
CVE-2025-32463 PoC — Sudo Security Vulnerability

Source
Associated Vulnerability
Title: Sudo Security Vulnerability (CVE-2025-32463)
Description: Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
Description
This repository contains a Proof of Concept (PoC) for CVE-2025-32463, a vulnerability in sudo allowing a chroot escape to achieve local privilege escalation.
Readme
# CVE-2025-32463-Sudo-Chroot-Escape

**Description**

This repository contains a Python-based Proof of Concept (PoC) for CVE-2025-32463, a local privilege escalation vulnerability in sudo versions 1.9.14 through 1.9.17. When a user has sudo privileges to run a command within a chroot environment (the `-R` flag), an attacker can abuse the Name Service Switch (NSS) mechanism to load a malicious shared object. This allows the attacker to escape the chroot and execute arbitrary code as the root user.

This exploit was inspired by K1tt3h’s [CVE-2025-32463-POC](https://github.com/K1tt3h/CVE-2025-32463-POC) project.

---
**Disclaimer**

This script is provided for educational and authorized penetration testing purposes only. Unauthorized use of this script against systems you do not own or have explicit permission to test is illegal and unethical. The author assumes no responsibility for misuse or damage caused by this script.

---
**About the Vulnerability**

* CVE ID: [CVE-2025-32463](https://nvd.nist.gov/vuln/detail/CVE-2025-32463)
* Component: Sudo (`--chroot` option)
* Impact: Arbitrary code execution as root by tricking the dynamic linker into loading a malicious NSS (Name Service Switch) module.
* Attack Vector: Local (requires sudo privileges with the chroot option enabled)

---
**Features**

* Automatically creates and compiles the malicious C payload.
* Uses a temporary directory for all artifacts, ensuring no files are left on the system.
* Displays an animated status for each step of the exploit, confirming its completion.

---
**Requirements**

* Python 3.x
* `gcc` installed for compiling the payload.

---
**Usage**

```
git clone https://github.com/nelissandro/CVE-2025-32463-Sudo-Chroot-Escape.git
cd CVE-2025-32463-Sudo-Chroot-Escape
python3 exploit.py
```

---
**How It Works**

1. The script writes a C payload to a file; this payload contains a `__attribute__((constructor))` function designed to spawn a root shell the moment it's executed.
2. It then creates a temporary directory to serve as a fake chroot environment, complete with a malicious `/etc/nsswitch.conf` file.
3. The malicious config file is configured to trick the system's C library (glibc) into loading a custom library (`libnss_privesc.so.2`) to handle password lookups.
4. The C payload is compiled into the `libnss_privesc.so.2` shared object file and placed where the dynamic linker can find it.
5. When `sudo` is executed with the `-R` flag, it enters the chroot, reads the malicious config, and loads our shared object, triggering the constructor and spawning a root shell.
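As a defender-side check added here (it is not part of the PoC repository or of sudo itself), the following Python script determines whether a host is exposed to the conditions described in "About the Vulnerability" and "How It Works": it parses `sudo --version` against the affected range stated above (1.9.14 through 1.9.17, fixed in 1.9.17p1) and scans a sudoers file for the `CHROOT=` rule tag or `runchroot` Default that grants the chroot option the README names as the precondition. The `sudo --version` output and the sudoers lines embedded below are constructed samples; the `CHROOT=` / `runchroot` regex is a heuristic, not a full sudoers parser.

```python
import re
import subprocess

# Version bounds taken from the README and the CVE description: sudo 1.9.14 through
# 1.9.17 are affected; 1.9.17p1 carries the fix. Tuples are (major, minor, patch, p-level).
AFFECTED_MIN = (1, 9, 14, 0)
FIXED_IN = (1, 9, 17, 1)

# Constructed sample of `sudo --version` output, for offline use.
SAMPLE_VERSION_OUTPUT = """Sudo version 1.9.16p2
Sudoers policy plugin version 1.9.16p2
Sudoers file grammar version 50
"""

# Constructed sudoers fragment: one rule grants a chroot'ed command, which is the
# precondition the README names ("sudo privileges with the chroot option enabled").
SAMPLE_SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
builder ALL=(root) CHROOT=/srv/jail /usr/bin/make
www-data ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
"""

VERSION_RE = re.compile(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", re.M)
# A CHROOT= tag on a rule and the global runchroot Default are the two ways sudoers
# exposes --chroot; this is a heuristic match, not a full sudoers grammar.
CHROOT_RE = re.compile(r"\bCHROOT\s*=|\brunchroot\s*=")


def parse_sudo_version(text):
    """Return (major, minor, patch, plevel) from `sudo --version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version):
    """True when the version lies in the affected range [1.9.14, 1.9.17p1)."""
    return AFFECTED_MIN <= version < FIXED_IN


def chroot_rules(sudoers_text):
    """Return the non-comment sudoers lines that grant or default to a chroot."""
    hits = []
    for line in sudoers_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if CHROOT_RE.search(stripped):
            hits.append(stripped)
    return hits


def assess(version_output, sudoers_text):
    """Combine both checks into a one-line verdict."""
    version = parse_sudo_version(version_output)
    if version is None:
        return "unknown: could not parse sudo version"
    if not is_affected(version):
        return "not affected: sudo version is outside the vulnerable range"
    if chroot_rules(sudoers_text):
        return "exposed: affected sudo version and chroot rules present"
    return "affected version but no chroot rules found; upgrade regardless"


def check_live_system(sudoers_path="/etc/sudoers"):
    """Run both checks against the local host (requires read access to sudoers)."""
    out = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
    with open(sudoers_path) as f:
        return assess(out, f.read())


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_SUDOERS))
```

On a real host, also pass each file under `/etc/sudoers.d/` through `chroot_rules`, since the scanner skips `#includedir` lines rather than following them; the fix in every case is the same, upgrade to 1.9.17p1 or later and remove chroot grants that are not strictly needed.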
File Snapshot

/data/pocs/4a1a9503f93fbc4cb442d4980fb7b2ede538b2ee
├── exploit.py (3.9K)
└── README.md (2.5K)
1 directory, 2 files