Sudo --chroot Local Privilege Escalation
CVE-2025-32463 is a local privilege escalation vulnerability in sudo affecting versions 1.9.14 up to, but not including, 1.9.17p1. When sudo is invoked with the -R/--chroot option, vulnerable versions may evaluate paths inside the user-controlled chroot directory while processing the sudoers policy, and in doing so use an attacker-controlled /etc/nsswitch.conf from that directory. By supplying a crafted nsswitch.conf that causes attacker-controlled NSS shared libraries to be loaded from the chroot environment, a local attacker can make sudo load untrusted code with root privileges. The issue was introduced in sudo 1.9.14 and fixed in 1.9.17p1; sudo also deprecated the chroot feature for future removal.
Exploits
41 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (32 hidden).
Small standalone local privilege-escalation repository for CVE-2025-32463 affecting sudo chroot handling. The repo contains two code artifacts: a real Bash PoC exploit (sudo-chwoot.sh) and a small C demo program (chwoot-demo.c) that simulates the vulnerable behavior for CTF/demo purposes. The README documents the CVE and links to external write-ups and advisories. The main exploit flow in sudo-chwoot.sh is: create a temporary staging directory under /tmp, write a C payload source file, build a malicious shared object named like an NSS module (libnss_/woot1337.so.2), create a fake chroot tree with a crafted woot/etc/nsswitch.conf containing 'passwd: /woot1337', copy /etc/group into the fake environment, and finally invoke 'sudo -R woot woot'. The payload uses a constructor function so code executes immediately when the shared object is loaded; it sets UID/GID to 0 and launches /bin/bash, yielding a root shell. This is a true exploit, not merely a detector. The chwoot-demo.c file is not the exploit itself; it demonstrates the conceptual primitive by chrooting into /tmp/stage, performing lookups such as gethostbyname("woot") and getgrnam("got root?"), and manipulating saved directory descriptors to illustrate chroot escape and NSS-triggered behavior. Overall, the repository is minimal, operational, and focused on local EoP via malicious NSS library loading in a crafted sudo chroot context.
This repository is a minimal local privilege-escalation proof of concept for CVE-2025-32463 affecting sudo. The repository contains only two files: a tiny exploit instruction file and a README. The exploit file does not include actual source code; it only instructs the operator to run ./mkall-dynamic.sh and then ./get_root.sh. Those referenced scripts are not included in the provided content, so the full exploit logic, payload details, and exact implementation cannot be verified from this archive alone. Based on the README, the exploit targets vulnerable sudo versions 1.9.14 through 1.9.17 and abuses functionality related to the --chroot option to achieve root privilege escalation. The README states that gcc is not required on the target, suggesting the missing scripts likely use prebuilt or dynamically assembled components rather than compiling locally. The claimed outcome is root access on a local system. There are no network indicators, URLs, IPs, domains, registry keys, or remote C2 endpoints in the provided content. The only fingerprintable artifacts are the referenced local script paths ./mkall-dynamic.sh and ./get_root.sh. Overall, this appears to be a sparse PoC-style repository rather than a complete, operational exploit package.
This repository is a minimal local privilege-escalation proof-of-concept for CVE-2025-32463 targeting sudo. It contains only two files: a short README describing the technique and a single Python exploit script, `cve-2025-32463.py`, which is the clear entry point. The exploit is not network-based; it is a local attack that prepares a malicious filesystem layout, compiles a shared library payload, and then invokes `sudo -R` to trigger unsafe loading behavior. The Python script creates a temporary staging directory under `/tmp`, changes into it, and writes a C source file `x.c`. That C code defines a `run()` function that calls `setreuid(0,0)` and `setregid(0,0)` before executing `/bin/bash`, making the payload a straightforward root shell launcher. The script then creates `root/etc` and `libnss_` directories, writes a crafted `root/etc/nsswitch.conf` containing `passwd: /x`, copies `/etc/group` into the fake root, and compiles the C file into a shared object named `libnss_/x.so.2` using `gcc -shared -fPIC -Wl,-init,run`. The `-Wl,-init,run` linker option ensures the `run()` function executes automatically when the library is loaded. The final step, `sudo -R root x x`, is the exploit trigger. Based on the README and code, the intended abuse is to control a chroot-like environment via sudo's `-R` option, inject a malicious NSS configuration, and force loading of the attacker-supplied NSS library. If successful on a vulnerable system, the result is local privilege escalation to a root shell. The repository is small but functional, with a hardcoded payload and no customization features, so OPERATIONAL is the best maturity fit rather than a mere POC.
Repository contains a single Bash PoC exploit script and a README describing CVE-2025-32463 (sudo chroot/NSS-based local privilege escalation).
Structure:
- `CVE-2025-32463.sh`: Main exploit entry point. Creates a temporary staging directory under `/tmp`, writes and compiles an embedded C payload into a shared object named like an NSS module (`libnss_/woot1337.so.2`), and constructs a fake chroot directory `woot/` containing `etc/nsswitch.conf` and a copied `/etc/group`.
- `README.md`: Explains affected sudo versions (1.9.14–1.9.17), the abuse of `--chroot`/`-R` and `nsswitch.conf`, and basic run instructions.
