## https://sploitus.com/exploit?id=8553A7DE-DB35-548C-90BE-B96055C99010
# informix-informixdir-bof
A root shell exploit for a stack-based buffer overflow vulnerability in IBM Informix, triggered in Informix main executable onmode via the `$INFORMIXDIR` environment variable on AIX 5L running on IBM PowerPC architecture.
## Overview
The vulnerable target is the `onmode` utility located at `/informix/bin/onmode`. By passing an oversized `INFORMIXDIR` environment variable, an attacker can overwrite the return address on the stack and redirect execution to attacker-controlled shellcode.
The exploit uses a classic NOP-sled technique: the constructed buffer is filled with PowerPC NOP instructions in the first half, followed by shellcode in the middle, with the target return address sprayed across the remainder. The shellcode spawns `/bin/sh`.
## Target Environment
| Component | Details |
|--------------|--------------------------------|
| OS | IBM AIX 5L |
| Architecture | IBM PowerPC |
| Application | IBM Informix |
| Binary | `/informix/bin/onmode` |
| Vector | `$INFORMIXDIR` environment variable |
## Usage
```bash
gcc expnew-works.c -o exploit
./exploit
```
**Parameters:**
- `buffer_size` โ Size of the exploit buffer (will be rounded down to nearest 8-byte boundary). Start with values around `4000`โ`8000` and adjust based on results.
- `offset` โ Stack offset used to calculate the return address. Tune this value based on the target environment's stack layout.
**Example:**
```bash
./exploit 4096 200
```
## How It Works
1. Calculates a target return address based on the current environment pointer and the provided offset.
2. Fills the buffer with the target address (return address spray).
3. Overwrites the first half of the buffer with PowerPC NOP sleds (`\x7c\xa5\x2a\x79`).
4. Inserts the shellcode at the midpoint of the buffer.
5. Prepends `INFORMIXDIR=` to the buffer and passes it as an environment variable to `onmode` via `execle()`.
## Shellcode
The embedded PowerPC shellcode executes `/bin/sh`. It is position-independent and suitable for stack-based exploitation on AIX 5L / PowerPC.
## Privilege Escalation
`onmode` is installed with the **setuid bit** set, meaning it runs with root privileges regardless of who invokes it. A local attacker can exploit this vulnerability to achieve a root shell without requiring any elevated permissions.
## Reliability & Running in a Loop
Due to memory address randomization, the exploit may not succeed on the first attempt. It is recommended to run it in a loop from the shell until a root shell is obtained. This typically takes a few minutes.
```bash
while true; do ./exploit 4096 200; done
```
## Disclaimer
This code is intended for **security research and educational purposes only**. Use only on systems you own or have explicit written permission to test. Unauthorized use against production systems is illegal and unethical.