How can I automatically pass the password to 'su'?

The best ways to automate this type of input, is using expect or better pexpect. most servers come with python, at least with a modern distribution.

First off you said your VM does not have expect installed? I'm not sure why that matters. Is there any reason why you cannot install/execute something, under your local account?

Next consideration, why must you even use passwd??? You can also change a password by replacing the hash specified in /etc/shadow. You obviously would need to correctly pregenerate a hash first, but as long as you use a supported one it should work as expected. Now how you would script such an action, that's an exercise for you to work out.

I also want to mention, passwd does not read it's input from STDIN. If i'm not mistaken, it reads from a tty. So no fancy combo of just echo and sleep would work. However it's possible using a HEREDOC, but assumes system is sufficiently responsive. You may be able to break it up and sleep between entires. I just tested this, it worked on my Ubuntu workstation.

#!/bin/bash
passwd root <<'EOF'
newpassword
newpassword
EOF

Your exploit could also write to the groups file and make the current user part of the 'wheel' group (or whatever group can run sudo commands w/o a password). Then you'll be able to sudo su root (or any other user) w/o a password.

Running visudo should give you some direction on the setup of the 'wheel' group on your machine.

To clarify: once a user becomes part of the wheel group, they can run sudo commands without needing a password.