Exploit capability and flow:
1. Creates staging dir and writes `woot1337.c` implementing a constructor/init routine that sets UID/GID to 0 and execs `/bin/bash`.
2. Builds a fake chroot tree `woot/etc/` and writes `nsswitch.conf` with `passwd: /woot1337`, aiming to force NSS to load a module corresponding to `woot1337`.
3. Compiles the payload as a shared library with an init hook (`-Wl,-init,woot`) and places it at `libnss_/woot1337.so.2`.
4. Triggers the vulnerability via `sudo -R woot woot`, expecting sudo’s chroot/NSS handling to load the attacker-controlled NSS module, executing the constructor and yielding a root shell.
5. Cleans up the staging directory.
No network IOCs are present; all observables are local filesystem paths and the `sudo -R` invocation used to trigger the vulnerable behavior.
Repository contains a single Bash exploit script and a detailed README for CVE-2025-32463 (sudo “chroot-to-root”).
Structure & purpose:
- `CVE-2025-32463.sh`: Operational local privilege escalation PoC. It stages a fake chroot, compiles a malicious NSS shared library, and triggers sudo’s `-R/--chroot` behavior to get code execution as root.
- `README.md`: Background, affected versions (sudo 1.9.14–1.9.17 before 1.9.17p1), impact, technical explanation (NSS loading from within chroot before policy checks), and remediation guidance.
Exploit flow (capabilities):
1) Performs basic checks for `sudo` and `gcc`, and prints the detected sudo version.
2) Creates a temporary staging directory under `/tmp` and writes `woot1337.c`, a C payload implementing a constructor function.
3) Builds a fake chroot tree `woot/` with `woot/etc/nsswitch.conf` containing `passwd: /woot1337`, and creates `libnss_/`.
4) Compiles a shared object `libnss_/woot1337.so.2` (NSS-style naming) whose constructor calls `setreuid(0,0)`, `setregid(0,0)`, then `execl('/bin/bash','/bin/bash','-i',NULL)`.
5) Triggers the vulnerability via `sudo -R woot woot`, causing sudo to pivot into the attacker-controlled chroot and (per the described bug) load the attacker’s NSS module as root, yielding an interactive root shell.
Attack vector:
- Purely local privilege escalation; no network communication. The key primitive is root code execution via attacker-controlled NSS module loading induced by sudo’s chroot option.
Repository purpose: a small container-based lab plus an automated local privilege escalation PoC for sudo vulnerabilities CVE-2025-32462 and CVE-2025-32463.
Structure (actual files present):
- Dockerfile: builds an Ubuntu 24.04 container and compiles/installs sudo 1.9.16p2 from source (downloaded from sudo.ws). Creates a non-root user `pwn` for testing.
- README.md: explains both CVEs and provides manual lab steps. It includes example Docker networking/hostnames to demonstrate CVE-2025-32462 (host matching bypass using `sudo -h highpriv.test.local ...`) and outlines the CVE-2025-32463 technique (NSS injection via `sudo -R` chroot).
- auto_cve_2025_32463.sh: the main exploit automation. It creates a temporary staging directory, writes a C shared-library payload, builds it as a fake NSS module (libnss_/cve_2025_32463.so.2), creates a minimal chroot tree with a crafted `etc/nsswitch.conf` that references the custom NSS service name, then triggers the vulnerability with `sudo -R cve_2025_32463 cve_2025_32463`. When sudo loads the NSS module, the constructor sets uid/gid to 0 and execs /bin/bash, yielding a root shell.
Exploit capabilities:
- Local EoP to root (CVE-2025-32463) by achieving arbitrary code execution as root during sudo initialization in a chroot, via attacker-controlled NSS configuration and library loading.
- The repo also documents (but does not provide a dedicated script for) CVE-2025-32462 exploitation: bypassing sudoers Host_Alias restrictions by supplying a spoofed hostname with `-h`, enabling unauthorized root command execution when host-based rules are in use.
Notes on completeness: README describes additional directories (exploit/, lab/) that are not present in the provided file listing; the functional PoC in this archive is the single script auto_cve_2025_32463.sh plus the Docker lab build.
Repository contains a single Bash proof-of-concept exploit script (`CVE-2025-32463.sh`) and a detailed `README.md`. The exploit targets CVE-2025-32463 in sudo (versions 1.9.14 through 1.9.17 prior to 1.9.17p1), a local privilege escalation issue involving the `sudo -R/--chroot` feature. Core capability: the script builds an attacker-controlled chroot directory, writes a crafted `woot/etc/nsswitch.conf` that redirects NSS `passwd` lookups to a custom module path (`/woot1337`), compiles a malicious shared library (`libnss_/woot1337.so.2`) with a constructor that sets UID/GID to 0 and executes `/bin/bash -i`, then triggers the vulnerable behavior by running `sudo -R woot woot`. If successful, sudo performs NSS lookups after pivoting into the user-controlled chroot, loads the attacker’s NSS module as root, and the constructor spawns a root shell.
Structure/purpose:
- `CVE-2025-32463.sh`: end-to-end exploit orchestrator (checks for sudo/gcc, creates `/tmp` staging dir, writes/compiles C payload, constructs fake chroot, triggers `sudo -R`).
- Embedded C payload (`woot1337.c`) is generated on the fly and compiled into the malicious NSS library.
