Skip to content

aykit/chroot-privilege-escalation

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.gitignore
.gitignore
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
escalate.c
escalate.c
 
 
prepare-chroot.sh
prepare-chroot.sh
 
 
run.c
run.c
 
 

Repository files navigation

This example shows how the ability to call chroot(2) can be used to gain root priviliges. It works as follows: Inside the new root /etc/ld.so.preload is created with the instruction to load /run.so, which in turn starts a shell. Since the working directory is not changed by chroot(2), a setuid binary from the original root can be executed using a relative path, leading to the invocation of a root shell.

To run the example, build it

make

allow the binary to make chroot(2) calls

sudo setcap CAP_SYS_CHROOT=ep build/escalate

prepare the chroot

./prepare-chroot.sh chroot/ $(which su)

and run the binary

./build/escalate chroot/ $(which su)

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

7 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages