By setting scramble_len > 20 , the attacker could overwrite eip (return address) on the stack. Using a combination of NOP sled and shellcode, a remote attacker could execute arbitrary commands on the host.
char username[64]; char scramble[20]; // FIXED SIZE VULNERABILITY memcpy(username, packet+offset, username_len); offset += username_len; memcpy(scramble, packet+offset, scramble_len); // No boundary check mysql 5.0.12 exploit
Client -> Server: Connection request Server -> Client: Greeting packet (contains salt) Client -> Server: Authentication packet (username, hashed password using salt) Server -> Client: OK or Access Denied In the vulnerable version, the server parsed the authentication packet as follows (pseudo-code): By setting scramble_len > 20 , the attacker