- `README.md`: extensive background, affected versions, technical explanation, and remediation guidance; includes external reference URLs and images.
No network communication is performed by the exploit; it is purely local and relies on filesystem artifacts (temporary chroot, nsswitch.conf, and a malicious shared object) to achieve root code execution.
Repository contains a Bash-based local privilege escalation PoC for CVE-2025-32463 (sudo chroot/--chroot, -R). Structure: (1) `CVE-2025-32463.sh` is the main exploit script; it creates a temporary directory under `/tmp`, writes a small C payload (`woot.c`) that uses a constructor to set UID/GID to 0 and exec `/bin/bash`, then compiles it into a shared object named like an NSS module (`libnss_/woot.so.2`). It prepares a minimal chroot tree (`woot/etc/nsswitch.conf`, copies `/etc/group`) so that when `sudo -R woot woot` is executed, sudo/NSS will consult attacker-controlled configuration and load the malicious library before privileges are dropped, resulting in a root shell. (2) `README.md` documents the CVE, affected versions (1.9.14–1.9.17), and basic execution steps. No network activity is present; the exploit is purely local and depends on sudo configuration/behavior and the ability to compile code.
Repo purpose: a minimal C reimplementation PoC for CVE-2025-32463 (sudo chroot / "chwoot" privilege escalation). Structure: (1) vpr-chwoot.c is the exploit, built as a shared object with a custom ELF entry point and a constructor (woot). The entry() function stages a fake chroot directory (.vpr-chwoot) and writes woot/etc/nsswitch.conf to reference a custom NSS service (/vpr-chwoot). It then creates a fake NSS module path (libnss_/vpr-chwoot.so.2) as a symlink to its own executable (found via /proc/self/exe). Finally it execve()s /usr/bin/sudo with -R .vpr-chwoot to trigger the vulnerable chroot behavior and dynamic loading of the attacker-controlled NSS module. When loaded, the constructor woot() runs, calls setresuid(0,0,0) and setresgid(0,0,0), cleans up artifacts, forks, and execs /bin/sh to provide an interactive root shell, then removes the staging directory. (2) Makefile compiles the C file into a shared object using ld with --entry=entry and --init=woot. (3) Dockerfile builds Ubuntu 24.04 with sudo 1.9.16p2 from sudo.ws and build tooling, creating a 'poc' user for demonstration. (4) run.sh builds and runs the container (with --privileged and --rm) and removes the image afterward. No network scanning or remote exploitation is present; this is a local LPE PoC with automated staging and cleanup.
Repository contains a single Bash PoC exploit script for CVE-2025-32463 (sudo local privilege escalation via -R/--chroot NSS injection), plus README and MIT license.
Structure & purpose:
- `CVE-2025-32463.sh`: end-to-end local EoP PoC. It creates a temp build directory under `/tmp`, writes and compiles a C shared library with a constructor (`pwn()`) that sets UID/GID to 0 and execs an interactive shell. It then constructs a minimal chroot-like directory tree (`root/etc`, `libnss_`) and writes `root/etc/nsswitch.conf` with `passwd: /pwn` to coerce NSS to load `libnss_/pwn.so.2`. Finally it triggers the vulnerable behavior with `sudo -R root pwn`, and cleans up the staging directory.
- `README.md`: explains affected sudo versions (1.9.14–1.9.17, fixed in 1.9.17p1), requirements (gcc, ability to run `sudo -R`), and basic usage.
Exploit capabilities:
- Local privilege escalation to root by abusing sudo’s chroot option to load an attacker-controlled NSS module.
- Spawns an interactive root shell (`/bin/bash -i` or `/bin/sh -i`).
No network communication is present; all observables are local filesystem paths and the `sudo -R` invocation used to trigger the vulnerability.
Repository contains a single Bash exploit script (`CVE-2025-32463.sh`) and a minimal README. The script is an operational local privilege-escalation PoC for CVE-2025-32463 affecting sudo. It creates a temporary build directory under `/tmp`, writes a small C payload (`woot1337.c`) that uses a constructor to immediately set UID/GID to 0 and execute `/bin/sh -c <command>`, then compiles it into a shared object named like an NSS module (`libnss_/woot1337.so.2`). To trigger execution, it builds a fake root tree (`woot/`) containing `etc/nsswitch.conf` with `passwd: /woot1337` and a copied `etc/group`, then invokes `sudo -R woot woot`. The intent is that sudo, when operating with the alternate root, consults the attacker-controlled NSS configuration and loads the attacker-provided NSS shared library, causing the constructor to run as root. If no command-line arguments are provided, the exploit defaults to spawning an interactive root shell (`/bin/bash`); otherwise it runs the supplied command as root. Cleanup removes the temporary staging directory.
This repository contains a local privilege escalation exploit for CVE-2025-32463, targeting vulnerable versions of Sudo on Linux systems. The exploit is implemented as a Bash script (exploit.sh) that automates the process of creating a malicious shared library in C (exploit.c), which is compiled on the fly using gcc. The shared library abuses the LD_PRELOAD environment variable to escalate privileges to root and spawn a root shell when a benign binary (such as /bin/true) is executed with sudo. The script sets up a temporary working directory, compiles the payload, prepares the environment, and executes the exploit, cleaning up after execution. The exploit requires local access, a vulnerable Sudo version, and gcc to be installed. No network endpoints are involved; all actions are performed locally on the target system.
