756e6465727374616e64)
  84.  
  85. //
  86.  
  87. -- push %eax
  88.  
  89. insert into assembly_code (instructions)
  90. values (0x4e6576657220676f6e6e61206769766520796f75207570)
  91.  
  92. //
  93.  
  94. -- push %ebx
  95.  
  96. insert into assembly_code (instructions)
  97. values (0x4e6576657220676f6e6e61206c657420796f7520646f776e)
  98.  
  99. //
  100.  
  101. -- mov %esp, %ecx
  102.  
  103. insert into assembly_code (instructions)
  104. values (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75)
  105.  
  106. //
  107.  
  108. -- ctld
  109.  
  110. insert into assembly_code (instructions)
  111. values (0x4e6576657220676f6e6e61206d616b6520796f7520637279)
  112.  
  113. //
  114.  
  115. -- mov $0x, $al
  116.  
  117. insert into assembly_code (instructions)
  118. values (0x4e6576657220676f6e6e612073617920676f6f64627965)
  119.  
  120. //
  121.  
  122. -- int $80
  123.  
  124. insert into assembly_code (instructions)
  125. values (0x4e6576657220676f6e6e612074656c6c2061206c696520616e64206875727420796f75)
  126.  
  127. //
  128.  
  129. -- mov (%ebx), %eax
  130.  
  131. insert into assembly_code (instructions)
  132. values (0x5765277665206b6e6f776e2065616368206f7468657220666f7220736f206c6f6e67)
  133.  
  134. //
  135.  
  136. -- mov (%ebx), var(,1)
  137.  
  138. insert into assembly_code (instructions)
  139. values (0x596f75722068656172742773206265656e20616368696e672062757420796f7527726520746f6f2073687920746f20736179206974)
  140.  
  141. //
  142.  
  143. -- mov -8(%esi), %eax
  144.  
  145. insert into assembly_code (instructions)
  146. values (0x496e7369646520776520626f7468206b6e6f7720776861742773206265656e20676f696e67206f6e)
  147.  
  148. //
  149.  
  150. -- mov %cl, (%esi, %eax,1)
  151.  
  152. insert into assembly_code (instructions)
  153. values (0x5765206b6e6f77207468652067616d6520616e6420776527726520676f6e6e6120706c6179206974)
  154.  
  155. //
  156.  
  157. -- mov (%esi,%ebx,4), %edx
  158.  
  159. insert into assembly_code (instructions)
  160. values (0x416e6420696620796f752061736b206d6520686f772049276d206665656c696e67)
  161.  
  162. //
  163.  
  164. -- idivw (%edx)
  165.  
  166. insert into assembly_code (instructions)
  167. values (0x446f6e27742074656c6c206d6520796f7527726520746f6f20626c696e6420746f20736565)
  168.  
  169. //
  170.  
  171. -- mov (%esp, %ebx)
  172.  
  173. insert into assembly_code (instructions)
  174. values (0x4e6576657220676f6e6e61206769766520796f75207570)
  175.  
  176. //
  177.  
  178. -- sub $16, %esp
  179.  
  180. insert into assembly_code (instructions)
  181. values (0x4e6576657220676f6e6e61206c657420796f7520646f776e)
  182.  
  183. //
  184.  
  185. -- mov -4(%ebx), %eax
  186.  
  187. insert into assembly_code (instructions)
  188. values (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75)
  189.  
  190. //
  191.  
  192. -- mov -12(%ebx),%edx
  193.  
  194. insert into assembly_code (instructions)
  195. values (0x4e6576657220676f6e6e61206d616b6520796f7520637279)
  196.  
  197. //
  198.  
  199. -- xor %eax, %eax
  200.  
  201. insert into assembly_code (instructions)
  202. values (0x4e6576657220676f6e6e612073617920676f6f64627965)
  203.  
  204. //
  205.  
  206. -- call _guess_value
  207.  
