Related vulnerability
Title:
Sudo security vulnerability
(CVE-2025-32463)
Description: Sudo is a program for Unix-like systems that lets users run commands with elevated privileges in a controlled way. Sudo versions before 1.9.17p1 contain a security vulnerability: an /etc/nsswitch.conf file taken from a user-controlled directory can be used to obtain root access.
Description
Rust PoC for CVE-2025-32463 (sudo chroot "chwoot" Local PrivEsc)
Introduction
> **DISCLAIMER**
>
> This code is for **educational and research purposes only.**
>
> Do not use it on systems you do not own or have permission to test.
>
> The author is **not responsible** for any misuse, damage, or legal consequences resulting from the use of this code.
# sudo chroot PrivEsc PoC (CVE-2025-32463)
This is an implementation of the sudo chroot vulnerability ([CVE-2025-32463](https://nvd.nist.gov/vuln/detail/CVE-2025-32463)) exploit I wrote in Rust based on [sudo's advisory](https://www.sudo.ws/security/advisories/chroot_bug/) and the [Stratascale advisory](https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot).
The exploit allows you to run arbitrary code in the form of a shared library due to a bug in how sudo handles chroot.
When passing the chroot option to sudo, you can provide a malicious `/etc/nsswitch.conf` file within the chroot directory that tells sudo to load an arbitrary shared object. This PoC abuses this in order to grant root access to an unprivileged user.
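As an added defensive companion to the description above (not part of this PoC, and not sudo's own code), the following POSIX sh check parses a sudo version string, including the `pN` patch-level suffix, and reports whether it falls in the affected range. The upper bound (fixed in 1.9.17p1) is the one stated on this page; the lower bound (1.9.14, the first release that shipped the chroot feature) is taken from the linked sudo advisory; the `Sudo version X.Y.Z` first line of `sudo -V` is assumed.

```shell
#!/bin/sh
# Added defensive check for CVE-2025-32463 (not part of the PoC).
# Upper bound (1.9.17p1) as stated on this page; lower bound (1.9.14)
# from the sudo advisory linked above.

# Turn "1.9.16p2" into one integer so versions compare with plain arithmetic.
# A missing "pN" suffix counts as patch level 0; a missing third field as 0.
sudo_version_key() {
    ver="$1"
    base="${ver%%p*}"
    plevel="${ver##*p}"
    [ "$plevel" = "$ver" ] && plevel=0
    major="${base%%.*}"
    rest="${base#*.}"
    [ "$rest" = "$base" ] && rest=0
    minor="${rest%%.*}"
    patch="${rest#*.}"
    [ "$patch" = "$rest" ] && patch=0
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# Prints "affected" when 1.9.14 <= version < 1.9.17p1, else "not affected".
sudo_version_status() {
    key=$(sudo_version_key "$1")
    first=$(sudo_version_key 1.9.14)    # first release with the chroot feature
    fixed=$(sudo_version_key 1.9.17p1)  # first release carrying the fix
    if [ "$key" -ge "$first" ] && [ "$key" -lt "$fixed" ]; then
        echo affected
    else
        echo "not affected"
    fi
}

# Reads the installed version from the first line of `sudo -V`
# ("Sudo version 1.9.15p5", assumed format) and reports its status.
check_installed_sudo() {
    command -v sudo >/dev/null 2>&1 || { echo "sudo not installed"; return 0; }
    ver=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    [ -n "$ver" ] || { echo "could not read sudo version"; return 0; }
    echo "sudo $ver: $(sudo_version_status "$ver")"
}

check_installed_sudo
```

A host reported as "affected" should be updated to 1.9.17p1 or later; the version check alone says nothing about whether any user has already invoked the chroot option, which needs the sudo log.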
## Usage
### Default PrivEsc Payload
Using the provided binaries under `Releases`, simply run the following to gain `root`:
```bash
./sudo_chroot_exploit
```
This uses a shared library payload which simply spawns a root shell.
### Custom payloads
The payload code (C) is provided under `/payload`. There is also a `Makefile` provided for building the code. You can modify or replace the payload as you see fit.
To specify a different payload than the default, you can run the following command:
```bash
./sudo_chroot_exploit -i custom_payload.so
```
File snapshot
```text
[4.0K] /data/pocs/5f02c8f0e228a6ff5b7691e148cc2ba96dad8bb9
├── [6.0K] Cargo.lock
├── [ 122] Cargo.toml
├── [4.0K] payload
│   ├── [ 101] Makefile
│   └── [ 310] payload.c
├── [1.5K] README.md
└── [4.0K] src
    ├── [1.2K] exploit.rs
    └── [ 951] main.rs

2 directories, 7 files
```
Notes
1. Accessing the original source is recommended.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.