This repository contains a functional proof-of-concept exploit for CVE-2025-32463, a local privilege escalation vulnerability in Sudo (versions 1.9.14 through 1.9.17) affecting Linux and Unix-like systems. The exploit is implemented as a Bash script (CVE-2025-32463.sh) that stages a malicious NSS shared library and a crafted nsswitch.conf in a temporary directory. By invoking Sudo with the --chroot (-R) option and pointing it to the staged environment, the exploit tricks Sudo into loading the attacker's shared library, which escalates privileges and spawns a root shell. The payload is written in C and compiled on the fly. The repository also includes a detailed README.md explaining the vulnerability, affected versions, exploitation steps, and mitigation advice. No network endpoints are involved; all actions are performed locally via file system manipulation. The exploit is operational and provides a root shell if successful.
This repository provides a proof-of-concept (PoC) local privilege escalation exploit for CVE-2025-32463, targeting vulnerable versions of sudo (1.9.14 to 1.9.17) on Linux systems with chroot support and nsswitch enabled. The repository contains two files: a README.md with usage instructions and a Bash script (cve202532463.sh) that automates the exploitation process. The script checks for dependencies and vulnerable sudo versions, sets up a fake environment, generates and compiles a C shared library payload that escalates privileges to root, and then triggers the exploit via sudo. If successful, the exploit provides a root shell. The exploit is a functional PoC and does not contain weaponized or framework-based code. Key fingerprintable endpoints include manipulation of /etc/nsswitch.conf and /etc/group, and execution of /bin/sh or /bin/bash as root.
This repository provides a local privilege escalation exploit for Sudo versions 1.9.14 through 1.9.17 (CVE-2025-32463) on Linux systems. The exploit leverages a flaw in the handling of the --chroot (-R) option, allowing an attacker to load a malicious NSS shared library as root by crafting a fake /etc/nsswitch.conf in a user-controlled chroot environment. The main exploit is a Bash script (embedded in 52352.txt and README.md) that creates a temporary directory, writes a C source file for the malicious NSS library, compiles it, sets up the chroot environment, and invokes sudo with the -R option. When sudo attempts to resolve user/group information, it loads the attacker's library, which escalates privileges and spawns a root shell. The repository contains three files: the exploit description and PoC (52352.txt), a license file, and a README with technical details and usage instructions. The exploit is operational and provides a working root shell if the target is vulnerable.
This repository contains a local privilege escalation exploit for Sudo version 1.9.17 (CVE-2025-32463). The exploit is implemented as a Bash script (cwoot.sh) that automates the process of creating a malicious NSS shared library and configuration, sets up a chroot environment, and triggers the vulnerability using the 'sudo -R' option. The payload is a C shared library that, when loaded by Sudo, sets the effective UID and GID to root and spawns a root shell. The exploit requires local access to the target system and the ability to execute sudo with the --chroot option. The repository is structured with a README.md explaining the vulnerability and usage instructions, and the main exploit script (cwoot.sh) containing both Bash and embedded C code. No network endpoints are hardcoded in the exploit; all actions are performed locally on the target system.
This repository contains a working exploit for CVE-2025-32463, a critical local privilege escalation vulnerability in sudo (versions 1.9.14 to 1.9.17) affecting Linux systems. The exploit is implemented as a Bash script ('sudo-chwoot.sh') that creates a temporary chroot environment, generates a malicious C shared library (libnss_/woot1337.so.2), and manipulates the nsswitch.conf file to force sudo to load this library when invoked with the --chroot (-R) option. The shared library, when loaded, sets the process's UID and GID to 0 (root) and executes an arbitrary command (default: /bin/bash), effectively granting a root shell to the attacker. The exploit requires local access to the target system and a vulnerable sudo configuration. The repository also includes a README with detailed usage instructions, a license file, and defensive recommendations for mitigation. No network endpoints are involved; all actions are performed locally on the target system.
This repository provides a Python-based proof-of-concept exploit for CVE-2025-32463, a local privilege escalation vulnerability in sudo (versions 1.9.14 through 1.9.17) when used with the --chroot (-R) option. The exploit consists of two files: a README.md with detailed background and usage instructions, and exploit.py, the main exploit script. The exploit works by creating a malicious C shared object (libnss_privesc.so.2) that spawns a root shell when loaded. It sets up a fake chroot environment, including a crafted /etc/nsswitch.conf to trick glibc into loading the attacker's shared object for password lookups. The exploit then triggers sudo with the -R flag, causing the payload to execute and escape the chroot, granting a root shell. The code is a functional PoC and does not use any external frameworks. The attack vector is local, requiring sudo privileges with chroot capability. The exploit leaves minimal traces by using a temporary directory for all artifacts.
