XFree86 font.alias exploit hangup....

From: Dev (u02113_at_cs.unipune.ernet.in)
Date: 02/22/04

    Date: 22 Feb 2004 10:51:18 -0000
    To: vuln-dev@securityfocus.com
    
    

    Hello ppl,

    Apart from the few tweaks required to make most exploits work (especially recently, like changing /tmp//id to /bin//sh in the XFree86 font.alias local exploit et al.), I guess some more work is required to get the root shell.

    My problem is that once I launch the exploit the X display appears momentarily & the keyboard locks up, so now I can only access the box from the network & on a different shell.

    Offsets etc. are all fine & an strace yields the following log, which does indicate that the exploit was successful & execve'd /bin//sh. But I am confused about the last few lines of the strace log.

    [ffffe002] fcntl64(8, F_SETFL, O_RDWR|O_NONBLOCK|O_ASYNC) = 0
    [ffffe002] getpid() = 997
    [ffffe002] fcntl64(8, F_SETOWN, 997) = 0
    [ffffe002] rt_sigaction(SIGIO, {0x809d800, [IO], SA_RESTORER, 0x420275c8}, {0x809d800, [IO], SA_RESTORER, 0x420275c8}, 8) = 0
    [ffffe002] rt_sigprocmask(SIG_UNBLOCK, [IO], NULL, 8) = 0
    [ffffe002] rt_sigprocmask(SIG_BLOCK, [IO], [], 8) = 0
    [ffffe002] rt_sigprocmask(SIG_UNBLOCK, [IO], NULL, 8) = 0
    [ffffe002] brk(0) = 0x8735000
    [ffffe002] brk(0x8736000) = 0x8736000
    [ffffe002] open("/tmp/fonts.dir", O_RDONLY) = 9
    [ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=68, ...}) = 0
    [ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=68, ...}) = 0
    [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40027000
    [ffffe002] read(9, "1\naaaa.pcf -aaaa-fixed-small-a-s"..., 4096) = 68
    [ffffe002] read(9, "", 4096) = 0
    [ffffe002] brk(0) = 0x8736000
    [ffffe002] brk(0x8739000) = 0x8739000
    [ffffe002] read(9, "", 4096) = 0
    [ffffe002] close(9) = 0
    [ffffe002] munmap(0x40027000, 4096) = 0
    [ffffe002] open("/tmp/fonts.alias", O_RDONLY) = 9
    [ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=1059, ...}) = 0
    [ffffe002] fstat64(9, {st_mode=S_IFREG|0600, st_size=1059, ...}) = 0
    [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40027000
    [ffffe002] read(9, "|\336\377\277|\336\377\277|\336\377\277|\336\377\277|\336"..., 4096) = 1059
    [ffffe002] brk(0) = 0x8739000
    [ffffe002] brk(0x873a000) = 0x873a000
    [ffffe002] close(9) = 0
    [ffffe002] munmap(0x40027000, 4096) = 0
    [bfffffd4] setuid(0) = 0

