## https://sploitus.com/exploit?id=5D18EA57-E99C-5CD0-9C37-2DFA42A2D27C
> **DISCLAIMER**
>
> This code is for **educational and research purposes only.** 
>
> Do not use it on systems you do not own or have permission to test.
>
> The author is **not responsible** for any misuse, damage, or legal consequences resulting from the use of this code.

# sudo chroot PrivEsc PoC (CVE-2025-32463) 
This is an implementation of the sudo chroot vulnerability ([CVE-2025-32463](https://nvd.nist.gov/vuln/detail/CVE-2025-32463)) exploit I wrote in Rust based on [sudo's advisory](https://www.sudo.ws/security/advisories/chroot_bug/) and the [Stratascale advisory](https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot). 
The exploit allows you to run arbitrary code in the form of a shared library due to a bug in how sudo handles chroot.

When passing the chroot option to sudo, you can provide a malicious `/etc/nsswitch.conf` file within the chroot directory that tells sudo to load an arbitrary shared object. This PoC abuses this in order to grant root access to an unprivileged user. 
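
A defender-side check for the staging step described above, as an added example (not part of the original PoC or the sudo project): it walks the given directories for `etc/nsswitch.conf` copies other than the system file and reports NSS sources outside an allowlist, since glibc resolves each source name to a `libnss_<source>.so.2` library. The `KNOWN_SOURCES` allowlist, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: NSS source names expected on this host; extend for your site.
KNOWN_SOURCES = {"files", "compat", "db", "dns", "systemd", "sss", "ldap", "nis",
                 "winbind", "resolve", "myhostname", "mymachines", "mdns4_minimal"}

def unknown_sources(text):
    """Return (database, source) pairs whose source is not in KNOWN_SOURCES."""
    hits = []
    for line in text.splitlines():
        # Strip comments; lines without ':' yield an empty source list.
        database, _, rest = line.split("#", 1)[0].partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop [NOTFOUND=return] actions
        hits += [(database.strip(), s) for s in rest.split() if s not in KNOWN_SOURCES]
    return hits

def scan(roots):
    """Find etc/nsswitch.conf copies under roots, excluding the system file."""
    system_copy = os.path.realpath("/etc/nsswitch.conf")
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            path = os.path.join(dirpath, "nsswitch.conf")
            if (os.path.basename(dirpath) != "etc" or "nsswitch.conf" not in files
                    or os.path.realpath(path) == system_copy):
                continue
            try:
                with open(path, errors="replace") as fh:
                    findings.append({"path": path,
                                     "owner_uid": os.fstat(fh.fileno()).st_uid,
                                     "unknown": unknown_sources(fh.read())})
            except OSError:
                continue  # unreadable or removed while scanning
    return findings

def demo():
    """Scan a constructed tree: one stock-looking copy, one with an unlisted source."""
    with tempfile.TemporaryDirectory() as top:
        samples = {"jail_a": "passwd: files systemd\nhosts: files dns [NOTFOUND=return]\n",
                   "jail_b": "# constructed sample\npasswd: files example_unlisted\n"}
        for name, body in samples.items():
            os.makedirs(os.path.join(top, name, "etc"))
            with open(os.path.join(top, name, "etc", "nsswitch.conf"), "w") as fh:
                fh.write(body)
        return {os.path.relpath(f["path"], top): f["unknown"] for f in scan([top])}

if __name__ == "__main__":
    print(demo())
```

A copy owned by a non-root user under a world-writable location such as `/tmp` deserves a look even when its `unknown` list is empty; legitimate chroots and container images will also appear in the results and can be excluded by path.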

## Usage
### Default PrivEsc Payload
Using the provided binaries under `Releases`, simply run the following to gain `root`:

```bash
./sudo_chroot_exploit
```

This uses a shared library payload which simply spawns a root shell.

### Custom payloads
The payload code (C) is provided under `/payload`. There is also a `Makefile` provided for building the code. You can modify or replace the payload as you see fit.
To specify a different payload than the default, you can run the following command:
```bash
./sudo_chroot_exploit -i custom_payload.so
```