This repository contains a local privilege escalation exploit targeting Sudo versions before 1.9.17p1 on Linux. The exploit leverages a vulnerability in how sudo handles the --chroot (-R) option, allowing a user to control the nsswitch.conf file used by sudo. The exploit consists of a Python script (exploit.py) that creates a temporary working directory, writes a malicious nsswitch.conf and a C source file for a shared library, compiles the shared library, and sets up a chroot environment. The malicious nsswitch.conf instructs the system to use the attacker's shared library for password lookups. When sudo is run with the chroot option, it loads the attacker's library, which escalates privileges and spawns a root shell. The repository also includes a README.md describing the vulnerability and exploit. The main entry point is exploit.py, which orchestrates the attack. The exploit is operational and provides a root shell if successful. No network endpoints are involved; all actions are local and file-based.
This repository provides a working local privilege escalation exploit for CVE-2025-32463, targeting Sudo versions 1.9.14 through 1.9.16 on Linux systems. The main exploit file, CVE-2025-32463.py, is a Python script that automates the exploitation process. It creates a temporary working directory, generates a C source file for a malicious shared object, and compiles it. The exploit sets up a fake chroot environment with attacker-controlled configuration files (notably nsswitch.conf) and a malicious NSS shared library. By invoking sudo with the --chroot option and pointing it to this environment, the exploit causes sudo to load the attacker's shared library, which escalates privileges and executes a shell or arbitrary command as root. The repository also includes a README.md with usage instructions and a brief video file (POC VIDEO.mp4). The exploit is operational and provides a root shell on vulnerable systems. All exploitation is local; no network endpoints are involved. The code is well-structured, with clear separation of setup, payload generation, compilation, execution, and cleanup steps.
This repository provides a local privilege escalation proof-of-concept (PoC) exploit for CVE-2025-32463, a vulnerability in sudo (versions 1.9.14 to 1.9.17) affecting Linux systems. The repository contains three files: a Dockerfile to set up a vulnerable Ubuntu 24.04 environment with the affected sudo version and a non-privileged user, a README.md with setup and usage instructions, and the main exploit script 'sudo-chwoot.sh'. The exploit works by creating a malicious NSS (Name Service Switch) shared object in C, which, when loaded, sets the process's UID and GID to 0 and spawns a root shell. The script sets up a custom nsswitch.conf to force sudo (when run with --chroot) to load this malicious module. The exploit is launched by running 'sudo -R woot woot', which triggers the vulnerability and results in a root shell. The attack vector is local, requiring shell access to the target system and the ability to run sudo with the --chroot option. No network endpoints are involved; all actions are performed locally within the container or target system. The repository is structured for educational and testing purposes, with clear instructions and a self-contained lab environment.
This repository provides a proof-of-concept (PoC) local privilege escalation exploit for CVE-2025-32463, targeting a vulnerability in the sudo utility on Linux systems (notably Ubuntu 18.04 or later). The exploit is implemented as a Bash script ('exploit.sh') that stages a temporary working directory, writes and compiles a C shared object ('woot1337.so.2') designed to escalate privileges, and sets up a chroot environment with a custom 'nsswitch.conf' to load the malicious library. The script then invokes 'sudo -R woot woot', which triggers the vulnerability, resulting in a root shell. The payload is a C constructor that sets UID/GID to 0 and spawns '/bin/bash'. The repository also includes a README with usage instructions and a LICENSE file. No network endpoints are involved; all actions are local to the target system. The exploit requires sudo privileges and a vulnerable sudo configuration. The code is a functional PoC and not weaponized for mass exploitation.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-32463, a privilege escalation vulnerability in sudo (version 1.9.16p2) on Linux. The repository includes a Dockerfile that builds a vulnerable environment, a Bash script (sudo-chwoot.sh) that implements the exploit, and a helper script (run.sh) to build and run the container. The exploit works by creating a malicious NSS (Name Service Switch) shared object and a crafted nsswitch.conf, then using sudo's chroot (-R) option to load the malicious library, which escalates privileges to root and spawns a shell or executes arbitrary commands as root. The exploit is local and requires the attacker to execute code on the target system. The repository is structured for easy testing in a controlled Docker environment, making it suitable for research and demonstration purposes.
This repository provides a local privilege escalation exploit for CVE-2025-32463. The exploit consists of two main C files: 'cve_2025_32463.c' (the main exploit logic) and 'woot1337.c' (the payload). The exploit works by staging a custom NSS (Name Service Switch) environment in a temporary directory, writing a malicious shared object (libwoot1337.so) that, when loaded, sets the process UID and GID to 0 and spawns a root shell. The exploit then invokes 'sudo' with a custom configuration to load this malicious NSS module, resulting in a root shell. The README provides detailed compilation and usage instructions, including how to convert the shared object to a C header for embedding. The exploit is operational and provides a working root shell if the target is vulnerable. No network endpoints are involved; all actions are local to the target system.
This repository provides a local privilege escalation exploit for CVE-2025-32463, a vulnerability in sudo (referred to as sudo_chwoot). The exploit is delivered as a Bash script (exp.sh) that orchestrates the attack. The script is designed to work on systems both with and without gcc installed: if gcc is present, it compiles a C shared object payload on the fly; otherwise, it uses a precompiled binary (woot1337.so.2). The payload is a shared object that, when loaded, sets the effective UID and GID to 0 (root) and spawns a shell or executes a specified command as root. The exploit leverages the 'sudo -R' option with a crafted environment to trigger the vulnerability. The repository includes two README files (in Chinese and English) and the main exploit script. The attack vector is local, requiring shell access to the target system. No network endpoints are involved. The exploit is operational and provides a root shell or command execution upon success.