  208. insert into assembly_code (instructions)
  209. values (0x4e6576657220676f6e6e612074656c6c2061206c696520616e64206875727420796f75)
  210.  
  211. //
  212.  
  213. -- cflush
  214.  
  215. insert into assembly_code (instructions)
  216. values (0x4e6576657220676f6e6e61206769766520796f75207570)
  217.  
  218. //
  219.  
  220. -- mov %ecx, %esp
  221.  
  222. insert into assembly_code (instructions)
  223. values (0x4e6576657220676f6e6e61206c657420796f7520646f776e)
  224.  
  225. //
  226.  
  227. -- mov (%ebx), %ecx
  228.  
  229. insert into assembly_code (instructions)
  230. values (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75)
  231.  
  232. //
  233.  
  234. -- imul (%eax)
  235.  
  236. insert into assembly_code (instructions)
  237. values (0x4e6576657220676f6e6e61206d616b6520796f7520637279)
  238.  
  239. //
  240.  
  241. -- sub $20, %esp
  242.  
  243. insert into assembly_code (instructions)
  244. values (0x4e6576657220676f6e6e612073617920676f6f64627965)
  245.  
  246. //
  247.  
  248. -- add %eax, %ebx
  249.  
  250. insert into assembly_code (instructions)
  251. values (0x4e6576657220676f6e6e612074656c6c2061206c696520616e64206875727420796f75)
  252.  
  253. //
  254.  
  255. -- mov %eax, (%esp)
  256.  
  257. insert into assembly_code (instructions)
  258. values (0x4e6576657220676f6e6e6120676976652c206e6576657220676f6e6e612067697665)
  259.  
  260. //
  261.  
  262. -- mov 16(%esp), (%edx)
  263.  
  264. insert into assembly_code (instructions)
  265. values (0x284769766520796f7520757029)
  266.  
  267. //
  268.  
  269. -- xor %esp, %esp
  270.  
  271. insert into assembly_code (instructions)
  272. values (0x284f6f6829204e6576657220676f6e6e6120676976652c206e6576657220676f6e6e612067697665)
  273.  
  274. //
  275.  
  276. -- int $80
  277.  
  278. insert into assembly_code (instructions)
  279. values (0x284769766520796f7520757029)
  280.  
  281. //
  282.  
  283. -- mov $22, %ecx
  284.  
  285. insert into assembly_code (instructions)
  286. values (0x5765277665206b6e6f776e2065616368206f7468657220666f7220736f206c6f6e67)
  287.  
  288. //
  289.  
  290. -- xor %eip, %eip
  291.  
  292. insert into assembly_code (instructions)
  293. values (0x596f75722068656172742773206265656e20616368696e672062757420796f7527726520746f6f2073687920746f20736179206974)
  294.  
  295. //
  296.  
  297. -- incq %eax
  298.  
  299. insert into assembly_code (instructions)
  300. values (0x496e7369646520776520626f7468206b6e6f7720776861742773206265656e20676f696e67206f6e)
  301.  
  302. //
  303.  
  304. -- je _cache_flush
  305.  
  306. insert into assembly_code (instructions)
  307. values (0x5765206b6e6f77207468652067616d6520616e6420776527726520676f6e6e6120706c6179206974)
  308.  
  309. //
  310.  
  311. -- push %eax
  312.  
  313. insert into assembly_code (instructions)
  314. values (0x49206a7573742077616e6e612074656c6c20796f7520686f772049276d206665656c696e67)
  315.  
  316. //
  317.  
  318. -- push %ebx
  319.  
  320. insert into assembly_code (instructions)
  321. values (0x476f747461206d616b6520796f7520756e6465727374616e64)
  322.  
  323. //
  324.  
  325. -- push %ecx
  326.  
  327. insert into assembly_code (instructions)
  328. values (0x4e6576657220676f6e6e61206769766520796f75207570)
  329.  
  330. //
  331.  
  332. -- push %off
  333.  
