XFree86 font.alias exploit hangup....
From: Dev <u02113 () cs unipune ernet in>
Date: 22 Feb 2004 10:51:18 -0000
Hello ppl,
Apart from the few tweaks required to make most exploits work (especially recently, like changing /tmp//id to /bin//sh
in the XFree86 font.alias local exploit et al.), I guess some more work is required to get the root shell.
My problem is that once I launch the exploit, the X display appears momentarily and the keyboard locks up, so now I can
only access the box from the network, in a different shell.
Offsets etc. are all fine, and an strace yields the following log, which does indicate that the exploit was successful and
execve'd /bin//sh. But I am confused about the last few lines of the strace log.
[ffffe002] fcntl64(8, F_SETFL, O_RDWR|O_NONBLOCK|O_ASYNC) = 0
[ffffe002] getpid() = 997
[ffffe002] fcntl64(8, F_SETOWN, 997) = 0
[ffffe002] rt_sigaction(SIGIO, {0x809d800, [IO], SA_RESTORER, 0x420275c8}, {0x809d800, [IO], SA_RESTORER, 0x420275c8},
8) = 0
[ffffe002] rt_sigprocmask(SIG_UNBLOCK, [IO], NULL, 8) = 0
[ffffe002] rt_sigprocmask(SIG_BLOCK, [IO], [], 8) = 0
[ffffe002] rt_sigprocmask(SIG_UNBLOCK, [IO], NULL, 8) = 0
[ffffe002] brk(0) = 0x8735000
[ffffe002] brk(0x8736000) = 0x8736000
[ffffe002] open("/tmp/fonts.dir", O_RDONLY) = 9
[ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=68, ...}) = 0
[ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=68, ...}) = 0
[ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40027000
[ffffe002] read(9, "1\naaaa.pcf -aaaa-fixed-small-a-s"..., 4096) = 68
[ffffe002] read(9, "", 4096) = 0
[ffffe002] brk(0) = 0x8736000
[ffffe002] brk(0x8739000) = 0x8739000
[ffffe002] read(9, "", 4096) = 0
[ffffe002] close(9) = 0
[ffffe002] munmap(0x40027000, 4096) = 0
[ffffe002] open("/tmp/fonts.alias", O_RDONLY) = 9
[ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=1059, ...}) = 0
[ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=1059, ...}) = 0
[ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40027000
[ffffe002] read(9, "|\336\377\277|\336\377\277|\336\377\277|\336\377\277|\336"..., 4096) = 1059
[ffffe002] brk(0) = 0x8739000
[ffffe002] brk(0x873a000) = 0x873a000
[ffffe002] close(9) = 0
[ffffe002] munmap(0x40027000, 4096) = 0
[bfffffd4] setuid(0) = 0
===>>
[bfffffec] execve("/bin//sh", ["/bin//sh"], [/* 96 vars */]) = 0
[4001117d] uname({sys="Linux", node="cs109.cs.unipune.ernet.in", ...}) = 0
[4000fb85] brk(0) = 0x80e5b54
[400110bd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
[40010b44] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
[40010b44] open("/etc/ld.so.cache", O_RDONLY) = 9
[400109bd] fstat64(9, {st_mode=S_IFREG|0644, st_size=115094, ...}) = 0
[400110bd] old_mmap(NULL, 115094, PROT_READ, MAP_PRIVATE, 9, 0) = 0x40017000
[40010b7d] close(9) = 0
[40010b44] open("/lib/libtermcap.so.2", O_RDONLY) = 9
[40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\r\0"..., 512) = 512
[400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=11784, ...}) = 0
[400110bd] old_mmap(NULL, 14856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x40034000
[400110bd] old_mmap(0x40037000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0x2000) = 0x40037000
[40010b7d] close(9) = 0
[40010b44] open("/lib/libdl.so.2", O_RDONLY) = 9
[40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\26"...,
512) = 512
[400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=15084, ...}) = 0
[400110bd] old_mmap(NULL, 8620, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x40038000
[400110bd] old_mmap(0x4003a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0x2000) = 0x4003a000
[40010b7d] close(9) = 0
[40010b44] open("/lib/tls/libc.so.6", O_RDONLY) = 9
[40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512
[400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=1531064, ...}) = 0
[400110bd] old_mmap(0x42000000, 1257224, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x42000000
[400110bd] old_mmap(0x4212e000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0x12e000) = 0x4212e000
[400110bd] old_mmap(0x42131000, 7944, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42131000
[40010b7d] close(9) = 0
[400110bd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4003b000
[400016f3] set_thread_area({entry_number:-1 -> 6, base_addr:0x4003b280, limit:1048575, seg_32bit:1, contents:0,
read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
[40011101] munmap(0x40017000, 115094) = 0
[ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
[ffffe002] open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = -1 ENXIO (No such device or address)