This repository is a Go-based local privilege escalation exploit for CVE-2025-32463, targeting sudo versions 1.9.14 to 1.9.17 on Linux systems. The exploit leverages a flaw in the --chroot (-R) option of sudo, allowing a local user with sudo privileges to gain root access by loading a malicious shared library via a crafted chroot environment. The repository contains two main code files: 'main.go', which handles argument parsing and user interface, and 'src/cve.go', which implements the exploit logic. The exploit works by creating a temporary directory, generating a C source file for a malicious NSS module, compiling it into a shared object, setting up a fake chroot environment, and invoking sudo with the -R option to load the malicious library. If successful, the exploit spawns a root shell. The README provides detailed setup, compilation, and usage instructions, as well as safety recommendations. The exploit is operational and provides a working root shell on vulnerable systems. No network endpoints are involved; all actions are performed locally on the target system.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-32463, a local privilege escalation vulnerability in sudo (versions 1.9.0 to 1.9.17p1) that allows users to escape a chroot jail and gain root access to the host system. The repository contains two files: a Bash script (CVE-2025-32463.sh) and a README.md. The Bash script creates a temporary directory, writes a C source file (woot1337.c) that, when compiled as a shared object, sets user and group IDs to root and spawns a root shell outside the chroot. The script sets up a minimal chroot environment, compiles the shared object, and then invokes sudo with the chroot option to trigger the exploit. The README.md provides detailed usage instructions, requirements, and mitigation advice. The exploit is a functional PoC and requires a vulnerable sudo version and a specific sudoers configuration that allows chrooted execution. No network endpoints are involved; the attack vector is local privilege escalation via misconfigured sudoers and vulnerable sudo.
This repository contains a proof-of-concept (PoC) local privilege escalation exploit targeting a theoretical vulnerability in 'sudo' (CVE-2025-32463). The exploit is implemented as a Bash script ('sudo-chwoot.sh') and is accompanied by a README.txt with detailed instructions and background. The script creates a temporary chroot environment, injects a custom base64-encoded shared object (.so) as a malicious NSS module, and manipulates 'nsswitch.conf' to force 'sudo' to load this module when run with the '-R' (chroot) option. If the exploit is successful, it provides a root shell or executes arbitrary commands as root. The exploit is self-contained, with the payload embedded in the script, and is intended for research and testing in controlled environments only. The main attack vector is local, requiring the attacker to execute the script on a vulnerable system. The repository structure is simple, consisting of the exploit script and a README.
This repository provides a fully functional local privilege escalation exploit environment for CVE-2025-32463, a vulnerability in sudo (versions 1.9.14 to 1.9.17) that allows a local user to gain root privileges via the --chroot option and manipulation of NSS configuration. The repository is structured as a Docker-based lab, with two Dockerfiles (deb and source) for building vulnerable environments using either pre-built packages or source compilation. The main exploit is implemented in 'docker/sudo-chwoot.sh', a bash script that creates a malicious NSS shared library (hacker.so.2) with a constructor that sets UID/GID to 0 and executes a shell or arbitrary command as root. The script manipulates nsswitch.conf to ensure the library is loaded when sudo is invoked in a chrooted environment. The README provides detailed instructions for building and running the lab, including pulling pre-built images from Docker Hub and executing the exploit script. The exploit is operational and provides a root shell or command execution as root within the container. The repository also includes extensive documentation on the vulnerability and chroot/container isolation security. No network attack vector is present; exploitation is local within the container. Key fingerprintable endpoints include the exploit script, manipulated nsswitch.conf, and the Docker images/URLs used for the lab.
This repository provides a working local privilege escalation exploit for CVE-2025-32463, a critical vulnerability in sudo versions 1.9.14 through 1.9.17 on Linux. The exploit is implemented as a Bash script (cve-2025-32463.sh) that stages a malicious chroot environment, compiles a custom NSS (Name Service Switch) shared library in C, and manipulates sudo's chroot and NSS loading logic to execute arbitrary code as root. The payload creates a setuid root shell at /tmp/rootbash and writes a proof file (/tmp/pwned_proof.txt) to demonstrate successful exploitation. The exploit requires local access, sudo privileges, and the ability to use chroot via sudo. The repository is well-documented, with a detailed README explaining the vulnerability, exploitation steps, prerequisites, and mitigation advice. No network endpoints are involved; all actions are performed locally on the target system. The exploit is operational and provides a persistent root shell if successful.
This repository contains a single Bash script ('exploit.sh') that implements a local privilege escalation exploit targeting Linux systems with sudo. The script creates a temporary working directory, generates a C source file for a malicious NSS (Name Service Switch) shared object, and compiles it. The shared object, when loaded, sets the effective UID and GID to 0 (root) and executes a shell or arbitrary command as root. The script sets up a custom NSS configuration to force the use of the malicious module, then invokes sudo in a way that loads this module, resulting in privilege escalation. The exploit is operational and provides a root shell or command execution as root if successful. The main attack vector is local, requiring the attacker to have shell access and the ability to run sudo. The repository is structured as a single exploit script with embedded C code for the payload.