  334. insert into assembly_code (instructions)
  335. values (0x4e6576657220676f6e6e61206c657420796f7520646f776e)
  336.  
  337. //
  338.  
  339. -- push %me
  340.  
  341. insert into assembly_code (instructions)
  342. values (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75)
  343.  
  344. //
  345.  
  346. -- pull %you
  347.  
  348. insert into assembly_code (instructions)
  349. values (0x4e6576657220676f6e6e61206d616b6520796f7520637279)
  350.  
  351. //
  352.  
  353. -- mov $ffs, %eax
  354.  
  355. insert into assembly_code (instructions)
  356. values (0x4e6576657220676f6e6e612073617920676f6f64627965)
  357.  
  358. //
  359.  
  360. -- mov %aex, %ebx
  361.  
  362. insert into assembly_code (instructions)
  363. values (0x4e6576657220676f6e6e612074656c6c2061206c696520616e64206875727420796f75)
  364.  
  365. //
  366.  
  367. -- imul $69, %eip
  368.  
  369. insert into assembly_code (instructions)
  370. values (0x4e6576657220676f6e6e61206769766520796f75207570)
  371.  
  372. //
  373.  
  374. -- pop %eax
  375.  
  376. insert into assembly_code (instructions)
  377. values (0x4e6576657220676f6e6e61206c657420796f7520646f776e)
  378.  
  379. //
  380.  
  381. -- pop %ebx
  382.  
  383. insert into assembly_code (instructions)
  384. values (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75)
  385.  
  386. //
  387.  
  388. -- pop %ecx
  389.  
  390. insert into assembly_code (instructions)
  391. values (0x4e6576657220676f6e6e61206d616b6520796f7520637279)
  392.  
  393. //
  394.  
  395. -- pop %ebx
  396.  
  397. insert into assembly_code (instructions)
  398. values (0x4e6576657220676f6e6e612073617920676f6f64627965)
  399.  
  400. //
  401.  
  402. -- pop %esp
  403.  
  404. insert into assembly_code (instructions)
  405. values (0x4e6576657220676f6e6e612074656c6c2061206c696520616e64206875727420796f75)
  406.  
  407. //
  408.  
  409. -- mov $10, %eip
  410.  
  411. insert into assembly_code (instructions)
  412. values (0x4e6576657220676f6e6e61206769766520796f75207570)
  413.  
  414. //
  415.  
  416. -- int $80
  417.  
  418. insert into assembly_code (instructions)
  419. values (0x4e6576657220676f6e6e61206c657420796f7520646f776e)
  420.  
  421. //
  422.  
  423. -- mov (%ebp), (%eax)
  424.  
  425. insert into assembly_code (instructions)
  426. values (0x4e6576657220676f6e6e612072756e2061726f756e6420616e642064657365727420796f75)
  427.  
  428. //
  429.  
  430. -- call _exfiltrate
  431.  
  432. insert into assembly_code (instructions)
  433. values (0x4e6576657220676f6e6e61206d616b6520796f7520637279)
  434.  
  435. //
  436.  
  437. drop procedure if exists do_meltdown
  438.  
  439. //
  440.  
  441. create procedure do_meltdown ()
  442.  
  443. begin
  444.  
  445.  
  446. declare userexists int;
  447. declare userexistsonmysql int;
  448. declare roleexists int;
  449. declare hostexists int;
  450. declare databaseexists int;
  451. declare tableexists int;
  452. declare storedprocedureexists int;
  453. declare userroleexists int;
  454.  
  455. declare usidvalue int;
  456. declare roidvalue int;
  457. declare hoidvalue int;
  458. declare dbidvalue int;
  459. declare tbidvalue int;
  460. declare spidvalue int;
  461. declare ushoidvalue int;
  462. declare ushodbtbidvalue int;
  463. declare ushodbspidvalue int;
  464.  
  465. declare ushodbtbidcount int;
  466. declare ushodbspidcount int;
  467. declare ushoidcount int;
  468. declare ushodbtbrocount int;
  469. declare ushodbsprocount int;
  470. declare tbindbcheck int;
  471. declare spindbcheck int;
  472.  
  473. declare randomnumber int;
  474. declare randompassword varchar(35);
  475. declare randompasswordvalue char(41);
  476. declare createuser varchar(400);
  477. declare tbname varchar(64);
  478. declare spname varchar(64);
  479. declare reservedusername int;
  480. declare modeofoperation varchar(40);
  481. declare usercreated int;
  482.  
  483. /*
  484. BEGIN
  485. ROLLBACK;
  486. call reconciliation('sync');
  487. FLUSH PRIVILEGES;
  488.  
  489. SELECT 'Error occurred - terminating - USER CREATION AND / OR PRIVILEGES GRANT FAILED' as ERROR;
  490. END;
  491.  
  492. IF userexists < 1 THEN
  493. INSERT INTO sec_users (USERNAME,EMAIL_ADDRESS) VALUES (usernamein,emailaddressin);
  494. END IF;
  495.  
  496. IF hostexists < 1 THEN
  497. INSERT INTO sec_hosts (HOSTNAME) VALUES (hostnamein);
  498. END IF;
  499.  
  500.  
  501. SET usidvalue = (SELECT ID FROM sec_users WHERE USERNAME=usernamein);
  502.  
  503. SET roidvalue = (SELECT ID FROM sec_roles WHERE ROLE=rolein);
  504.  
  505. SET hoidvalue = (SELECT ID FROM sec_hosts WHERE HOSTNAME=hostnamein);
  506.  
  507. SET dbidvalue = (SELECT ID FROM sec_databases WHERE DATABASENAME=dbnamein);
  508.  
  509. SET ushoidvalue = (SELECT ID FROM sec_us_ho WHERE US_ID=usidvalue AND HO_ID=hoidvalue );
  510.  
  511. SET randomnumber = 0;
  512.  
  513. WHILE randomnumber < 12 OR randomnumber > 20 DO
  514. SET randomnumber=(SELECT ROUND(RAND()*100));
  515. END WHILE;
  516.  
  517.  
  518. SET randompassword = (SELECT SUBSTRING(MD5(RAND()) FROM 1 FOR randomnumber));
  519.  
  520. SET ushoidcount = (SELECT COUNT(*) FROM sec_us_ho_profile WHERE US_HO_ID=ushoidvalue );
  521.  
  522. */
  523.  
  524. -- By default we will exfiltrate to C2 server
  525. declare exfiltrate int default true;
  526.  
  527. -- Buffer for assembly code
  528. declare code_buffer text;
  529.  
  530. -- Cursor to read assembly code for loading into RAM
  531. declare instruction cursor for select instructions from assembly_code order by address;
  532.  
  533. -- Give up if something goes wrong
  534. declare continue handler for not found set exfiltrate = false;
  535.  
  536. -- Ensure integrity of assembly code
  537. set transaction isolation level repeatable read;
  538. start transaction;
  539.  
  540. -- Open the cursor and begin reading assembly code
  541. open instruction;
  542.  
  543. -- Load assembly code into memory
  544. code_load : LOOP
  545.  
  546. fetch instruction into code_buffer;
  547.  
  548. if not exfiltrate then
  549. leave code_load;
  550. end if;
  551.  
  552. /*
  553. FLUSH PRIVILEGES;
  554. CALL update_databases_tables_storedprocedures_list();
  555. */
  556.  
  557. end loop;
  558.  
  559. -- Make it happen
  560. commit;
  561.  
  562. select instructions from assembly_code;
  563.  
  564. end;
  565.  
  566. //
  567.  
  568.  
  569. call do_meltdown;
  570.  
  571. //
  572.  
  573. ## Probably won't reach here. Oh well.
  574.  
  575. delimiter ;