[ffffe002] ioctl(0, SNDCTL_TMR_TIMEBASE, 0xbffff5c0) = -1 ENOTTY (Inappropriate
ioctl for device)
[ffffe002] brk(0) = 0x80e5b54
[ffffe002] brk(0) = 0x80e5b54
[ffffe002] brk(0x80e6000) = 0x80e6000
[ffffe002] brk(0) = 0x80e6000
[ffffe002] brk(0x80e7000) = 0x80e7000
[ffffe002] getuid32() = 0
[ffffe002] getgid32() = 0
[ffffe002] geteuid32() = 0
[ffffe002] getegid32() = 0
[ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
[ffffe002] time(NULL) = 1077445115
[ffffe002] brk(0) = 0x80e7000
[ffffe002] brk(0x80e8000) = 0x80e8000
[ffffe002] ioctl(0, SNDCTL_TMR_TIMEBASE, 0xbffff710) = -1 ENOTTY (Inappropriate
ioctl for device)
[ffffe002] brk(0) = 0x80e8000
[ffffe002] brk(0x80e9000) = 0x80e9000
[ffffe002] open("/etc/mtab", O_RDONLY) = 9
[ffffe002] fstat64(9, {st_mode=S_IFREG|0644, st_size=337, ...}) = 0
[ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
[ffffe002] read(9, "/dev/hda1 / ext3 rw 0 0\nnone /pr"..., 4096) = 337
[ffffe002] close(9) = 0
[ffffe002] munmap(0x40017000, 4096) = 0
[ffffe002] open("/proc/meminfo", O_RDONLY) = 9
[ffffe002] fstat64(9, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
[ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
[ffffe002] read(9, " total: used: free:"..., 4096) = 650
[ffffe002] close(9) = 0
[ffffe002] munmap(0x40017000, 4096) = 0
[ffffe002] brk(0) = 0x80e9000
[ffffe002] brk(0x80ea000) = 0x80ea000
[ffffe002] rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0
[ffffe002] rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0
[ffffe002] rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0
[ffffe002] rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0
[ffffe002] rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
[ffffe002] rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
[ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
[ffffe002] rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0
[ffffe002] uname({sys="Linux", node="cs109.cs.unipune.ernet.in", ...}) = 0
[ffffe002] brk(0) = 0x80ea000
[ffffe002] brk(0x80ec000) = 0x80ec000
[ffffe002] getcwd("/root", 4096) = 6
[ffffe002] getpid() = 997
[ffffe002] getppid() = 996
[ffffe002] socket(PF_UNIX, SOCK_STREAM, 0) = 9
[ffffe002] connect(9, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) =
-1 ENOENT (No such file or directory)
[ffffe002] close(9) = 0
[ffffe002] open("/etc/nsswitch.conf", O_RDONLY) = 9
[ffffe002] fstat64(9, {st_mode=S_IFREG|0644, st_size=1718, ...}) = 0
[ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
[ffffe002] read(9, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1718
[ffffe002] read(9, "", 4096) = 0
[ffffe002] close(9) = 0
[ffffe002] munmap(0x40017000, 4096) = 0
[40010b44] open("/etc/ld.so.cache", O_RDONLY) = 9
[400109bd] fstat64(9, {st_mode=S_IFREG|0644, st_size=115094, ...}) = 0
[400110bd] old_mmap(NULL, 115094, PROT_READ, MAP_PRIVATE, 9, 0) = 0x40017000
[40010b7d] close(9) = 0
[40010b44] open("/lib/libnss_files.so.2", O_RDONLY) = 9
[40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\35\0"..., 512) = 512
[400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=52472, ...}) = 0
[ffffe002] brk(0) = 0x80ec000
[ffffe002] brk(0x80ed000) = 0x80ed000
[400110bd] old_mmap(NULL, 47068, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x4003c000
[400110bd] old_mmap(0x40047000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0xa000) = 0x40047000
[40010b7d] close(9) = 0
[40011101] munmap(0x40017000, 115094) = 0
[ffffe002] open("/etc/passwd", O_RDONLY) = 9
[ffffe002] fcntl64(9, F_GETFD) = 0
[ffffe002] fcntl64(9, F_SETFD, FD_CLOEXEC) = 0
[ffffe002] fstat64(9, {st_mode=S_IFREG|0644, st_size=2407, ...}) = 0
[ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
[ffffe002] read(9, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2407
[ffffe002] close(9) = 0
[ffffe002] munmap(0x40017000, 4096) = 0
[ffffe002] getpgrp() = 997
[ffffe002] rt_sigaction(SIGCHLD, {0x8076d30, [], SA_RESTORER, 0x420275c8}, {SIG_DFL}, 8) = 0
[ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
[ffffe002] fcntl64(0, F_GETFL) = 0x1 (flags O_WRONLY)
[ffffe002] fstat64(0, {st_mode=S_IFREG|0644, st_size=51131, ...}) = 0
[ffffe002] _llseek(0, 0, [51131], SEEK_CUR) = 0
[ffffe002] brk(0) = 0x80ed000
[ffffe002] brk(0x80ef000) = 0x80ef000
[ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
==> what's this???
[ffffe002] read(0, 0x80ed008, 8176) = -1 EBADF (Bad file descriptor)
==> so what happens to my root shell here??
[ffffe002] exit_group(0) = ?
Please tell me whether my root shell has exited because of some error in the last few calls.
Thanks & regards
Devrat Mittal
u02113 () cs unipune ernet in
Department of computer Science
University of Pune.