This repository is a comprehensive attack simulation and forensic analysis toolkit, developed for educational purposes. It demonstrates a full attack chain against a Linux system, including:

- **Initial Access**: Achieved via a Python dependency confusion attack, delivering a malicious PyPI package.
- **Privilege Escalation**: Exploits CVE-2025-32463 (sudo 1.9.16p2) to gain root privileges using a custom Bash exploit script.
- **Persistence and Stealth**: Deploys a custom kernel rootkit (src/rkit.c) that provides multiple features:
  - Root privilege escalation via a magic signal (kill -64).
  - Hiding of processes (by PID), files, and directories (by prefix), and the module itself from /proc/modules and /sys/modules.
  - Self-unloading via a magic signal (kill -62).
  - Hooks syscalls (kill, getdents, getdents64) using ftrace for backdoor and hiding features.
  - Starts a userland loader (src/shell.c) for a persistent reverse shell to a hardcoded C2 server (192.168.56.101:9001).
  - Persistence is achieved via a udev rule that triggers the loader on boot.
- **Userland Loader (src/shell.c)**: Loads the kernel module in-memory (no .ko file on disk) and establishes a reverse shell, logging activity to /var/log/volnaya.log.
- **Forensics and Analysis**: The repository includes memory and network artifacts, extraction scripts, and detailed documentation for forensic investigation.

The structure is modular, with each subdirectory in `src/` representing a different rootkit feature (e.g., communication, root backdoor, hiding, etc.), culminating in a combined, weaponized rootkit in `src/rkit.c` and a userland loader in `src/shell.c`. The attack chain is well-documented in README.md and Exploit_chain.mmd, and the repository includes scripts for setup, exploitation, and artifact extraction. The exploit is operational and demonstrates advanced persistence, stealth, and remote access capabilities on modern Linux systems.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-32463, a local privilege escalation vulnerability in the sudo utility on Linux. The exploit leverages a flaw in sudo's handling of the --chroot option, which allows a non-sudoer user to escalate privileges to root by manipulating configuration and library files in a controlled chroot environment. The repository consists of two files: a README.md explaining the vulnerability and attack method, and exploit.sh, a bash script that automates the attack. The script creates a temporary directory, writes a malicious C shared library (woot1337.c), compiles it, sets up a fake nsswitch.conf to direct sudo to load the attacker's library, and then invokes sudo with the chroot option to trigger the exploit. If successful, the attacker is granted a root shell. The exploit requires local access, the ability to run sudo with --chroot, and gcc to compile the payload. The main fingerprintable endpoints are the fake nsswitch.conf, the malicious shared library, and the use of /bin/bash for the root shell.
This repository contains a local privilege escalation exploit for CVE-2025-32463, targeting vulnerable versions of sudo (1.9.14 up to 1.9.17) on Linux. The exploit consists of a Bash script (exploit.sh) and a README.md with usage instructions and background information. The script creates a temporary working directory, writes a C source file for a malicious shared object, compiles it, and sets up a fake NSS (Name Service Switch) environment. It then invokes sudo with the -R option to load the malicious shared object, which escalates privileges and spawns a root shell. The exploit is operational and provides a working root shell if the target is vulnerable. The main attack vector is local, requiring shell access to the target system. Several file paths are used as part of the exploit setup, including /bin/bash, /etc/group, and temporary directories. The repository is straightforward, with clear instructions and a single exploit script.
This repository is a Proof-of-Concept (PoC) local privilege escalation exploit for CVE-2025-32463, targeting the sudo utility on Linux systems. The exploit is implemented in Rust and generates a C source file at runtime, which is then compiled into a malicious shared object (woot1337.so.2). This shared object, when loaded, sets the effective UID and GID to 0 (root) and executes a shell or arbitrary command as root. The exploit sets up a custom nsswitch.conf and supporting files in a temporary directory, compiles the payload, and then invokes sudo in a way that triggers the vulnerability, resulting in privilege escalation. The repository includes a Dockerfile for setting up a vulnerable environment, a README with usage instructions, and Rust source code in src/main.rs. The exploit requires local access and the ability to run binaries with sudo. No network endpoints are involved; all actions are performed locally on the target system.
This repository provides a working privilege escalation exploit for CVE-2025-32463, a vulnerability in sudo (versions 1.9.14 through 1.9.17) that allows local users to escalate privileges to root via the --chroot option. The exploit is operational and does not require a compiler (gcc) on the target, as it ships precompiled, base64-encoded shared object payloads for multiple architectures (x86_64, i386, aarch64, armv7l, riscv64) in both dynamic and static forms. The main exploit logic is implemented in both Python (get_root.py) and Bash (get_root.sh), which detect the system architecture, decode the appropriate payload, set up a chroot environment with a custom NSS configuration, and invoke sudo to load the malicious shared object. The payload sets UID/GID to 0 and spawns a root shell. The repository also includes a script (mkall-dynamic.sh) for compiling new payloads if needed. No network endpoints are involved; the attack vector is local privilege escalation. The structure is clean, with clear separation of payloads, launcher scripts, and build utilities.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-32463, a vulnerability in the sudo utility's handling of the chroot option. The exploit is implemented in Rust, with a C-based payload. The main structure consists of a Rust binary (src/main.rs and src/exploit.rs) that sets up a chroot environment, creates a malicious /etc/nsswitch.conf file, and places a crafted shared library payload in a location where sudo will load it. The payload (payload/payload.c) is a shared object that, when loaded, sets the process's UID and GID to 0 (root) and spawns a root shell (/bin/sh). The exploit can be run with the default payload or a custom one provided by the user. The Makefile in the payload directory is used to build the shared object. The attack vector is local privilege escalation, requiring the attacker to execute the exploit on a vulnerable system. The main fingerprintable endpoints are the chroot/etc/nsswitch.conf file, the libnss_/payload.so.2 shared object, and the /bin/sh shell invoked by the payload. The repository is well-structured for research and educational purposes, and the exploit is a functional PoC for the targeted vulnerability.
