
CVE-2025-32463 PoC: Sudo security vulnerability

Related vulnerability
Title: Sudo security vulnerability (CVE-2025-32463)
Description: Sudo is a program for Unix-like systems that allows users to execute commands with special privileges in a secure manner. Versions of Sudo before 1.9.17p1 contain a security vulnerability: because /etc/nsswitch.conf is read from a user-controlled directory, it may allow root access to be obtained.
Description
This repository contains a Proof of Concept (PoC) for CVE-2025-32463, a vulnerability in sudo allowing a chroot escape to achieve local privilege escalation.
Introduction
# CVE-2025-32463-Sudo-Chroot-Escape

**Description**

This repository contains a Python-based Proof of Concept (PoC) for CVE-2025-32463, a local privilege escalation vulnerability in the sudo versions 1.9.14 through 1.9.17. When a user has sudo privileges to run a command within a chroot environment (-R flag), an attacker can abuse the Name Service Switch (NSS) mechanism to load a malicious shared object. This allows the attacker to escape the chroot and execute arbitrary code as the root user.

This exploit was inspired by K1tt3h’s [CVE-2025-32463-POC](https://github.com/K1tt3h/CVE-2025-32463-POC) project.

---
**Disclaimer**

This script is provided for educational and authorized penetration testing purposes only. Unauthorized use of this script against systems you do not own or have explicit permission to test is illegal and unethical. The author assumes no responsibility for misuse or damage caused by this script.

---
**About the Vulnerability**

* CVE ID: [CVE-2025-32463](https://nvd.nist.gov/vuln/detail/CVE-2025-32463)
* Component: Sudo (`--chroot` option)
* Impact: Arbitrary code execution as root by tricking the dynamic linker into loading a malicious NSS (Name Service Switch) module.
* Attack Vector: Local (requires sudo privileges with the chroot option enabled)
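
As a defender's companion to the summary above, the following Python is an added example written for this page; it is not code from the PoC repository or from the sudo project. It parses the version line printed by `sudo --version` and reports whether it falls in the affected range the README gives (1.9.14 through 1.9.17, fixed in 1.9.17p1), and it scans a sudoers policy for explicit chroot grants (`CHROOT=` tags on rules and `Defaults runchroot=`), which is the precondition the README lists under Attack Vector. The sample version output and sudoers text are constructed inline for illustration, and the function names are my own.

```python
"""Audit helper for CVE-2025-32463: affected sudo version range and
sudoers chroot grants. Added example, not part of the PoC repository."""
import re
import subprocess

# Affected range per the README: 1.9.14 through 1.9.17; 1.9.17p1 contains the fix.
VULN_MIN = (1, 9, 14)
VULN_MAX = (1, 9, 17)

VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
CHROOT_TAG_RE = re.compile(r"\bCHROOT=")
RUNCHROOT_DEFAULT_RE = re.compile(r"^\s*Defaults\b.*\brunchroot\s*=")


def parse_sudo_version(text):
    """Return (major, minor, patch, patchlevel) from `sudo --version` output.

    'Sudo version 1.9.17p1' -> (1, 9, 17, 1); a missing 'pN' suffix is level 0.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version):
    """True when the version lies in 1.9.14 .. 1.9.17 and is not 1.9.17p1 or later."""
    base = version[:3]
    if base < VULN_MIN or base > VULN_MAX:
        return False
    if base == VULN_MAX and version[3] >= 1:
        return False  # 1.9.17p1+ carries the fix
    return True


def find_chroot_grants(sudoers_text):
    """Return 1-based line numbers of sudoers lines that enable the chroot
    feature, via a CHROOT= tag on a rule or a Defaults runchroot= setting.
    Comments are stripped first so commented-out lines are not reported
    (legacy '#include' directives would also be dropped by this simple strip)."""
    hits = []
    for lineno, line in enumerate(sudoers_text.splitlines(), 1):
        code = line.split("#", 1)[0]
        if CHROOT_TAG_RE.search(code) or RUNCHROOT_DEFAULT_RE.search(code):
            hits.append(lineno)
    return hits


def installed_sudo_version():
    """Run `sudo --version` on this host and parse it (None if sudo is absent)."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return parse_sudo_version(out)


# Constructed sample inputs (not captured from a real system).
SAMPLE_VERSION_OUTPUT = (
    "Sudo version 1.9.16p2\n"
    "Sudoers policy plugin version 1.9.16p2\n"
)
SAMPLE_SUDOERS = """\
# constructed sample policy, not a real one
Defaults env_reset
alice ALL=(root) CHROOT=/srv/jail /bin/ls
# Defaults runchroot=/srv/jail   <- commented out, must not be reported
Defaults runchroot=/srv/jail
bob ALL=(ALL) ALL
"""

if __name__ == "__main__":
    v = installed_sudo_version()
    if v is None:
        print("sudo not found on this host")
    else:
        print("installed sudo:", v, "affected:", is_affected(v))
    print("sample version affected:", is_affected(parse_sudo_version(SAMPLE_VERSION_OUTPUT)))
    print("sample sudoers chroot grants on lines:", find_chroot_grants(SAMPLE_SUDOERS))
```

The version check is the decisive one: a host running 1.9.17p1 or later, or anything below 1.9.14, is outside the range the README names. The sudoers scan only points to where the chroot feature has been granted deliberately, so a review of `/etc/sudoers` and `/etc/sudoers.d/*` should feed their contents through `find_chroot_grants` rather than relying on a single file.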

---
**Features**

* Automatically creates and compiles the malicious C payload.
* Uses a temporary directory for all artifacts, ensuring no files are left on the system.
* Displays an animated status for each step of the exploit, confirming its completion.

---
**Requirements**

* Python 3.x
* `gcc` installed for compiling the payload.

---
**Usage**

```
git clone https://github.com/nelissandro/CVE-2025-32463-Sudo-Chroot-Escape.git
cd CVE-2025-32463-Sudo-Chroot-Escape
python3 exploit.py
```

---
**How It Works**

1. The script writes a C payload to a file; this payload contains a `__attribute__((constructor))` function designed to spawn a root shell the moment it's executed.
2. It then creates a temporary directory to serve as a fake chroot environment, complete with a malicious `/etc/nsswitch.conf` file.
3. The malicious config file is configured to trick the system's C library (glibc) into loading a custom library (`libnss_privesc.so.2`) to handle password lookups.
4. The C payload is compiled into the `libnss_privesc.so.2` shared object file and placed where the dynamic linker can find it.
5. When `sudo` is executed with the `-R` flag, it enters the chroot, reads the malicious config, and loads our shared object, triggering the constructor and spawning a root shell.