Re: OT? Are chroots immune to buffer overflows?

From: KF (dotslashat_private)
Date: Tue May 21 2002 - 22:23:13 PDT


    I thought you just did something like the following in your shellcode...
    
    setuid(0)
    mkdir("blah")
    chroot("blah")
    chroot("../../../../../../../../../../../../")
    execve("/bin/sh",0,0)
    
    -KF
    
    Kalle Andersson wrote:
    
    >Of course buffer overflows can be done with success, but it will be
    >much more difficult.
    >
    >Remember, if you are root inside a chroot-jail you are root on the
    >machine. You can probably somehow trick the server into downloading
    >necessary code and files to remount the filesystems into the
    >chroot-environment or make connections to other trusted servers etc
    >etc....
    >
    >FreeBSD Jails are somewhat more secure, you might want to look into
    >that.
    >
    >
    >Jason Haar wrote:
    >
    >>[note: my question is WRT non-root chrooted jails - we all know about
    >>chroot'ing root processes!]
    >>
    >>Most buffer overflows I've seen attempt to infiltrate the system enough to
    >>run /bin/sh. In chroot'ed environments, /bin/sh doesn't (shouldn't!) exist -
    >>so they fail.
    >>
    >>Is it as simple as that? As 99.999% of the system binaries aren't available
    >>in the jail, can a buffer overflow ever work?
    >>
    >>--
    >>Cheers
    >>
    >>Jason Haar
    >>
    >>Information Security Manager
    >>Trimble Navigation Ltd.
    >>Phone: +64 3 9635 377 Fax: +64 3 9635 417
    >>
    >
    >--
    >Best Regards
    >Kalle Andersson
    >Technical Manager / EuroTrust Sweden AB
    >kanat_private
    >
    >
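
    The sequence KF quotes works only while the jailed process is still root and holds a directory reference outside the new root. The following is an added example, not code from this thread, showing a jail entry that removes both conditions and then verifies it; the helper name enter_jail, the default path /var/empty and the id 65534 are assumptions chosen for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_result {
    JAIL_OK = 0,
    JAIL_ERR_ROOT_TARGET,   /* caller asked to keep uid or gid 0 */
    JAIL_ERR_CHDIR,
    JAIL_ERR_CHROOT,
    JAIL_ERR_DROP,          /* setgroups/setgid/setuid failed */
    JAIL_ERR_STILL_ROOT     /* root or chroot() still reachable */
};

/* Hypothetical helper (not from the thread): jail_dir, uid and gid are
   chosen by the caller. Must be called while the process is still root. */
enum jail_result enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return JAIL_ERR_ROOT_TARGET;
    /* Put the working directory inside the jail before chroot(), so no
       directory reference outside the new root is left behind. */
    if (chdir(jail_dir) != 0)
        return JAIL_ERR_CHDIR;
    if (chroot(".") != 0)
        return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;
    /* Drop supplementary groups, then gid, then uid; uid goes last
       because the first two calls still need root. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_ERR_DROP;
    /* Verify the drop is permanent: the setuid(0) and chroot() calls the
       quoted sequence depends on must both fail now. */
    if (setuid(0) == 0 || geteuid() == 0 || chroot("/") == 0)
        return JAIL_ERR_STILL_ROOT;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    /* Constructed defaults: an empty directory and an unprivileged id. */
    const char *dir = argc > 1 ? argv[1] : "/var/empty";
    enum jail_result r = enter_jail(dir, 65534, 65534);
    printf("enter_jail(%s) -> %d\n", dir, (int)r);
    return r == JAIL_OK ? 0 : 1;
}
```

    Run as root, a daemon would call enter_jail() after opening the sockets and files it needs and treat any non-zero result as fatal.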
    



    This archive was generated by hypermail 2b30 : Thu May 23 2002 - 21:00:48 PDT