This repository contains a proof-of-concept (PoC) exploit for a privilege escalation vulnerability in certain versions of sudo on Linux systems. The exploit targets a flaw in how sudo handles NSS (Name Service Switch) library loading when using the -R (chroot) option. The main script, 'Xpl0it', is a Bash script that automates the exploitation process: it gathers system and sudo configuration information, checks for vulnerable sudo versions, and prepares a chroot environment with a malicious NSS library. The script generates C code for the malicious library, compiles it, and sets up the necessary files and directory structure to trick sudo into loading the attacker's code. When the exploit is triggered (by running 'sudo -R bridge bridge'), the malicious library is loaded with root privileges, allowing arbitrary command execution as root. The repository is structured with a detailed README.md explaining the vulnerability, exploitation steps, and educational value, and a single exploit script ('Xpl0it') that implements the attack logic. The exploit is local and requires the attacker to have sudo privileges with the ability to use the -R option. No network endpoints are involved; all actions are performed on the local filesystem.
This repository provides a proof-of-concept (PoC) local privilege escalation exploit for CVE-2025-32463, a vulnerability in the chroot feature of sudo versions 1.9.14 through 1.9.17. The repository contains a Dockerfile to build a vulnerable environment, a README.md with usage instructions and background, and a bash script (poc.sh) that implements the exploit. The exploit works by creating a malicious NSS (Name Service Switch) shared object in C that, when loaded via sudo's chroot feature, sets the effective user and group ID to root and spawns a root shell. The bash script automates the process of building the shared object, setting up the chroot environment, and triggering the vulnerability. The exploit is local-only and does not require any special sudo rules, making it a practical privilege escalation vector for any user on a vulnerable system. No network endpoints are involved; all actions are performed locally. The repository is structured for easy testing and demonstration of the vulnerability.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-32463, a local privilege escalation vulnerability in sudo (versions 1.9.14 through 1.9.17, before 1.9.17p1) affecting Linux systems. The exploit is implemented in a single Python script (PoC.py), which automates the following steps:

1. Sets up a fake chroot environment with the necessary directory structure (./chtoot/lib and ./chtoot/etc).
2. Writes a malicious nsswitch.conf file to force sudo to load a custom NSS module for passwd resolution.
3. Generates a C source file for a malicious NSS module (libnss_Xfiles.so.2), which, when loaded, spawns a root shell.
4. Compiles the C payload into a shared object using gcc.
5. Cleans up the C source file.
6. Launches sudo with the --chroot (-R) option, targeting the crafted chroot, which triggers the loading of the malicious NSS module and results in a root shell.

The exploit requires local access, a vulnerable sudo version, and the ability to use the --chroot option. The main fingerprintable endpoints are the chroot directory (./chtoot), the malicious NSS module (./chtoot/lib/libnss_Xfiles.so.2), and the crafted nsswitch.conf (./chtoot/etc/nsswitch.conf). The repository is structured with a single exploit script, a README with detailed usage and vulnerability information, and a license file. The exploit demonstrates the vulnerability but does not provide a weaponized or highly automated attack.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-32463, a local privilege escalation vulnerability in sudo (versions 1.9.14 through 1.9.15p5) related to the chroot (-R) feature. The exploit leverages a flaw in how sudo handles NSS (Name Service Switch) configuration and module loading after a chroot operation. By preparing a fake root directory containing a crafted /etc/nsswitch.conf and a malicious NSS shared object, the attacker can trick sudo into loading and executing arbitrary code as root. The repository includes a Dockerfile to build a vulnerable environment, a shell script (sudo-chroot.sh) that stages and executes the exploit, and a run.sh script to automate the Docker setup. The main exploit logic is in sudo-chroot.sh, which dynamically generates and compiles a C shared object that, when loaded, spawns a root shell or executes arbitrary commands. The exploit is local and requires the ability to run sudo with the -R option. No network endpoints are involved; all fingerprintable endpoints are file paths used in the exploit staging and execution.
Recent activity
188 sources tracked across advisories, community write-ups, and news.
A critical vulnerability in the Sudo utility for Linux/Unix-like systems that CISA reports is actively exploited in the wild.
A sudo inclusion vulnerability enabling local privilege escalation, confirmed to be actively exploited.
A privilege escalation vulnerability in sudo allowing local low-privileged users to escalate to root via a race condition with the --chroot option.
A privilege escalation vulnerability in Sudo (1.9.14-1.9.17) allowing local users to obtain root by exploiting the --chroot option and loading malicious libraries.