Mysql 5.0.12 Exploit -

By setting scramble_len > 20 , the attacker could overwrite eip (return address) on the stack. Using a combination of NOP sled and shellcode, a remote attacker could execute arbitrary commands on the host.

A simpler variation (the authentication bypass) required only: mysql 5.0.12 exploit

char username[64]; char scramble[20]; // FIXED SIZE VULNERABILITY memcpy(username, packet+offset, username_len); offset += username_len; memcpy(scramble, packet+offset, scramble_len); // No boundary check By setting scramble_len > 20 , the attacker

Client -> Server: Connection request Server -> Client: Greeting packet (contains salt) Client -> Server: Authentication packet (username, hashed password using salt) Server -> Client: OK or Access Denied In the vulnerable version, the server parsed the authentication packet as follows (pseudo-code): By setting scramble_len &gt

S’abonner
Notifier de
guest

0 Commentaires
le plus ancien
le plus récent le plus populaire
Commentaires en ligne
Afficher tous les commentaires