    ===>>

    [bfffffec] execve("/bin//sh", ["/bin//sh"], [/* 96 vars */]) = 0
    [4001117d] uname({sys="Linux", node="cs109.cs.unipune.ernet.in", ...}) = 0
    [4000fb85] brk(0) = 0x80e5b54
    [400110bd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
    [40010b44] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
    [40010b44] open("/etc/ld.so.cache", O_RDONLY) = 9
    [400109bd] fstat64(9, {st_mode=S_IFREG|0644, st_size=115094, ...}) = 0
    [400110bd] old_mmap(NULL, 115094, PROT_READ, MAP_PRIVATE, 9, 0) = 0x40017000
    [40010b7d] close(9) = 0
    [40010b44] open("/lib/libtermcap.so.2", O_RDONLY) = 9
    [40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\r\0"..., 512) = 512
    [400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=11784, ...}) = 0
    [400110bd] old_mmap(NULL, 14856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x40034000
    [400110bd] old_mmap(0x40037000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0x2000) = 0x40037000
    [40010b7d] close(9) = 0
    [40010b44] open("/lib/libdl.so.2", O_RDONLY) = 9
    [40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\26"..., 512) = 512
    [400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=15084, ...}) = 0
    [400110bd] old_mmap(NULL, 8620, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x40038000
    [400110bd] old_mmap(0x4003a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0x2000) = 0x4003a000
    [40010b7d] close(9) = 0
    [40010b44] open("/lib/tls/libc.so.6", O_RDONLY) = 9
    [40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512
    [400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=1531064, ...}) = 0
    [400110bd] old_mmap(0x42000000, 1257224, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x42000000
    [400110bd] old_mmap(0x4212e000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0x12e000) = 0x4212e000
    [400110bd] old_mmap(0x42131000, 7944, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42131000
    [40010b7d] close(9) = 0
    [400110bd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4003b000
    [400016f3] set_thread_area({entry_number:-1 -> 6, base_addr:0x4003b280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
    [40011101] munmap(0x40017000, 115094) = 0
    [ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
    [ffffe002] open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = -1 ENXIO (No such device or address)
    [ffffe002] ioctl(0, SNDCTL_TMR_TIMEBASE, 0xbffff5c0) = -1 ENOTTY (Inappropriate ioctl for device)
    [ffffe002] brk(0) = 0x80e5b54
    [ffffe002] brk(0) = 0x80e5b54
    [ffffe002] brk(0x80e6000) = 0x80e6000
    [ffffe002] brk(0) = 0x80e6000
    [ffffe002] brk(0x80e7000) = 0x80e7000
    [ffffe002] getuid32() = 0
    [ffffe002] getgid32() = 0
    [ffffe002] geteuid32() = 0
    [ffffe002] getegid32() = 0
    [ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
    [ffffe002] time(NULL) = 1077445115
    [ffffe002] brk(0) = 0x80e7000
    [ffffe002] brk(0x80e8000) = 0x80e8000
    [ffffe002] ioctl(0, SNDCTL_TMR_TIMEBASE, 0xbffff710) = -1 ENOTTY (Inappropriate ioctl for device)
    [ffffe002] brk(0) = 0x80e8000
    [ffffe002] brk(0x80e9000) = 0x80e9000
    [ffffe002] open("/etc/mtab", O_RDONLY) = 9
    [ffffe002] fstat64(9, {st_mode=S_IFREG|0644, st_size=337, ...}) = 0
    [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
    [ffffe002] read(9, "/dev/hda1 / ext3 rw 0 0\nnone /pr"..., 4096) = 337
    [ffffe002] close(9) = 0
    [ffffe002] munmap(0x40017000, 4096) = 0
    [ffffe002] open("/proc/meminfo", O_RDONLY) = 9
    [ffffe002] fstat64(9, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
    [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
    [ffffe002] read(9, " total: used: free:"..., 4096) = 650
    [ffffe002] close(9) = 0
    [ffffe002] munmap(0x40017000, 4096) = 0
    [ffffe002] brk(0) = 0x80e9000
    [ffffe002] brk(0x80ea000) = 0x80ea000
    [ffffe002] rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0
    [ffffe002] rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0
    [ffffe002] rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0
    [ffffe002] rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0
    [ffffe002] rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
    [ffffe002] rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0
    [ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
    [ffffe002] rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0
    [ffffe002] uname({sys="Linux", node="cs109.cs.unipune.ernet.in", ...}) = 0
    [ffffe002] brk(0) = 0x80ea000
    [ffffe002] brk(0x80ec000) = 0x80ec000
    [ffffe002] getcwd("/root", 4096) = 6
    [ffffe002] getpid() = 997
    [ffffe002] getppid() = 996
    [ffffe002] socket(PF_UNIX, SOCK_STREAM, 0) = 9
    [ffffe002] connect(9, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1 ENOENT (No such file or directory)
    [ffffe002] close(9) = 0
    [ffffe002] open("/etc/nsswitch.conf", O_RDONLY) = 9
    [ffffe002] fstat64(9, {st_mode=S_IFREG|0644, st_size=1718, ...}) = 0
    [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
    [ffffe002] read(9, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1718
    [ffffe002] read(9, "", 4096) = 0
    [ffffe002] close(9) = 0
    [ffffe002] munmap(0x40017000, 4096) = 0
    [40010b44] open("/etc/ld.so.cache", O_RDONLY) = 9
    [400109bd] fstat64(9, {st_mode=S_IFREG|0644, st_size=115094, ...}) = 0
    [400110bd] old_mmap(NULL, 115094, PROT_READ, MAP_PRIVATE, 9, 0) = 0x40017000
    [40010b7d] close(9) = 0
    [40010b44] open("/lib/libnss_files.so.2", O_RDONLY) = 9
    [40010bc4] read(9, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\35\0"..., 512) = 512
    [400109bd] fstat64(9, {st_mode=S_IFREG|0755, st_size=52472, ...}) = 0
    [ffffe002] brk(0) = 0x80ec000
    [ffffe002] brk(0x80ed000) = 0x80ed000
    [400110bd] old_mmap(NULL, 47068, PROT_READ|PROT_EXEC, MAP_PRIVATE, 9, 0) = 0x4003c000
    [400110bd] old_mmap(0x40047000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 9, 0xa000) = 0x40047000
    [40010b7d] close(9) = 0
    [40011101] munmap(0x40017000, 115094) = 0
    [ffffe002] open("/etc/passwd", O_RDONLY) = 9
    [ffffe002] fcntl64(9, F_GETFD) = 0
    [ffffe002] fcntl64(9, F_SETFD, FD_CLOEXEC) = 0
    [ffffe002] fstat64(9, {st_mode=S_IFREG|0644, st_size=2407, ...}) = 0
    [ffffe002] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
    [ffffe002] read(9, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2407
    [ffffe002] close(9) = 0
    [ffffe002] munmap(0x40017000, 4096) = 0
    [ffffe002] getpgrp() = 997
    [ffffe002] rt_sigaction(SIGCHLD, {0x8076d30, [], SA_RESTORER, 0x420275c8}, {SIG_DFL}, 8) = 0
    [ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
    [ffffe002] fcntl64(0, F_GETFL) = 0x1 (flags O_WRONLY)
    [ffffe002] fstat64(0, {st_mode=S_IFREG|0644, st_size=51131, ...}) = 0
    [ffffe002] _llseek(0, 0, [51131], SEEK_CUR) = 0
    [ffffe002] brk(0) = 0x80ed000
    [ffffe002] brk(0x80ef000) = 0x80ef000
    [ffffe002] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0

    ==> what's this ???
    [ffffe002] read(0, 0x80ed008, 8176) = -1 EBADF (Bad file descriptor)

    ==> so what happens to my root shell here??
    [ffffe002] exit_group(0) = ?

    Plz tell me whether my root shell has exited because of some error in the last few calls?

    Thanks & regards
    Devrat Mittal
    u02113@cs.unipune.ernet.in
    Department of Computer Science
    University of Pune.


